Monday, June 23, 2008

Are you a victim of Credit Card fraud?

"I wasn't in Japan on August 23. In fact, I have never been to Japan in my life!" My friend finally managed to convince his credit card company that the USD 1200 cellular phone charges on his account weren't his. I have shared the same woes before, almost every two years. Fraud can befall any credit card user today.

Credit cards are the most convenient form of payment worldwide. Petrol points, air miles, cash back and many other rewards encourage us to swipe frequently. But rewards and convenience come with their own risks. I may be bold to state that after five years, the only credit card customers not affected by fraud will be those who never activate and use their card at all.

One question that I have been asked at every security conference that I address is: "How do I use my credit card securely on the 'net?" Well, let me ask you: "How do you drive accident free on today's streets?" The sheer volume of credit card transactions, coupled with multiple locations of data storage and exchange, increases the probability of credit card "accidents" on the information superhighway.

Ever wondered how fraudsters obtain your credit card information? The first technique involves "harvesting" large transaction databases. Merchants are required to store transactions for a couple of months until they get paid by the card company. The largest transaction theft in history occurred with U.S. retailer T. J. Maxx (TJX). The breach affected 100 million accounts, and TJX's recovery costs exceeded USD 500 million. Another method involves stealing card information directly from end users, using trojans and malware that recognize website forms and intercept keystrokes. A third method - "phishing" - fools users into interacting with fake websites disguised as real e-banking websites. Users get fake emails about account suspension. Clicking the links in them lures users into divulging their account information to fake websites. Credit cards are also actively traded for cash on underground Internet Relay Chat (IRC) channels.

Here are some tips for "defensive driving" on the information superhighway.

1. Never use your Debit Card for online transactions. Your bank's marketing tells you that debit cards work "just like credit cards". They may look the same, even carry Visa™ or Mastercard™ symbols, but the similarity ends there. With credit cards, merchants are not paid immediately. The onus lies on the merchant to prove a transaction's authenticity. Credit card companies have to investigate the fraud with the merchant before holding you entirely responsible. With debit cards, cash is immediately debited from your account without a grace period. Only use debit cards for ATM withdrawals, nothing else. Avoid getting Visa or Mastercard branded debit cards if your bank allows a non-branded option. For details, visit http://www.privacyrights.org/fs/fs32-paperplastic.htm

2. Don't get caught in the "phishing" net. If you get an email from your bank, or from someone claiming to be your bank, asking you to re-establish your identity and verify your account, simply delete the email. If in doubt, call your bank and ask.

3. Delete emails containing credit card statements. Card companies have gone paperless to save money, but from a security standpoint, print and destroy these emails immediately.

4. Ask your credit card company about online fraud protection options and policies. If it lacks them, take your business elsewhere.

5. Change your credit card number every year. This cumbersome method may be the most effective fraud protection technique for frequent online shoppers. I destroy my card every year, and ask for a new one. New cards have different numbers. So even if old transactions are stolen later, the chances of the card being valid are minimized.

6. Ask for notifications for large transactions. Many banks and card companies provide email and SMS notifications if transactions exceed a certain amount. However, when a tank of petrol costs Rs. 2000, I wonder what amount limits to set without being SMSed every time I swipe my card!

Lastly, nothing works better than common sense. If you are shopping at a new website, try paying over the phone. Read reviews posted by other users. Verify transactions in your statement meticulously. And when surfing idly on the Internet, look up the Web Hacking Incidents Database (WHID) at http://www.webappsec.org/projects/whid/. WHID tracks all media reported security breaches.

Do you have any tips or experience to share regarding combating credit card fraud? Write me at cyberwatch at net-square dot com

Published: Times of India, Ahmedabad, 26-Jun-08
