Punching in your personal identification number (Pin) has helped cut retail fraud by 47 per cent in the past year but fraudsters are already moving on to exploit other weaknesses in card transactions, particularly online.
While “Chip and Pin” has been highly successful in cutting down on card fraud, banks and card companies admit to being concerned at a rise in crimes involving cloned cards, identity theft and online transactions.
One growing problem is with so-called “phishing” attacks. Phishing involves bogus e-mails from fraudsters who try to trick gullible internet users into revealing their bank account and security details, usually by asking them to click on a link to a fake website where they are asked to enter their log-on details.
Phishing crimes in the UK have soared from 1,713 in 2005 to 14,156 in 2006. PayPal, an online transaction provider with 15m UK customers, now provides a free phishing investigation service because attacks have become so common.
Another growing scam is “skimming”, or card cloning. Here the card’s magnetic strip is copied by a card reader in a shop or restaurant in seconds. Skimmers can also tamper with cash machines to add a card-copying or “skimming” device in front of the card slot. This type of fraud rose 3 per cent to £99.6m last year, forming nearly 25 per cent of all card losses. Skimming and cloning are becoming an international problem with card details often exported from the UK by criminal gangs to countries such as the US where Chip and Pin is not yet in use
Gangs in overseas territories then use “money mules” to carry out fraudulent transactions using counterfeit cards filled with details sourced from the UK. Security experts say the US has become the global centre of the trade in stolen identities and card details. This year for the first time the US has eclipsed France as the top country for fraud involving UK cards.
US security firm Symantec said this week that identity thieves in the US and elsewhere were offering stolen credit card numbers, dates of birth and other sensitive information in large volumes over the internet for as little as £7 per identity.
Card providers urge cardholders to take great care not to lose sight of their cards in the UK or overseas and to check statements immediately for signs of suspicious overseas transactions.
Apacs, the trade body for banks and card providers, says that “card not present fraud”, mainly committed online, rose 16 per cent last year to top £212m, nearly 50 per cent of all card losses. Online banking fraud increased from £23.2m in 2005 to £33.5m in 2006, much of it due to phishing attacks.
Jemma Smith, head of public relations for Apacs, says: “People going abroad are at risk of card fraud but we also know that organised gangs are targeting UK cardholders for use overseas. The main issue in the past few years has been skimming or the illegal copying of cards. Chip and Pin has helped reduce this in the UK but the risk remains high in countries without Chip and Pin.”
While banks usually limit the liability of cardholders who are victims of fraud or identity theft to £50, there are signs of a tougher attitude by card providers towards cardholders who fail to take what the Banking Code calls “reasonable care” with their account and security details.
Which Money? has called for an addition to the Banking Code to protect customers against online fraud.
Which Money? editor Martyn Hocking says: “Chip and Pin has made life harder for fraudsters so it seems likely that phishing attacks will increase further. There is one particular area of concern for consumers here – at present, if you lose money as the result of online fraud, you don’t get the same protection as you do with card losses. The banks have said that for now they will refund people’s money in online cases but this may change as the problem grows. Which? Money is calling for an amendment to the Banking Code to make this protection compulsory.”
The Financial Ombudsman Service is already dealing with 80 disputes a month involving card companies and victims of fraud. It warned that while the ombudsman welcomes genuine grievances, customers who were negligent in protecting their Pin, card or security details, could find their case rejected.
In one recent dispute, a cardholder lent her card to a business colleague to pay for drinks and meals for clients because his card was close to its limit. When the statement came through it was clear the card had been used to buy several expensive drinks later the same day at a nightclub. The colleague denied the purchases were his and refused to refund the cost. The ombudsman rejected the cardholder’s complaint that her card provider should reimburse her because she had willingly given the card and security details to a colleague even though this breached the terms of her card.
Toni Merschen, group head of Chip at MasterCard, says one major challenge with online transactions is the lack of “strong authentication”. To tackle this, MasterCard and Visa have introduced an additional layer of security for online transactions involving an extra password. MasterCard’s system is called SecureCode and Visa’s is Verified by Visa.
Apacs, the trade body for banks and card companies, has urged online shoppers to register with these services because they make life more difficult for fraudsters.
Another improvement to online security is on its way later this year. The CAP (Card Authentication Programme) is a handheld security device which will generate a unique, once-only security code for each online transaction. The CAP should ensure that only the rightful owner of the card can use it online.
