DAYLIGHT ROBBERY

Quite often we come across some fraudulent transaction or other on a credit card or a payment wallet. With the proliferation of digital payments, the opportunities for fraudsters are on the rise. There are frequent news articles about how this has become a small scale operation based out of few countries and also in few states in India. When we read about such an incident one of the thoughts that comes to our mind is that these are very dangerous and the good old days of carrying cash is the best option. Imagine if you have to buy a new washing machine and also do few other big ticket shopping, would you want to carry 50,000/- in cash? Is that really safe & convenient? While some of the cynics can always argue for that, even during the good old days of hard cash there have been stories of day light robbery. It’s just with technological development, the fraudsters are upgrading themselves too. So what’s happening today is nothing short of day light robbery and it is important to safe guard ourselves from the same. Let’s simplify how these payments work and also understand some simple ways to safeguard against daylight robbery, the fraud.

WHAT HAPPENS WHEN YOU SWIPE A CARD?

Most of us own a credit or a debit card. Am sure most of us really feel exhilarated when we see the charge slip coming out of the machine after the successful purchase. Those of who still think owning a credit card is a sin, please read my earlier article on the same here. At the same time, it is also important to understand the way credit cards work. While some of the flow are quite technical, I’ll simplify the same here.

These are the parties involved in a transaction:

 You – while you know who you are, The card identifies you by the credentials you would enter. The transaction can be initiated with physical card’s presence of without the card. It is important to safe guard the card credentials – card number, date of expiry, CVV and PIN like any other personal property. CVV is the 3-digit number that is in most cards mentioned at the back of the card. (in certain cards like American Express it is 4 digits and in the front).

Shop – this is where the transaction is happening. This could be a physical shop or an online site or a market place. At times the name of shop could be different from the name of the company that owns the shop and hence you may have noticed different name in the narration in your statement during such times.

Acquirer – this is usually a bank where the shop keeper is having a banking relationship. Basically the money for the transaction that you are making will be paid by this bank. This is called the acquiring bank. In few countries this could also be a non banking entity that is doing this business.

Network – You may have noticed on the face of your card it is written Visa, Mastercard, etc. This is the credit card network which act as an interface between the various banks that operate in the space. With millions of transactions going through them every minute, they have high-tech infrastructures to enabling them. They also have guidelines that the banks will have to adhere to.

Issuer – this is the bank that has given you the credit card. This bank has evaluated your documents and provided the credit limit suiting your requirement. The issuer will receive the inputs for every transaction in an encrypted manner which will be processed in their internal systems which will be either approved or declined depending on the rules. This process is called authorization. The correctness of inputs that you have entered in the Swipe machine (EDC machine) or the online shopping site will be verified by this bank.

The entire information flow from the shop to the issuing bank and back happens within a second or few.

WHAT ARE THE DIFFERENT CREDENTIALS

With a card, a transaction can be executed in different ways, usually these are also governed by local regulators. Let me provide the broad types and the credentials that are needed for the same:

Contactless – I have come across people calling it the Wifi-Card. You’d have noticed a Wifi symbol on the face of the card. With this feature you can basically execute a transaction in a shop just by waving the plastic over a machine. This is usually used to make small purchases like train ticket or coffee. Regulators usually restrict the value of transaction using this mode. For eg., in India the maximum value allowed using this mode is INR 2000/-

Physical with Sign – This is still allowed in certain countries. The card can be Swiped (magnetic strip at the back) or dipped (chip on the card) to obtain the card and holders details. You authenticate by physical signature on the chargeslip.

Physical with PIN – This is now being mandated in lot of countries. Essentially you enter a PIN to validate the transaction. Physical signature is not mandatory here.

Online with CVV – In this transaction you could make an online purchase with just the card number, expiry date and CVV. No other authentication required. Yes, you may be surprised, but this is still allowed in few countries.

Online with 2 factor authentication – The commonly used method is the one-time password (OTP) for this transaction in addition to the card number, expiry date and CVV.

Basically the transaction type and the card date are passed one to the card issuing bank before the transaction is authenticated. The bank would have a strong system of identifying trends and patterns that raise an internal alarm to highlight suspicious activity.

HOW DO FRAUDSTERS CRACK THIS AND HOW CAN I BE CAREFUL

While these systems are available in the ecosystem, fraudsters also work towards improving their infrastructure. Some common frauds and precautions listed for safe guarding

Card lost – when you lose a credit or a debit card, immediately inform your banker. Delayed intimation can prove costly. Best is to carry only those cards that you use the most so that you realize it immediately in case you lose it.

Never ever write the PIN on the card or keep it in the wallet along with the card. This is like giving your house key to a burglar.

Skimming – This is a method by which a fraudster steals card information. This can then be used later to make transactions. Avoid using the card in shops that you are not sure of and look for any additional device or an attachment in a swiping machine or ATM.

I’ve noticed few people handing over the PIN to a restaurant waiter. Would you call them stupid or lazy!

Phishing, Vishing, Social Engineering – These are various ways by which a fraudster having some basic information tries to gain more detailed credentials from you. Phishing is by sending an email with a link and Vishing is by speaking to you posing as your banker. Social engineering is through messenger or whatsapp, posing as a friend or a potential business partner.

Never ever share OTP or your password even if a Nigerian widow is willing to share a million USD with you.

Malware/Spyware – This seems to be gaining momentum. A person posing as a banker calls and shares a link clicking which, your phone would download a malware which may enable the fraudster to see the messages on your phone. Then transactions are executed with OTP which can be seen by the fraudster.

Never ever click any suspicious link or download an app on insistence of any unknown person.

ADDITIONAL SAFE GUARDS

More Importantly, use online purchase platforms that are renowned and are secure. When in doubt check for a lock symbol near the URL or the SSL details at the bottom. (SSL is secured socket layer, the security level of information transfer).

Some online platforms enable you to store your card number credentials for ease of repeat purchases. Ensure you use this option with a renowned site only. Now, this data is stored in the seller’s website and if their data privacy policy and procedures are not strong, some random disgruntled employee there could download the details in an Excel file and sell it online.

Look for the lock symbol on top left corner and the SSL logic used by the platform

Most of the banks allow you to set transaction limits by transaction types. For example, you may set the international transactions to ZERO or Lock your other unused cards while travelling. Explore your banking app to have this done across your cards. Usually this will be under Manage Cards

Sample bank Mobile App 1 – Setting your customised controls in a card
Sample bank Mobile App2 – Setting your customised controls on your card

Banks that provide certain fraud protection limits and benefits, do check them out and understand the features.

It always feels that flying is more dangerous than good old driving. But did you know the percentage of people dying on road is way higher than those flying. It is important to safe guard than shun the new age payment options.

Being a detailed subject, I have not covered a lot of technical aspects. Do share your thoughts, experience and comments and of course more tips for the benefit of the readers! Stay safe guarded from daylight robbery!

This is not a Financial advisory. The intent is to simplify financial concepts. Please seek professional advise before any financial decision and if you come across any suspicious transaction in your bank or credit card account, call your bank immediately!

One thought on “DAYLIGHT ROBBERY

  1. Great article to deep dive in to security Sankaran. I will share my personal experience, 3 months back my online id was hacked, got a call from bank saying that did you do a transfer to somebody on a particular day, I said no then they made me to wait in the call and went through all security protocols for 2 hrs, they said my online account was hacked some how, through that the
    Hacker did a quick pay to X acct, but surprising thing is that I always do net banking from office laptop only, I was thinking that office computers has latest
    Antivirus softwares, on top of it they have 3
    Levels of extra security, so o thought this is better than personal phones and personal laptops as most of us have antivirus for hat comes out of deals, so I was not sure how much it can fight against hackers. Also they were suggesting me to completely Re-create new email in gmail as suppose to using existing gmail address. Then they closed all my Accounts same day and asked me to visit bank to create new account and then they ordered me new DC and CC. I am still worried about the US secuity protocols in banks, they don’t ask for OTP which is typically sent to mobile by all Indian banks.
    Other thing they do for all quick transfer across personal accounts and friend they engage 3rd party payment transfer systems, usually through interaction of web service call between Actual bank and 3 rd party systems which is typically another company, so a hacker has another possibility to hack the web service, from account touting number and to acct routing number and inputs can be tailored for a successful response, but none of the banks reveal that technology security glitches. So there is more to this which a common man like us will not know much. It was pretty stressful time as everything needs to be done from scratch, even I am scared to use same set of laptops or devices again for net banking. Other thing I did is I disabled, all remember password features offered by chrome and safari, every time I launch the browser I do CTRL+SHIfT+Del to delete all the cookies and history of web pages and then access the bank online site and then do this same operation of CTRL+SHIfT+del to remove all the traces again.

    Liked by 1 person

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s