Letter to the Editor: Banks encourage credit card fraud
In 2019, I had two successfully executed frauds on my card. The first for almost RO700 and second almost RO1,400, plus a third attempt that did not go through because the OTP request came to my mobile phone, and of course, I ignored it and reported to the bank. The fraudster failed that time. More on this third very serious attempt later.
In ancient times before technology and the ‘chip’ era took over, credit cards were embossed with customer and card details because they had to be swiped manually for an imprint that appeared on an authorisation slip which you signed. There was no PIN system. Hence there was the need to have all the details written on the card and your signature behind. Today that’s no longer necessary. Cards have electronic chips. Everything that is written on the card is hidden in the chip. And you have your PIN hidden in your brain cells, safe and sound!
Therefore, the only thing accomplished by writing your details on the card is to make it easy for fraudsters. After two frauds on my credit card, (one refunded and the other pending), I raised this issue with my bank asking them to raise it with the card issuers: Visa.
I don’t want my card number, name, expiry date, CVV number to be shown all over my card. What else does Visa want to give away? My PIN number? I simply don’t want Visa to make it easy for someone to defraud me. All these details, just like the PIN number, are private and I can keep them to myself just like I do with the PIN number.
The sealed envelope the bank gives me with the credit card should contain all these details which I will keep to myself like the PIN. If I have the need to disclose this information, I will decide when and to whom. But the bank has an obligation to protect my details. And since the details that are embossed on the card are already in the chip, why repeat them openly! I want my card blank, no name, no dates, no numbers, period! The bank says it can’t be done. I guess keeping details private will bust the scam, or at least a big portion of the scam.
Which takes me to the third, but failed attempt to defraud my card. It happened just three days after my card was issued! In that time I used it only once. I did that to find out if the card had already been activated. Well, looks like someone else was also waiting to confirm activation! Almost immediately.
Late at night, watching TV, I get an SMS giving me an OTP number to complete an online transaction, which I never requested. Those who do online shopping know that the online payment process is: Get to the payment page, put your name, card number, expiry date, CVV number and your address.
Once all these details have been input correctly, the process takes you to the page where your bank has to give you an OTP (a temporary PIN lasting a few seconds) to input on the page and submit to complete your transaction successfully.
If you fail, the transaction is invalid and cancelled. So, effectively, three days after my new Visa card [which replaced the frauded and cancelled card] was issued, someone already had all those details pertaining to my card and could process a transaction all the way up to OTP request, failing only because my mobile phone was with me.
That’s how fast the fraudsters operate. If that doesn’t smell like an inside job, someone inside giving away customer card details, I don’t know what does! In this process, what saved me was my mobile phone, which means the bank relies on only one level of security, all others passed successfully because the bank made my details public. Despite all the money banks make out of credit card business, yet they invest in only one level of security, your mobile phone, to protect you from online fraud.
In the two earlier frauds, no alarm bells rang at the bank when they saw an unusual amount being transacted. They had previously called me for amounts as small as RO100. But in these two cases of fraud, amounts much larger than I usually use, did not alert the bank. The bank saw no need to watch out and call me. They have my mobile number, which roams with me even in the washroom!
The first fraud was transacted in a very strange way. A person with a German passport and a completely different signature to mine used my card details to spend about RO700. He actually presented his passport to the merchant.
One would suspect the merchant was in on the fraud. But why retain a copy of the fraudster’s passport? It was obviously not an online transaction, since I got no OTP number on my mobile to authorise the transaction.
If it was at the sale point transaction, then no PIN number was used because my PIN is not recorded anywhere other than my head. I got the usual SMS telling me the amount was debited from my card! I called the bank instantly and got the card blocked.
So basically you have a transaction done by:
A person whose passport shows a different name to that on the card
The signature used is also different
The amount spent is unusual for me
No PIN code was used
Yet, it passed.
No one bothered to check why the name on the card is different from his passport. The merchant asked and got authorisation from the bank. And until I protested, that transaction, with its mismatch name, was not considered unusual by the bank. It took the bank four months to refund me.
In the second successfully executed fraud, I also got an SMS message! My credit card statement indicates the name of the merchant. But the bank is still unable to comply with my demand to give me details of this transaction justifying debit of almost RO1,400 on my card! Effectively, PIN number, name on card, unusual amount, all stand for nothing when it comes to credit card security.
In both instances, I phoned the bank immediately asking it to block the card. That’s two successful frauds, same customer, same card issuer and same year. How many others I don’t know. But I am sure that in all cases of credit card fraud or even ATM card frauds, there’s one thing in common, all customer details are all over the card making it so easy for fraud to happen.
The security features of that chip on the card have been made redundant as far as fraud prevention is concerned because card issuers/banks have disclosed these details on the card. Brilliant security system, don’t you think?
Unless, we customers join up and demand that the era of embossing all these details is over and we want blank cards, banks and card issuers will not move. Customer identification is not a problem on the chip. In fact, I remember many years ago Standard Chartered even had a photo placed on the card, which aided the security.
Pay Pal, Apple Pay and similar reliable systems where the card details are not given all over the place is a good security system. But keeping the card completely blank, no name, or number, or date or CVV, is the strongest security level for now. And of course, your photo on the card would be a good addition.
Think about it. Get your bank to think about it too.
In the meantime, start by privately recording the card details and scratch them away from your card, like the CVV number, expiry date or any other detail that can be removed without destroying the card. Everything is hidden in the chip. You don’t need these details on the card, the merchant doesn’t need them either, only the person who will steal your card details needs them there. So, press your bank for a blank card.
I have been a banker for 20 years. In the olden days, security and customer service have always been our main concerns. We were always trying to be one step ahead of the bad guy! But today the good guys are, unfortunately, sleeping on the job! Banking has become a telephone business. Try talking to anyone on the so-called telephone banking, you feel nauseated by the time you finish. That’s modern banking.
There is a lot of work that needs to be done to turn these humungous glass buildings into banks once again, and hopefully where our hard-earned money is safe!