June 21, 2009

Safeguards for your money against ATM card fraudsters

By BABAJIDE KOMOLAFE, Asst. Business Editor

THE rising incidence of ATM card fraud is causing bank customers to developed apathy to payment cards, with some customers  returning their ATM cards to their banks while some simply refuse to obtain the cards..



Bankers however insist that the solution is not rejecting ATM cards but in understanding how ATM fraudsters operate and how to safeguard your accounts against their nefarious activities. PAYMENT cards were designed     to provide banking customers     with all round access to the money, hence making life more convenient and comfortable. But this is becoming the opposite for many banks’ customers in Nigeria. The rising incidence of card fraud has created fear and apathy for the cards in the mind of many Nigerians. Though not peculiar to Nigeria, the rate at which fraudsters are having access to customers’ accounts through these cards is frightening.

Many of the banks are battling with customers’ complaints of money disappearing from their accounts traced to the use of ATM cards. In one instance a customer of one of the big banks lost about N1m within one week, and about 80 per cent of the money was withdrawn through point of sale (POS). To avoid this scourge, bank customers are rejecting ATM cards. According to Sesan, a customer of one of the leading first generation banks, “Since I lost my ATM card, I have not collected another one. Even the other account I just opened, I have deliberately refused to apply for an ATM card. I know they can come handy especially on weekend and public holidays, but I don’t want to lose my money to fraudsters.”

But banking executives maintained that there is nothing wrong with the ATM cards, and that the problem has always been with the cardholders themselves especially the way they handle their personal identification number (PIN). They reasoned that the benefits of having an ATM card far outweighs the risk and the solution is to understand how ATM card fraudsters operate and how to protect your account from their reach.

How ATM card frauds occur: Explaining how ATM card frauds occur, a group executive in charge of card services in one of the top banks stated: “It is true that in recent times we have heard report of cases of ATM fraud, which is actually on the rise. It is important to view ATM fraud cases from several perspectives, before April 1, 2009 what Nigerian banks were issuing were magnetic stripe cards, called magstripe card. It is easily cloned, once the card is cloned fraudulent transactions can be effected on the card. The card is susceptible to cloning because all information are copied on a black stripe at the back of the card and this loophole is what fraudsters have capitalized on to defraud innocent, greedy and ignorant Nigerians. But there is the chip and pin card which cannot be easily cloned.

The Verve Card recently developed and introduced by InterSwitch is an example of a chip and pin card. However, let me state for the record: no fraudster can use the cloned card without the PIN of the authentic cardholder. So, what they do now is to on a daily basis send different types of text messages informing the cardholder that “he or she has won one prize from one MTN or Glo Promo and before you can claim your prize you need to provide your ATM card number and PIN number, the gullible will supply this information and the fraudster quickly use it to clone a new card with which he takes control of the  account and make withdrawals from the account linked to that PIN and card.”

Ignore those emails:   Perhaps, one factor re sponsible for the frightening increase in recent times is the barrage of daily scam emails from fraudsters. The e-mails are disgquised as if they are from InterSwitch, requesting the receiver to go to a website and enter his/her card details e.g.PIN. Unfortunately, most innocent cardholders  get these scam e-mails and comply with the instruction.

In fact, but for colleague, a staff of one of the leading media houses almost fell victim. He was about to enter his card details when a colleague passing by and on seesaw what he was about doing warned him  that it is a fake website. But, according to a senior banker in of the second generation bank, “In most cases, customers, out of just   ignorance or greed fall victim to such scam  e-mails and enter their card details including their PIN and once they do so, they compromise their PIN and  no matter how secure the card is, whether magstripe or chip and pin, once the PIN is compromised then the security is removed.

You see, there is no absolute solution to ATM fraud but it can be minimised, the reason is simply because both work with PIN number.Once you compromise your PIN in anyway knowingly or unknowingly the account has lost its security component. It’s like your normal cheque book once somebody else can sign your signature your account has lost a very important aspect of its security.

Let’s assume that I have a chip and   pin card and I decide to compro mise my card number and PIN, a fraudster might not need to go and clone a new card all he needs to do is to go online, where he needs no card because all he needs is just the card number and PIN, the onus of the security of the card still lies with the cardholder. If you look closely at this website you will discover certain features are there which authentic websites would never display.

Take Interswitch for example, it is spelt InterSwitch in some of the scam mails which is wrong but because people see the logo they assume its genuine and they go ahead to log in their card details. When cardholders get such mails or text all they need to do is to check the back of their ATM card and they will find the customer care number of their bank or card issuer. They must always find out from the bank first before responding to such requests and in any case no bank will ask for the customer’s PIN for whatever reason or reasons.

This is simply because the cardholder’s information resides with the bank apart from the PIN, which the bank initially supplied and advised that the holder change on first ATM transaction. So, there is really no reason for the bank or the switch company to ask for the cardholder’s.”

According to an InterSwitch staff, it is important for cardholders to know that the company does not have a direct dealing with all card holders and hence the case of the company sending email or text to them cannot arise. “Infact we don’t have their email addresses or their telephone numbers. So there is no way InterSwitch could contact any cardholder or send information to them.”

Customers should change to Verve cards: Bankers also advise customers to exchange the margnetic strip ATM card for the chip and pin Verve card recently developed by InterSwitch. At the launch of the card last year, managing director/chief executive, InterSwitch, Mitchel Elegbe, explained that one of the reasons for the card was to combat ATM card fraud and hence the card has in built security that can forestall any fraud attempt on the holders account. Verve card is basically a chip and pin based card and is also Europay, MasterCard and Visa (EMV) compliant card.

It has a set of standards and compliance that a typical financial institution that is issuing and acquiring electronic payment transactions must adapt its operating system to and  for it to be able to secure its cardholders and payment systems.
It’s just like having NAFDAC that regulates drug and food in the country, now the new card (Verve) is EMV complaint and is a chip and pin based card. For the magstripe card which has been phased out now, it has a typical black stripe at the back and that is where the information of the holder is stored, and such information can easily be extracted for cloning, but for a chip based card like the Verve, the information is stored on the chip and is also encrypted just like your regular GSM SIM card, it can store phone numbers the same way the chip on the verve card can store information and when those information are stored they are encrypted with certain keys. The encryption is not done by the issuer alone, it is a combination done by the issuer, the switch and the primer.

According to Elegbe, one of the interesting and unique security features of the Verve card is that if it mistakenly falls into the hand of fraudsters whenever they attempt to use the card by trying to get the PIN through trial and error, by the second attempt the owner of the card would receive a text message informing him/her of such attempt on the card.

Although since it was introduced late last year, Intercontinental Bank is the only bank that has started issuing Verve cards. Investigations reveal that other banks, in compliance with June 30 deadline of the Central Bank of Nigeria, CBN, to migrate to chip and pin card, would soon be issuing the cards to their customers.

But, a source in one of the banks noted that, “typically Nigerians always resist change even if it’s for our benefit. Several adverts and notifications have gone out, yet our people will not change their magstripe for the Verve chip and PIN. To make it easy we refused to make it compulsory but cheap to acquire just to make sure the customer is protected. As long as our people refuse to exchange their present magstripe card for the Verve to that extent they are susceptible to ATM Fraud.”