Cybercriminals who steal money from the credit cards of unwitting citizens have already become a legend in Ukraine. Nobody sees them, but the results of their activities are rather serious: money disappears from clients' accounts in an unknown direction, and there is only a small chance of getting it back. Moreover, in many cases clients themselves ignore simple safety measures, thus giving thieves easy access to their accounts.
In an interview with Oleksandr Tretyak, a member of the Committee on banking infrastructure and payments of the Independent Bank Association of Ukraine, ForUm has learned about the capabilities of modern thieves and elementary methods of protection against them.
– What is the rate of credit card fraud that happens due to the carelessness of clients themselves?
– There are no exact statistics, but to a varying degree every case of unauthorized transaction occurs due to the carelessness of clients. However, thieves constantly improve their methods, so clients cannot always protect themselves.
– Does the probability of being attacked depend on the amount of money in the account?
– No, it does not. In the majority of cases thieves do not even know how much money is in the account; they just attack as many accounts as they can lay hands on.
– What are the most common violations of safety rules by clients?
– Well, card operations can be divided into cashing and trade transactions. Cashing requires the physical presence of a credit card, in particular the reading of the card data by a special device, an ATM machine, for example, which in turn requires a PIN. In this case, the most common violation is poor protection of the PIN code. Clients often write it down on a piece of paper and keep it next to the card, or even keep the PIN envelope in their purses. However, cashing fraud is a complicated procedure, as it requires special equipment to read the data and PIN.
Though cash frauds seem to be more attractive operations for thieves, they prefer internet transactions, carried out without the physical presence of the card. In the simplest case, thieves need the card account number, the 3- to 4-digit Card Security Code (CVV2) and/or the card’s expiration date. As a rule, clients do not care to protect this data. We are used to giving the card to waiters in restaurants, to sending a copy of it via e-mail to book a hotel room, to ignoring what a cashier in a supermarket actually does with the card. This gives strangers the opportunity to study, memorize or even take a picture of the card and its data.
– Are there rules that must not be ignored under any circumstances?
– Well, in fact, there is only one principal rule, which is to limit the access of strangers to the card, including its requisite details (CVV2, PIN, expiration date, account number).
– Is it expedient to open a different card account for internet transactions only?
– Indeed, it may be of use, especially for those who often purchase over the internet or those who have a significant amount of money on their main card. It would also be expedient to set a payment limit or keep the card always blocked and activate it only for the transaction itself.
– Sometimes it is required to enter the card account number for some charity event or other. Can it lead to card fraud?
– The account number itself is not enough for any transaction. Thus, by entering or publishing only the account number, a client does not risk any theft. However, he must always remember to protect the other requisite details.
– What should a client do so that cashiers or waiters do not take advantage of him?
– To be sure, clients should follow the actions of a waiter when he takes the card. Clients have the right to ask for the payment operation to be carried out near the table. Moreover, a client can cover or paint out the CVV2 code of the card after memorizing it or writing it down somewhere. Besides, never tell your PIN to a waiter; always type it personally so that nobody sees it.
– What actions of a waiter or other service worker can be considered suspicious and should alarm a client?
– If a service worker studies your card for a long time trying to remember its data, or passes the card through a foreign device that reads the magnetic strip, such actions are rather alarming.
– How common is the use of skimming devices in Ukraine?
– There is no reliable data about the number of ATMs equipped with skimming devices, and the data available is most probably underestimated, but in general, the use of such devices tends to grow.
Instances of skimming have been reported where a perpetrator has put over the card slot of an ATM a device that reads the magnetic strip as the user unknowingly passes their card through it. These devices are often used in conjunction with a miniature camera (inconspicuously attached to the ATM) to read the user’s PIN at the same time. Another technique used is a keypad overlay that matches up with the buttons of the legitimate keypad below it and presses them when operated, but records or wirelessly transmits the keylog of the PIN entered. Recently-made ATMs now often run a picture of what the slot and keypad are supposed to look like as a background, so that consumers can identify foreign devices attached.
However, thieves constantly improve their methods and develop devices that beat anti-skimming devices. Sometimes, skimming is difficult even for card issuers to detect, let alone a typical cardholder.
– Is it so easy to install a skimmer?
– Installation of a skimmer takes about a minute. In crowded places nobody pays attention if someone does something to an ATM. Moreover, it is hard to tell whether a person is actually installing something on the machine or simply using it. Besides, perpetrators may work in groups, where one person installs the device and others imitate a line to shield the thief from passers-by. For this reason, banks regularly inspect their ATMs to check whether they have any foreign devices installed.
– So how can a client be sure to use a safe ATM?
– Well, covering the keyboard with the hand while typing a PIN is one of the means to protect the account, as without the PIN any other data of the card is useless for thieves. For bank clients it should become a must even if they use a presumably safe ATM. Moreover, banks install anti-skimming devices quite firmly so that vandals cannot break or dismount them. Thieves, on the contrary, install theirs loosely to be able to remove the device fast. Thus, it would not hurt to pull the card reader a couple of times and, if it detaches, not to use the ATM but to call the bank and report the incident.
– Is there any chance of getting back the funds stolen by thieves?
– Every compensation case is considered by banks individually, and there are no criteria to follow. It may also depend on the complexity of the theft. Skimmers, for example, are hard for typical customers to detect, and ATMs are the property of banks after all, which entails a certain degree of responsibility. Obviously, banks must investigate every operation and transaction challenged by a client and subject to compensation following the IPS. The IPS are the common rules of the International Payment Systems, compulsory for all banks. This document is an internal publication for bank officials to consult and follow. However, according to the IPS, operations and transactions confirmed by a PIN are not subject to contestation, as entering the PIN is considered the primary sign of the client’s authenticity.