Mumbai: Customers across India are asking themselves this question after an increase in the number of credit card frauds. Everyone knows at least one person—the Mint newsroom has two—whose card has been misused in the past few months.
Suneel Bandhu, a Mumbai executive, received a message on his phone at 3am on 7 January, alerting him that he had used his Visa card issued by the Hongkong and Shanghai Banking Corp. Ltd’s (HSBC’s) Mumbai branch to buy $790.97 (around Rs.42,633 today) worth of products at a Wal-Mart store in Romeoville, Illinois. A call from the bank followed to find out whether he was in the US or had given his card to someone who was. He answered in the negative to both questions.
Instances such as this are becoming common, going by complaints on consumer rights forum Grahak Seva, anecdotal evidence, the reaction of the banking regulator, and the number of complaints with so-called police cyber cells that deal with credit card fraud.
Niket Kaushik, additional commissioner of police, crime, Mumbai. The government has started a training programme for officers across the country to help them deal with such cases, he said.
“We have been running a seven-day capsule course on cyber crimes for police stations across the country in association with Nasscom. It’s mandatory for police officers other than those who are already a part of the cyber crime cell to take the course,” he said.
This has helped local police stations as they are now equipped to investigate cases related to cyber crime, including credit card fraud, without support from the cyber crime cell, he said.
On 8 February, Reserve Bank of India (RBI) deputy governor Anand Sinha told news agency Press Trust of India in Mumbai that instances of credit card fraud being reported were “of high magnitude”. “We have to be alert,” he added.
Various explanations have been proffered for the increase in instances of card fraud, including the fact that most overseas websites do not insist on either CVV or the additional “Secure” layer.
“In India, while all domestic transactions are authenticated through the Secure protocol, as per an RBI mandate, many international merchants do not use the Secure protocol for ‘card not present’ transactions,” said an HSBC spokesperson.
None of these explanations is entirely satisfactory and experts say the current situation reflects the inability of card issuers, banks, the regulator, and merchants to deal with card fraud. No one is safe.
Since September, EntroPay, which offers a pre-paid virtual card that can be used in place of a Visa card, has seen an increase in the number of complaints from India. And the website uses “Secure” authentication.
Alex Mifsud, chief executive officer (CEO) of EntroPay, said in an email that he’s been in touch with Indian banks over the complaints, although he added that the fraud levels aren’t unexpectedly high.
Security experts said banks can’t claim to be hack-proof. “Even though Indian banks have done well to increase their security, there is no foolproof method to avoid hacking. Banks and users have to be continually vigilant,” said N. Jagannath Patnaik, director, channel sales, South Asia, Kaspersky Lab, a maker of anti-virus software.
Indeed, almost two years back, in March 2011, Brian Krebs, who writes a blog on security, claimed that hackers had figured out a way to break 3D Secure (Visa) or SecureCode (MasterCard). “What’s interesting is that the thieves could defeat these security systems by gathering personal data on victim cardholders, which they appear to have done here,” Krebs illustrated with screenshots on his blog in March 2011.
“3D Secure is a good marketing slogan. Of what use can it be if a user’s machine is compromised?” said Mumbai-based cyber security expert Vijay Mukhi.
Card issuers don’t agree. “With 3D Secure technology, the merchant is unable to see sensitive card details which are securely entered and verified directly with the issuing banks. The success of second-factor authentication in controlling e-commerce fraud in India has been noticed by other regulators around the world,” said Uttam Nayak, group country manager, India and South Asia of Visa Inc.
“MasterCard has a comprehensive fraud management programme in place to protect consumers worldwide,” a spokesperson for the company said in an email. “We work closely with our banks to ensure that consumers are protected. When MasterCard determines that account data is at risk, we notify our customers to take action to protect cardholders. Cardholders are also protected by MasterCard’s zero liability policy for protection against transactions that they did not authorize.”
Still, Nayak admitted that fraudsters were getting smarter.
“In today’s environment, we’re all up against criminals who use increasingly sophisticated attacks to gain personal and sensitive information. As always, constant vigilance and consumer education remains a key component of personal security,” Nayak said.
Indeed, fraudsters seem to have moved on from basic techniques such as skimming. Online crooks are using far more sophisticated methods to gather information without being anywhere near the scene of the crime, said Adelia Castelino, director at In-Solutions Global Pvt. Ltd, an online security provider. And they get card details from both banks and card users, said Nishanth Chandran, CEO of E-billing Solutions Pvt. Ltd, a payment platform provider with an expertise in fraud detection and prevention.
Some fraudsters send out millions of Trojans and even if 10% manage to reside undetected on a host computer, that means information on 100,000 cards, if not more. “These are then sold as ‘card dumps’ to international fraudsters with all the details, including the 3D password,” Chandran said.
However, bank, merchant, and card issuer networks aren’t as impermeable as they would like everyone to believe.
In March last year, Visa and MasterCard said in the US that up to 1.5 million numbers had been stolen, technology website ZDNet reported.
“Visa Inc. is aware of a potential data compromise incident at a third party entity affecting card account information from all major card brands. There has been no breach of Visa systems, including its core processing network VisaNet,” Visa said at the time, adding that in the US it follows a zero-liability fraud protection policy.
MasterCard in its statement at the time said the breach had taken place at a US-based entity. ZDNet said the hack may have taken place between 21 January and 25 February last year and may involve more than 10 million compromised card numbers.
In June last year, a hacker with the Twitter handle Reckz0r claimed to have hacked 79 banks globally and gained access to more than 50 gigabytes of personal data. “Today’s target is VISA & Mastercard, I will be only leaking a portion of the credit card information, as I cannot leak the entire data, it’s too large...,” Reckz0r said in a post.
The targeted banks were not named except US-based Chase Bank. As proof of the theft, details of 1,700 accounts were released and Reckz0r said this was a fraction of what he possessed.
Reckz0r could not be contacted. However, global hacking group Anonymous said at the time that Reckz0r was taking credit for an old hack by a hacker collective known as Zero for Owned.
Mint wasn’t able to determine whether any Indian banks were breached.
Visa and MasterCard together dominate the card payment system in India, with 96% being processed through their network, said A.P. Hota, managing director and CEO of National Payment Corporation of India (NPCI), set up by banks in 2008 as an “umbrella institution” for all retail payment systems in the country.
“Visa is the highest with 60% of cards followed by MasterCard with 36%,” Hota said. “American Express has 2.3% of cards. In terms of spends, Visa and MasterCard would be processing 99% of the transactions.”
India has a total of 333.2 million cards, both credit and debit. HDFC Bank Ltd has 6.21 million credit cards, followed by ICICI Bank Ltd with 2.82 million. State Bank of India-GE with 2.5 million credit cards and Citibank with 2.34 million credit cards were at number three and four as of December 2012, according to RBI’s website.
SBI Cards said in an email it hasn’t detected any breach of its data. It also put forward the 3D Secure/SecureCode defence, without commenting on how this had been compromised on the EntroPay site. “We quickly identify a common fraud trend and possible compromise point and proactively build fraud control strategy in our 24x7 globally acknowledged transaction monitoring tool so that transactions of our customers happen in a safe and secure environment and they are not inconvenienced in any way,” it said.
Visa and MasterCard are promptly informed in such instances, it said. “For the fraudulent transactions done in a non-3D Secure Internet environment, we usually have a charge-back recourse to the merchant ensuring the customer does not have to bear any loss,” it said.
Citibank said it is continuously boosting security with measures such as “Chip+PIN credit cards”.
“The bank provides additional security in the form of second-factor authentication for e-commerce transactions and offers choice of static or dynamic passwords to the customers,” it said in an email. It’s also able to monitor transactions in real time.
Bandhu’s story had a happy ending.
“As requested by the bank, I went to complain at the nearest branch. They were not surprised by the complaint.”
HSBC told him he wouldn’t be liable for the transaction and the money was credited back to his card account this week, the entry being identified as “Skim Cases SK”.
A few days after he got the first text about the US transaction, Bandhu got an SMS from SBI Cards saying his MasterCard (issued by SBI-GE) was being blocked “as a precautionary measure to prevent misuse”.
“This appears to be a preventive proactive step as I do not see any unauthorized transaction on this card yet,” he said.
ICICI Bank, HDFC Bank, Axis Bank Ltd and Standard Chartered didn’t respond to queries on transactions taking place on Secure-enabled sites.
Do customers have to bear the cost of credit card fraud?
In the US, no. In India, banks may insist that customers take on part of the cost. Indian banks do insure themselves against frauds on credit cards with a high credit limit.
How do credit card security systems work?
In India, most websites require the CVV (card verification value) number, and also a second level of verification involving either a one-time number generated by the card issuer and sent to the customer’s registered phone number, or a password that needs to be entered on the issuer’s site. This kind of authentication is known as 3D Secure for Visa cards and SecureCode for MasterCard.
How are cards misused?
ATM skimming: A scanner picks up card details while the card is being used at a merchant establishment or ATM.
Trojans: When some programmes or content (typically pirated) are downloaded, Trojans (named after the famous horse) are downloaded too, and reside on a computer, evading most detection systems. These programmes capture any 16-digit number keyed into the computer and send it to the Trojan’s owner.
Hacking: A bank, merchant establishment (including e-commerce websites) or card issuer is hacked and data stolen.
Leslie D’Monte and Khushboo Narayan contributed to this story.