With a 23% year-on-year increase in card-skimming fraud in South Africa, from R366m to R453m recorded last year, according to the Hawks, it is becoming increasingly important for both consumers and establishments to be vigilant about this type of fraud, especially during the busy festive season. Due to each case being different, determining who is responsible for the loss can be challenging.
While most people may automatically think the bank handling the transaction is responsible for the loss, the bank is not necessarily liable if the consumer or merchant has not taken proper care. There are various factors that need to be taken into consideration when determining liability for card-skimming fraud.
Most of the fraudulent card-skimming machines are actually imported, and on the face of it look and feel exactly the same as any other mobile card machine. In order to clone a card, all the fraudster needs to do is clone the strip and take note of the three-digit card verification value (CVV) number on the back of the card. The fraudster uses these details to create a cloned card, which is then used elsewhere for fraudulent purchases. These machines also record the Pin number and the customer is simply advised that the machine does not work and the fraudster then processes the transaction on the correct machine, but by this time all the information sorted on the card has been copied and the cardholder’s security compromised.
To combat this type of fraud, and reduce the associated costs for the crime, various African countries, including South Africa, have begun to migrate to EMV (Europay, MasterCard and Visa)-compliant cards. These cards have a chip-and-Pin system. Every time an EMV-compliant chip card is used, a unique transaction code is created that cannot be used again, making it impossible to use the same code for a future fraudulent transaction. While it does not prevent data breaches from occurring, the EMV-compliant cards do make it harder for fraudsters to use the cloned card, although this is still possible if these cards are “exported” to territories which are not EMV Compliant.
It is important for merchants, such as restaurant owners, to ensure their employees are not involved in card-skimming scams, as the merchant can be held liable if they have not taken due care. If a consumer goes to a restaurant they expect proper service and their data to be secure.
In the same vein, it is important for consumers to be proactive and look for signs of card-skimming scams. If the machine does not work and does not produce a paper slip to prove the transaction failed for some reason (such as failed communication or lack of authorisation), it could be a sign that the machine is a fake. In this case, consumers should make sure they speak to the manager. The customer has the right to ask the manager if the machine belongs to the establishment. It is also a good idea to never let the machine or the card out of sight during transactions.
Unfortunately, it is usually only after a customer has left an establishment and fraudulent transactions are performed that the victim realises they have become a victim of card skimming. The bank will only flag the transactions if they seem suspicious after a few transactions have occurred. That is why it is beneficial to have the instant notification service activated, where the consumer receives communication in the form of an instant message once a transaction has occurred. This way they can flag possible fraudulent activities with the bank as soon as they occur.
Locating the venue where the card skimming occurred can be challenging. However, the advent of social media can make it easier to find the location if multiple people start complaining their card was skimmed and they find out other victims were at the same venue. Even after the location is determined, the injured party would still have to prove negligence on the part of the owner. As per all social media posts, people need to be very careful not to post statements which could be deemed defamatory.
Due to the various factors that come into play when determining liability for card-skimming fraud, it is vital that both consumers and merchants take the necessary precautionary measures to avoid becoming a victim.
- Anton Meyer is executive head at SHA Specialist Underwriters