Credit Card and Net Banking Security
Convenience with Risk
Net Banking has brought banking to our doorsteps, enabling us to carry out banking transactions from the comfort of our homes. Credit and debit cards have brought appreciable ease to the making of payments at shops, hotels and restaurants, as well as while making purchases and other financial transactions online. Yet this convenience comes at a cost, viz. the risk of losing our money through frauds or theft and misuse of card or data. Somebody might steal our credit or debit card and use it by forging our signatures or even getting hold of our ATM PIN. Cards can also be cloned or ‘skimmed’ and the cloned cards misused by the fraudsters. Information relating to our net banking passwords or credit or debit cards may be compromised, and any person having access to the information might misuse it for making payments from our accounts.
Technological & other Innovations
Yet these risks need not deter us from utilizing the facilities of credit cards and net banking, for by observing certain safeguards and precautions, the risks can be greatly minimized. Moreover, recent advances in technology, and the adoption of certain security measures by Banks and financial institutions, have made things less hazardous. Let us have a look at some of these advances and measures, which include:
1. 128-bit SSL Encryption
A high level of encryption standard is used for all Net Banking transactions. This ensures that the information exchanged between the customer and the Bank is protected from interception while it is in transit.
2. Smart chip credit cards.
These have been adopted by most countries, and this has made card skimming or cloning extremely difficult. Previously, it was fairly easy for someone (such as a waiter in a restaurant or an employee at a petrol pump) to obtain our credit card details and copy them on to a bogus card, which could then be used by him as a credit card at our expense. For this purpose, a pocket-size device with a scanning slot was used; swiping the credit card through this device would copy the information held on the magnetic strip into its memory. In the UK alone, an astonishing $200 million was spent with cloned credit cards in the year 2000. The newer smart cards, however, have microchips embedded in them that encrypt the information contained in the magnetic strip. The microchip cannot be changed or deleted. If a skimmer tries to scan somebody’s card through the aforementioned device, he will obtain only encrypted information and thus be unable to clone the credit card. If someone steals the smart card and disables the chip, the new swipe terminals will alert staff to ask for an ID or decline the transaction. The smart chips also generate and transmit a unique identifier that can change with each transaction. They generally require the cardholder to enter a PIN to authorize transactions, instead of merely signing on a receipt. Total fraud losses dropped by 50% and card counterfeiting fell by 78% in the first year after EMV smart cards were introduced in France in 1992.
3. Verified by Visa / MasterCard SecureCode.
This is a safeguard devised in respect of online purchases through credit/debit cards. It involves registering the card on the website of the issuing Bank or financial institution. An Internet password for the card is generated by the user at the time of registration. This password, along with the usual card details, is required to be entered each time an online transaction is made with the card at any merchant establishment’s website. This minimizes the chances of online frauds as the self-generated password ensures it is the cardholder himself who is making the transaction. The password can be changed by the consumer as often as he likes.
4. One Time Password
Despite the provision for a self-generated password as above, most online transactions, whether through Net Banking or credit/debit card, now require instead the entering of a One Time Password (OTP) sent to the consumer’s registered mobile, for authentication of the transaction. This is claimed to provide two-factor authentication, but that may be so only for Net Banking transactions, where the OTP is used in addition to the Net Banking username and password. In the case of credit card transactions, the OTP is generally being used in lieu of the self-generated Internet Password. It is thus not clear how the OTP provides any additional security in such cases. The advantage of the OTP over the self-generated password seems to be that the former remains valid only for a few minutes, and thus the chances of its being leaked to some other person are less. It is also claimed that the OTP allows us the freedom of banking online without the need to remember multiple passwords.
Disadvantages of OTP
At the same time, the One Time Password system has some disadvantages not yet fully realized. Place your registered mobile carelessly somewhere without locking it with a password (not all mobiles have the facility of password protection), and you may be in for a shocking experience. Anybody who knows your credit card details can, by getting hold of the mobile even for a short time, swindle you of your hard-earned money by getting a One Time Password. Moreover, in the event of the registered mobile being non-functional or getting lost, you may be rendered helpless by not being able to make even essential payments online for quite some time. The biggest problem could arise when you go abroad, for then the registered mobile becomes non-functional, and the mobile number changes because of using either a local SIM of that country or a Matrix card or some other internationally valid SIM. The problem has been solved to some extent by some Banks allowing you to register, on their website, the international mobile number that you will be using while abroad. This means that you should obtain your international SIM beforehand and register it on the Bank’s website before traveling. This is because even registration of the international mobile number involves receiving a One Time Password on the already registered mobile.
Hi-tech Banking Frauds
A news item appearing in The Hindustan Times dated October 25, 2015 provides a concrete and glaring example of such frauds. Lokesh Kardam, a 33-year-old driver, got a call from an unknown person claiming to be a bank officer, who told him that his ATM card had been blocked. To unblock it, he immediately needed to disclose his card number and the three-digit CVV, or card verification value, that appears on the back of the card.
A worried Kardam parked his car, took out his debit card and read out all details. Seconds later, he got another call asking him to read out a six-digit OTP, or one-time password, that he had received as a text message. The unsuspecting driver read out three unique OTPs to the caller.
“Within seconds, I realized Rs. 22,000 had been spent from my account,” recounted Kardam, the main bread-winner for a family of seven.
He had just had a taste of ‘vishing’ or voice phishing, a technique to trick gullible customers into parting with confidential personal banking details. Vishing uses voice calls to steal identities and financial information, generally by instilling fear in the mind of the targeted person, or by tempting him with some attractive offer such as a free trip or discounted holiday package. These calls are difficult to trace, most of them having been made through the internet. Apart from calls, criminals use e-mails and websites that closely resemble those of legitimate companies, and seek individual banking information.
According to data supplied by the Reserve Bank of India, banks in India incurred a loss of Rs. 1200 crores in 2014-15 on account of overall frauds, up from a loss of Rs. 7542 crores in the previous year. Between April 2011 and September 2014, banks in India reported 27,614 credit-card related frauds, 3,835 debit-card related deceptions and 1,969 cases of trickery concerning internet-banking. Likewise, in the UK, around GBP 1.2 million is lost every day on account of credit card frauds, despite the advent of chip and PIN technology.
Precautions for Consumers
Thus although Banks have taken a number of measures to enhance credit card and Net Banking security, these by themselves may not serve the purpose unless accompanied by greater knowledge and awareness among the consumers themselves. The following are some of the precautions we as consumers can take to ensure a safe experience:
i) Looking after our credit card. We should know at all times where our credit card is. It should never be left out of sight when using it at shops or restaurants, nor should it ever be left unattended. It takes only a few minutes for someone to make a copy.
ii) Keeping information confidential. Information pertaining to credit/debit cards or Net Banking account should be kept confidential. This means that the card or account number, card expiry date, etc. are not to be disclosed to any unauthorized person. It is only when we connect to the Bank’s Helpline or Customer Service that they may ask us for the card or account number or a few details for identification purposes, such as mother’s name, postal address, registered mobile number or date of birth. But even the Bank will never ask for the card CVV code, ATM PIN or any passwords, such as those relating to Net Banking, Verified by Visa or OTP. The ATM PIN is to be keyed in only at an ATM or when making a credit/debit card payment using a point of sale machine. It is not to be revealed to any individual. The ATM PIN can be changed or generated by us through the Bank’s website or helpline. We should ensure that the PIN created is one that can easily be memorized, and does not have to be carried on chits of paper while going to the ATM or for making purchases.
iii) Not sharing information with other websites. Some websites and software offer tools to help us with budgeting, managing accounts, investing or payment of taxes. But if we give them our Net Banking ID and Password, we might lose money through misuse of the information. If we have already shared such information, we should take immediate steps to change the user ID and Password.
iv) Promptly Reporting Card Theft or Loss. As soon as we become aware that our credit or debit card has been lost or stolen, we should promptly report the loss to the issuing Bank or financial institution. Once the loss has been so reported, the cardholder ceases to be responsible for illegal transactions made on the card after that. Most banks have free 24-hour telephone numbers to encourage prompt reporting.
v) Reviewing Accounts Regularly. We should regularly go through statements pertaining to our credit card and bank accounts, so that any suspicious transaction comes to our notice as soon as possible and can be promptly reported to the Bank. Better still, we may check the accounts online every few days without waiting for the monthly statement. Any questionable transactions should be reported to the Bank immediately. Laws in most countries put a cap on the customer’s liability ($ 50 in the US; Rs. 10,000 in India) in cases where a fraudulent transaction is reported promptly to the Bank, say within two days of its coming to notice. Since banks nowadays report transactions to customers through SMS on their registered mobile, it is necessary that we should go through these messages regularly so as to be in a position to report unauthorized transactions expeditiously.
vi) Net Banking Access. We should avoid accessing Net Banking from shared or unprotected computers in public places.
vii) Keeping software updated. Keeping the anti-virus software up-to-date can help stop counterfeit emails reaching our inbox and stop us from clicking on potentially harmful websites. It can also prevent hackers from stealing our passwords or credit card information by keeping the computer free from malware designed for this purpose.
viii) When purchasing online. We should make sure that the address of the website where we enter our credit card information begins with ‘https’ rather than just ‘http’. The ‘s’ stands for secure. In addition to ‘s’, certain browsers will display a small lock icon in the address bar to indicate a secure site. If we use Internet Explorer or Google Chrome, we should look for this icon. When we click on the lock, a certificate window should appear. If no window appears, we may be on a fraudulent website. Browsers such as Apple Safari or Mozilla Firefox indicate a secure site in slightly different ways, which can be ascertained from the help page of the browser.
ix) Being aware of fraudulent emails. No financial institution will send an email to its customers asking them to provide any of their login details. If we do receive an email, purporting to be from our bank or financial institution, that asks for such details, we should treat it with suspicion as it may well be a phishing attempt to trick us into handing over our credentials. Likewise, we should be wary of links in emails that appear to be from our bank. This is a trick often employed by the bad guys to get us onto a website that looks like that of our bank. They can steal our username and password, and ultimately our cash, by encouraging us to enter our login details on the fake site. It is always safer to access our online bank account by typing the address into our browser directly.
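The checks described in items viii and ix, written out as an added example that is not part of the original article: a link is accepted only if it uses https and its host name is exactly the bank's known host. The host names and sample links are constructed placeholders, and the allowlist is an assumption.

```javascript
// Added example. All host names are constructed placeholders, not real banks.
// Assumption: the bank's genuine Net Banking host is known in advance.
const TRUSTED_HOSTS = new Set(["netbanking.examplebank.test"]);

// Returns { safe, host, reasons } for a link found in an email or web page.
function checkBankLink(link) {
  let url;
  try {
    url = new URL(link); // throws unless the link is a complete absolute URL
  } catch {
    return { safe: false, host: null, reasons: ["not a valid absolute URL"] };
  }
  const reasons = [];
  // Item viii: the address must begin with https, not http.
  if (url.protocol !== "https:") reasons.push("not https");
  // Anything before an '@' is login data, not the site that will be opened.
  if (url.username || url.password) reasons.push("text before '@' is not the host");
  // URL lowercases the host and converts non-ASCII letters to 'xn--' labels.
  const host = url.hostname;
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    reasons.push("host contains a punycode (non-ASCII) label");
  }
  // Item ix: a look-alike name is still a different site, so compare exactly.
  if (!TRUSTED_HOSTS.has(host)) reasons.push(`'${host}' is not the bank's known host`);
  return { safe: reasons.length === 0, host, reasons };
}

// Constructed sample links: one genuine, the rest resemble it.
const SAMPLE_LINKS = [
  "https://netbanking.examplebank.test/login",
  "http://netbanking.examplebank.test/login",
  "https://netbanking.examplebank.test@login.example.net/",
  "https://netbanking.examplebank.test.secure-login.example/",
  "https://netbanking.exampleb\u0430nk.test/", // \u0430 is a Cyrillic letter
];

// Runs every sample through the check and returns the results.
function report() {
  return SAMPLE_LINKS.map((link) => ({ link, ...checkBankLink(link) }));
}

for (const r of report()) {
  console.log(r.safe ? "OK    " : "REJECT", r.link, r.reasons.join("; "));
}
```

Only the first sample passes; each of the others is rejected with the reason it differs from the genuine address.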
The Next Step in Security
Recent improvements in technology, and measures taken by banks and financial institutions to enhance security, have no doubt greatly reduced the risk of fraud in banking transactions. But, as is evident from the above, frauds have not been eliminated or even minimized. Even the much-vaunted One Time Password (OTP) can prove futile in protecting a credulous customer not aware of security threats, as seen from the aforementioned case of the driver Kardam. On the other hand, the OTP is not very convenient, especially when one is on a foreign visit.
It is time Banks thought of taking credit card and Net Banking to the next logical step. The field to be now explored is that of biometric security. Biometric technology represents a significant security advancement because it physically proves an individual’s identity. Use of another person’s credit or debit card at an ATM by a thief in possession of the card and the ATM PIN is quite common. But if identification at the ATM were with the help of the cardholder’s fingerprints, in addition to the PIN, such thefts would largely become a thing of the past. Likewise, authentication of Net Banking and online credit card transactions can be through fingerprints along with other identifiers such as passwords. This would provide far greater security and convenience than such measures as the One Time Password (OTP).
© 2015 Sunil Mathur