Credit Card Frauds – What You Should Know

Given the recent spate of news articles about credit card frauds, we thought we should ‘de-mystify’ the discussions going on and outline what you, the user, need to know to safeguard against such frauds.

What comprises a ‘Credit Card Fraud’?

When criminals get hold of your credit card details (including the CVV number printed on the reverse of your card) and use these to make purchases with your card, it is a ‘credit card fraud’.

How can someone get hold of my Credit Card details?

This can happen in any of the following ways:

#1. When a criminal manages to actually see your credit card

How can this happen to YOU?

  • If your card gets lost or stolen.
  • If you have taken a photocopy of your card and the copy gets into the wrong hands.
  • At a shop or restaurant where you may have used your card:
    • Yes, many shops & restaurants are infiltrated by criminal gangs who manage to copy your card details without you being aware. Sometimes a person working there is part of the gang and swipes your card on another, unauthorised device to copy the card details. Sometimes the swipe machines (those ‘thingies’ where your card gets swiped) have been infiltrated by criminals to capture and copy or forward the credit card details online. At times, the billing systems may also have been compromised. All this is known as “skimming”. Unfortunately, despite some very stringent mandates from MasterCard & Visa (there is a security standard for this known as PCI-DSS), many establishments, especially the smaller ones, are not compliant and remain insecure.
    • Note: Some countries are notorious for this. So when you travel to such countries, you become an easy victim.

#2. When your card details get stolen online

How can this happen to YOU?

  • Your own device (PC/Laptop/Tablet/Smartphone) gets ‘infected’ or ‘compromised’ by malware (malicious software) that is programmed to steal your credit card details as you use the card online.
  • The online merchant with whom you are doing an online transaction may have insecure servers, databases or applications (in other words, ‘systems’) where your credit card details are stored. These may get infiltrated by cyber-criminals, and your credit card info gets into their hands from there.
  • OR the other folks in the credit card chain, like the bank with whom the merchant has tied up or a ‘payment aggregator’ (an intermediary between the merchant and the bank), may have had their systems similarly infiltrated.
  • You may become a victim of ‘Phishing’ or ‘Vishing’/‘Smishing’.
    • ‘Phishing’ is when you get a very authentic-sounding mail supposedly from your bank asking you to go online and give your credit card details, which you may end up doing. In reality, banks NEVER ask you to give your card details, and it is usually a cyber-crime gang behind it.
    • ‘Vishing’ is when the same thing happens over a phone call, and you end up giving out your card details.
    • ‘Smishing’ is the same thing via SMS.

How will I know if my card has been ‘compromised’ or ‘defrauded’?

-You may see suspicious transactions in your statement – transactions you may have had nothing to do with

-You get sms or email alerts or a call from your bank informing you of transactions you have not done

So what should I do to protect myself?

– If you ever lose your credit card, report it IMMEDIATELY to your bank. Keep your bank’s call centre number and your credit card number handy in case you face this situation (and DO NOT store your credit card number on your mobile phone!!)

– NEVER give a copy of your credit card (especially a copy of the reverse side) to untrusted people. In fact, you should simply avoid giving it to anyone, even your family members, since you don’t have control over where they may leave it by mistake, etc

  • So what should you do if you book a ticket for a relative and have to give him/her a copy of your credit card to show at the check-in counter (since airlines in India require this)?
    • DIN it into their heads that, under no circumstances, should they give the photocopy of your card to the airline. And that they should TEAR the paper properly and dispose of it as soon as they reach their destination. Call and follow up with the person if required!!

-Subscribe to the “transaction alert” facilities offered by your banks (in case your bank doesn’t do it automatically) – where an sms and/or email is sent to you every time a transaction is done.

-Be alert to Phishing and Vishing/Smishing. Remember, your bank NEVER asks you to reveal your credit card details. In case you are in doubt whether the mail you have received is genuine, CALL your bank on a number you already have (not the one mentioned in the email) and re-check. Similarly, if you get a call asking you to give your credit card details, disconnect the call and call up the bank yourself on a number you already have to verify. Never give out details on an incoming call as you can never be sure it is really coming from your bank.

-If you are traveling abroad, it may be worthwhile to call your bank to find out if the country you are traveling to comes under their list of “high risk” countries for credit card frauds. In such places, it makes sense to avoid using your credit card – instead use travel cards / travelers cheques and other less-risky products. In fact, many banks themselves replace your card as soon as you are back from a travel to a high-risk country.

-If you ever get an sms/email alert about a transaction you haven’t done, call your bank immediately and report it.

-Go through your monthly credit card statements carefully to ensure that no suspicious transactions have happened. If you see something, report it immediately.

-Always tear your charge slips before you dispose of them. Especially make sure that the part where your credit card details are mentioned is properly destroyed. The credit card ecosystem standards now require that your full credit card number is not printed on charge slips. But there are several places where this is not done, so it is better that you remain careful!

For Online Transactions:

-Always keep your Anti-Virus and Anti-Malware up-to-date on your devices (yes, you MUST install one on your smart-phone or tablet if you use it for extensive browsing or use apps on it). And avoid visiting suspicious websites!

-Turn on the secure online transaction mechanisms offered by Visa (‘Verified by Visa’) and Mastercard (Secure Code) – where you get a second password (one time passwords (OTPs) or special ‘internet pins’) for online transactions. In fact, in India, the RBI has made it mandatory for banks to give a second password for online transactions.

– While transacting online, make sure the site where you are giving your credit card details is SSL-protected. To check this, see whether the URL in the address bar of your browser begins with ‘https’ instead of ‘http’.

-NEVER do online transactions using a public device (like a cybercafé, etc) or using a free wi-fi (like at airport terminals or cafes). They are extremely high-risk areas!

And last but not least, it is always good to have cards with lower credit limits. Have multiple cards if required, instead of one single card with a high limit. This ensures that even if there is a fraud, your maximum damages would be to the extent of your credit limit only.

Posted by Shivangi Nadkarni, Co-Founder & CEO, Arrka Consulting. | @arrka2 | @shivanginadkarn


About Shivangi

Arrka Consulting provides Consulting & Advisory Services in the areas of IT Risk. Whether you are a large organisation or an SMB or even an individual, we help address challenges that each of you face in this domain

One Response to Credit Card Frauds – What You Should Know

  1. Common man speaking up says:

    I will explain my point with a live example

    My mother used an ICICI BANK credit card to buy certain services online. The outcome of this transaction was that the service provider charged the card 3 times in a span of 1 minute for the same service. A basic system alarm should have got triggered to detect such repeat charge for the same amount on the card and it should have stopped the transaction from being executed.

    The card provider & the aggregation need to routinely review the merchant so that they can identify if the merchant in question is legit and put him in a bucket of acceptable merchants that can be allowed to charge the same card repeatedly or should they refuse the payment of the same amount if the transactions are done in a time frame of 1 minute using the same credit card.

    Also there is no flagging of such transactions or even blacklisting of such merchants and this is where I see a clear loss of responsibility on behalf of the credit card company / eco-system in general.

    A similar risk bucket /tagging needs to be in place for the credit card holder also.

    The only way you can register this complaint is by sending ICICI Bank an email, a scanned copy of your complaint letter and letting them know about the same. After that you pray that the email is read by the team in the back office and the story goes on. You cannot take this problem to the branch and submit this data!

    Realistically speaking, if somebody does go to RBI and educates them about the problem, each of these banks would lose sleep. What is needed is for the banks to disclose the total number of credit card fraud cases that they have received a complaint about and cases where the money was returned back to the card holder. We do not want a number of cases closed but a number of cases where the money was returned back and what % of amount was returned back to the consumer.

    On a different note
    Each year I lose money using ICICI BANK’s card and have to complete this investigation myself. In a few cases I have spent more money in detecting the crime and following up with the bank, and this amount spent far exceeds the amount I have lost.

    Get well soon is my message to them
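
The repeat-charge check described in the comment above (same card, same merchant, same amount, within one minute, with a bucket of reviewed merchants that may charge repeatedly) can be sketched as follows. This is an added example, not part of the comment or the original post; the transaction records, merchant names and function names are constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta
from decimal import Decimal

WINDOW = timedelta(minutes=1)  # the time frame named in the comment

# Constructed sample data: (timestamp, masked card, merchant, amount)
SAMPLE_TXNS = [
    ("2024-01-05T10:00:05", "XXXX-1111", "svc-provider", "499.00"),
    ("2024-01-05T10:00:20", "XXXX-1111", "svc-provider", "499.00"),
    ("2024-01-05T10:00:48", "XXXX-1111", "svc-provider", "499.00"),
    ("2024-01-05T10:01:30", "XXXX-1111", "svc-provider", "120.00"),
    ("2024-01-05T11:00:00", "XXXX-2222", "metro-topup", "50.00"),
    ("2024-01-05T11:00:30", "XXXX-2222", "metro-topup", "50.00"),
    ("2024-01-05T12:00:00", "XXXX-1111", "svc-provider", "499.00"),
]

# Hypothetical bucket of reviewed merchants allowed to repeat a charge
ALLOWED_REPEAT_MERCHANTS = {"metro-topup"}


def find_repeat_charges(txns, window=WINDOW, allowed=ALLOWED_REPEAT_MERCHANTS):
    """Return charges that repeat the previous charge with the same
    card, merchant and amount within `window`, unless the merchant
    is in the allowed bucket."""
    last_seen = {}  # (card, merchant, amount) -> time of latest charge
    flagged = []
    # ISO-8601 timestamps in one format sort chronologically as strings
    for ts, card, merchant, amount in sorted(txns):
        when = datetime.fromisoformat(ts)
        key = (card, merchant, Decimal(amount))  # Decimal: exact money match
        prev = last_seen.get(key)
        if prev is not None and when - prev <= window and merchant not in allowed:
            flagged.append((ts, card, merchant, amount))
        last_seen[key] = when
    return flagged


def merchants_to_review(flagged):
    """Count flagged charges per merchant, as input for merchant review."""
    return Counter(merchant for _, _, merchant, _ in flagged)


if __name__ == "__main__":
    hits = find_repeat_charges(SAMPLE_TXNS)
    for hit in hits:
        print("repeat charge:", hit)
    print("merchants to review:", dict(merchants_to_review(hits)))
```

A card holder can run the same check over an exported statement, while an issuer or aggregator would apply it before authorising the second charge.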
