Cashless Card Transactions and Security Loopholes
Al most every adult today possesses plastic money in the form of debit, credit or prepaid cards. These cards, e-wallets and other digital platforms are witnessing a surge in their volumes to embrace digital payment solutions and Digital India’s vision of cashless economy. Digital money transactions are executed through debit cards, credit cards, internet banking, e-wallets, UPI(Bhim), AEPS(Aadhaar Enabled Payment System), cheque etc. for shopping(on e-commerce sites or through POS in offline mode), bill payments , education, banking etc. To encourage digital payment platforms after demonetization, Govt. even reduced transaction charges levied by banks on merchants on debit and credit cards.
Banks have phased out magnetic stripe card security and have moved to Chip Card Security standard to maketransactions more secure and authenticated. This standard called as EMV (which stands for Europay, MasterCard and Visa) includes a microchip in the card that protects buyers against fraudulent transactions.
In case of online transactions card issuing companies are using 3DS (which stands for 3 Domain Secure) protocol which is a program designed to reduce card fraud and shift liability for fraud from online merchants to the card issuing banks. 3DS is used by Visa and MasterCard under the names “Verified by Visa,” and “MasterSecure Code” respectively. In this program cardholders register their cards by entering the card number, birth date, and passcode. When a cardholder makes a purchase at a site that uses 3DS, he enters the code which is verified by the issuing bank and is never shared with the merchant site.
Even though the banks or card issuing authorities are using above mentioned security protocols and standards still there are few loopholes that hackers use to steal sensitive information. The only thing required to block these loopholes in the system is properly educated user. First of all we will look into these techniques of fraud and then discuss about the ways of preventing such frauds. There are many kinds of card frauds particularly related to credit cards and are categorized into two categories:
(1). CNP(card not present): This occurs when the card holder’s information is stolen and used illegally(online transactions) without physical presence of card , and is a result of phishing mails or other forms of hacking where a cardholder is usually of unaware of how information was stolen which we will discuss later on.
(2). Card present: This is less common and takes the form of Skimming where in a dishonest seller swipes a consumer’s card into a device that stores the information and then consumer’s account is charged.
In addition to the above there are other ways like packet sniffing and session hijacking that hackers use to steal information particularly when there is any kind of data breach of email or e-commerce site. According to the researchers of University of Newcastle, there are few weak spots in the credit card security which makes it easy for fraudsters to retrieve sensitive card information like date of expiry or CVV number. This technique is known as Distributed Guessing Attack in which the guesses for the card’s CVV number across multiple sites is spread out with each attempt narrowing the possible combination until a valid expiration dates and CVV numbers are determined. The similar technique is believed to be responsible for the hack of thousands of Tesco customers .This is very rare but we need to be careful particularly while performing transactions on foreign sites that bypass the 3D Secure gateway and only require CVV number like Ali Express. Similarly cyber security breaches in Japan-based Hitachi Payments Services compromised 3.2 million cards in 2016.
The various preventive measures that one can take to avoid such type of frauds are:
A. Online preventive measures
Only go to established e-commerce sites that are safe and shop only on those that are SSL (Secure Sockets Layer) certified that can be identified with lock symbol in URL box of browser.
Make sure that website uses “https” protocol where‘s’ stands for secure instead of only ‘http’.
While making any online transaction look for a site that uses payment verification tools such as MasterCard Secure Code or Verified by Visa.
On an individual level we can safeguard transactions by installing anti-virus software on our computer and smartphone to keep out malware.
Do not use debit cards for e-commerce transactions instead use credit cards.
Try to hide CVV on the site by masking it by asterisks because foreign sites use CVV asthe only point of verification.
Register for SMS alerts as the bank will alert you to any online card transaction or ATM withdrawals the moment these take place.
Avoid using unsecured W-Fi networks or public Wi-Fi as these are easy targets for identity theft cases in online transactions
Always log out from online accounts to ensure data security and avoid storing confidential passwords on your mobile phones.
Keep changing your passwords from time to time to reduce the probability of identity theft.
B. Offline preventive measures
Never reveal your PIN, CVV or password to anyone and make sure not to respond to e-mails or SMSes or phone calls that ask for crucial personal or card-related details.
Checkyour bank or credit card statements on regular basis so as to detect any unauthorized transaction through identity theft and alert the bank immediately.
At shops or petrol pumps, make sure that the card is not taken by the salesperson to a remote location where you cannot see it as the card information can be easily copied and stolen.
Ensure that you never sign a blank receipt.
WHAT TO DO IF CHEATED
Now the question arises if one thinks that he/she has been cheated, then we should follow the following steps and not panic:
If there is a case of card identity theft or a fraudulent offline or online transaction, report the loss immediately to the bank or card provider and have the card blocked. The banks may tell you to fill the chargeback form for the fraudulent transactions.
If the bank does not respond within a week, approach the nodal officer of the concerned.
If there is no response from the bank within 30 days, contact the banking ombudsman appointed by the RBI (https://www.rbi.org.in/commonman/English/Scripts/Against-BankABO.aspx).
In case all the above measures fail then we can approach the court of law for redressal.
All the information that I have provided to the readers in this article is just for the purpose of creating awareness about the security features of digital transactions and preventive measures that we need to take safeguard our hard earned money from fraudsters not the otherwise and don’t forget that prevention is better than cure