Card fraud persists, despite chip technology - TechCentral

Card fraud persists, despite chip technology

Counterfeit card fraud, especially as a result of card skimming, is on the increase again, according to the SA Banking Risk Information Centre (Sabric). And consumers with chip-and-pin cards shouldn’t assume they are protected, the centre warns.

Susan Potgieter, GM of the commercial crime office at Sabric, says that although banks are now issuing more credit and debit cards with integrated chips, requiring customers to enter PIN numbers at points of sale and at ATMs, criminals are able to work around the security.

Last year, Sabric attributed a sharp decline in counterfeit card fraud to the introduction of chip cards. Banking industry financial losses due to the fraudulent use of lost and stolen cards fell by 60% in 2010, from R92,9m to R37,2m.

In 2010, banks lost R263,8m to credit card fraud, down from R409,3m in 2009. Counterfeit card fraud accounted for R141,4m of the losses. During the year, banks seized 189 handheld and 36 ATM-mounted skimming devices.

But criminals are increasingly working around chip-and-PIN security. “Although chip-and-PIN cards are extremely effective to prevent lost and stolen card fraud, they still have a magentic stripe on them,” Potgieter says. “Criminals copy the information on the magnetic stripe in the same way they have been skimming cards all along.”

She says they then use the information from the magstripe to manufacture counterfeit cards without chips, drawing cash and making purchases. “Cards can be skimmed at any point where a customer hands over a card to a third party,” she says. “Once in the hands of criminals, the card is swiped through a skimming device that has the ability to copy and store the data.”

Criminals also tamper with ATMs by fixing a skimming device over the card slot. “During the transaction, criminals film the PIN number using a small spy camera placed on the machine in such a way that it can film the keypad,” Potgieter says. Customers don’t realise their details have been stolen as the transaction proceeds as normal.

Sabric says it doesn’t know exactly how many cards are skimmed as customers often don’t know their cards have been compromised. “The banking industry measures the impact of this type of crime by monitoring closely the level of counterfeit card fraud, which is indicative of the problem.”

As banks crack down on fraud through technologies like chip and PIN, criminals are turning to other types of card fraud, according to Sabric. There is a focus by perpetrators on fraud not requiring the physical presence of the card or the cardholder — known as “card not present fraud”. The centre says here has been a sudden change in tactics by criminals, who are committing more fraud on the Internet, through mail order services and the telephone.  — Staff reporter, TechCentral

  • I had my card cloned and maximum withdrawals made just the other day. With Standard bank Card the tsotsis don’t even need your pin.
    I am told they are the easiest to clone by some players in the market.
    i phoned the Bank kto inform them, but their call centre agents are not trained to raised an alarm when they hear such things, she wasn’t even moved about it. Sshe went on business as usual. I still have not heard from the bank since Saturday.

  • caleb thondlana says:
    24 May 2011 at 12:53 pm I had my card cloned and maximum withdrawals made just the other day. With Standard bank Card the tsotsis don’t even need your pin.
    I am told Standard bank ones are the easiest to clone by some players in the market.
    i phoned the Bank to inform them, but their call centre agents are not trained to raise alarm with their principals when they hear such things, she wasn’t even moved about it. She went on business as usual. I still have not heard from the bank since Saturday.

  • MR T VAN DER WALT

    just post your card number and PIN and I will sort it out for you a.s.a.p

    🙂

  • Werner

    It was known the chip system is flawed before it even got released to the public.

    Since banks weren’t going to replace every single reader, they still had to allow the chip to be ignored. And viola the chip is practically worthless… From what I recall the chip-verification can also be falsified by the reader.

    You can also still grab the front and back of the card to commit online fraud.

    The banks can now just use the chip as a way to offload the risk to the customer in more cases.

    If they really wanted to banks could give a client the option of allowing their cards to be used ONLY on chip-verified transactions.

  • david

    Just this morning a petrol attendant was able to overide the need for a pin on my chip enabled card. By the time i got out to enter my pin, the card reader had already printed my receipt.

  • the_librarian

    Lovely. Why are tsotsis so clever? >.<

    I'm so glad I don't have a credit card anymore. A bit more hassle, but at least I won't have a surprise overdraft on my account, courtesy of Mr Tsotsi.

    @caleb – start looking for another bank which is trained to handle CC fraud.

  • Chris

    @caleb, then why do I have a std credit card with a pin number, but virgin money (absa) has never even bother to change their system? Still swipe and sign from them

  • We posted a scary story along with some tips to avoid bank-card fraud over here:

    http://www.mojodojo.co.za/2011/05/12/bank-fraud/

  • One of the primary challenges in credit and debit cards payment security is coming up with practical ways to secure payment transaction data. The fundamental problem is that cardholder data becomes a shared secret. This secret often needs to be shared amongst a lot of parties in order to fulfill even a single transaction. Because security relies on the least common denominator of security controls amongst these parties, a leak is almost inevitable during the life of an account.

    What happens when we throw out a lot of today’s assumptions around electronic payments and e-commerce and assume that the merchant shouldn’t have to store the data at all? What if we never even handed this sensitive information over to the merchant in the first place? As we can see, one of the primary difficulties in securing this data is identifying all the places to which it travels. But what if this no longer mattered? Or at least mattered significantly less?

    In order to rethink payment security mechanism, we had first to examine what is in place today. The current security model contains fundamental flaws and suffers from assumptions that are overly broad and ultimately unnecessary. A series of patches and Band-Aids have been billed as best practices and part of an in-depth security strategy. And although these security practices are helpful in protecting data in a generic sense, they do not focus on the real issues of the credit card payment systems.

    Thinking out of the box, our company has looked at credit and debit payment security that renders the value of card account information useless to attackers and brings assurance to consumers. We looked at the possible points of failure for credit and debit card payment information. When a consumer makes a purchase using his credit or debit account where a card is not involved, whether online or offline in a scenario such as a phone purchase, he supplies this data to the merchant in order to prove he has the resources or credit to pay for the merchandise. This data passes through various systems within and beyond the merchant environment through payment gateways, back-office applications, acquiring banking networks and systems, issuing banks, and card association networks.

    Through MobiCash secured transaction model, the card is linked to the client mobile phone and transactions are securely signed with NSDT™ a technology that sends “cryptosounds” through the phone’s audio channel to enable contact-less mobile payment. NSDT™ technology provides a very high level of security and protects user privacy; it is uniquely suited to the retail context.
    NSDT™ (Near Sound Data Transfer), transmits an electronic signature, one time password, and cryptographic key to secure electronic transactions and provide strong authentication services. NSDT™ uses the audio channel and security features of any cell phone. As a result, no software downloads or hardware modifications are required. An Encrypted Sound is emitted every second containing: transaction data, a certificate, a one-time password, an identifier, a transaction number and an electronic signature. OTPs are only valid for 1 transaction and have a very short life span, making them useless if intercepted and replayed.

  • Well, I’m struggling to make banks take the real definitive solution against ATM card frauds, cloning and skimming that my company invented some months ago. It’s a titanium case that protects the card against all these problems, making impossible the data theft when withdrawing.

    Before advertising, we wanted to check whether a bank was interested in giving the product to customers. It has already been tested. Unfortanelty it takes time…but be aware that soon a solution will come up!

    For any info, don’t hesitate to ask 😉