Mixed messages abound about the scale of credit card fraud. Some claim that using your credit card over the Internet is financial suicide, others cite statistics that online transactions are safer than face-to-face transactions. Depending on who you talk to, anywhere in the world can be a 'fraud central' for card skimming, and industry losses are rolled up like phone numbers. Statistics become meaningless, and can be used to support your own arguments.
As far as Indonesia, and those who live, work or visit here are concerned there is one fact regarding credit card fraud.
Visa International and Mastercard, two major service providers worldwide, currently rank Indonesia as No. 2 on the list of the world's worst countries for credit card fraud based on total recorded incidents.
The problem for most is how to reduce the risk of becoming a victim. To appreciate this, some understanding of the problem is necessary.
Credit cards bear the symbol of the company that controls and regulates credit cards. Banks that are required to meet standards set by the credit card company issue the cards themselves. Credit card companies are non-profit, and collect funds from charges to the bank. These fees include fines for malpractice. When customers suffer losses due to fraud, the credit card company covers them, but takes the money back from the issuing bank.
This relationship is important because while customers may be comforted by seeing the credit card company logo on their cards, the responsibility and duty of care to them actually falls on the issuing bank.
Furthermore, when a customer makes a purchase at a retailer, the issuing bank may not have a credit card terminal at the retail outlet. This makes sense, banks share facilities and therefore any reader will be able to process the transaction. However, this means that the transaction is entrusted to another bank’s processes and protocols.
In any country, the security of card information depends on the bank's own protocols, systems and general security level.
In Indonesia, the banking sector has a troubled past. Many of the banks opened in the past decade were personal lending facilities for corrupt businessmen. What followed were hasty mergers, attempts by the Indonesian Bank Restructuring Agency (IBRA) to prevent the collapse of the entire sector, and a shaky path to normality. The recent sale of Bank Central Asia illustrates that there is still a long way to go.
Being without your plastic card, for a short period of time, can be a real hassle. A criminal can quickly spend hundreds or even thousands of dollars using your card or its details - often before you realise anything is amiss. There was a time when if you, the customer, were clever enough to take a carbon copy from a shop assistant when using your credit card, you could rest easy. Not any more. Credit card fraud is an international business run by clever syndicates with industry insiders on their payroll. Here are some of the methods used to obtain credit card numbers and related information today in Indonesia.
Fake Scam
A counterfeit card is one that has been printed, embossed or encoded without the permission of the issuer, or one that has been lawfully issued and subsequently altered or re-encoded.
Most counterfeit fraud cases involve skimming, a process in which the original data on a card's magnetic strip is electronically copied to another, without the knowledge of the legitimate cardholder.
Skimming typically occurs in retail outlets - especially bars and restaurants - where a corrupt employee takes a customer's card before handing it back, then selling the information at a higher-level criminal enterprise where counterfeit cards are made. In other cases, the details obtained through skimming are used to commit card-not-present fraudulent transactions. Often the cardholder is unaware of the fraud until a statement arrives showing a purchase they did not make.
More worryingly, card details can also be obtained by ‘Chipping’ card readers at legitimate points of sale. Card readers need to be serviced and repaired from time to time. Cases have been uncovered where a fake service engineer has been present and inserted a chip into the reader which records the card details of transactions completed on that reader. A month later the ‘service engineer’ returns and removes the chip (which now contains hundreds of card details).
Additionally, in countries like Indonesia where security is less robust, tapping the phone line from the card reader to the host bank, or tapping the bank's phone line can be accomplished with little technical know-how. The chances of detection are also slim.
(Cardholders must always look at their cards when making transactions)
Merchant Fraud and Ghost Terminals
In order to install a card reader, a retail outlet must meet certain criteria. These are often very basic in Indonesia and therefore fraudsters can easily set up fake or phantom operations. One method is to rent a shop on a short-term basis for cash, install a reader that provides fake details and then carry out maximum fake transactions with compromised data and fake cards in the shortest possible time. This can be achieved more easily by ‘buying’ a failing business that already has a legitimate reader installed.
Ghost terminals can be created by getting the readers themselves, from say a failed business. With some banking knowledge, the readers can be initiated with the bank with completely false details, via an automated phone call in the initiation system. Once a high volume of fraudulent transactions is discovered, the trail leads nowhere.
Card-not-present Fraud (Fraudulent Use of Card Details)
This crime involves using fraudulently obtained card details to make purchases, usually over the phone or on the Internet. A physical card is not required. Typically the details are taken from discarded receipts or copied without the knowledge of the cardholder. As with counterfeit fraud, the legitimate cardholder may not be aware of the fraud until a statement is received.
More worryingly in Indonesia, criminals have been found to have information apparently obtained from bank data breaches. This can be obtained technically (by hacking into an unsecured bank database) or through collusion of bank staff (paying them to reveal or download information).
The card details are then used to visit online casinos and any winnings are kept as 'laundered' money. The crime syndicate will run several computer terminals 24 hours a day to gamble online with the card details until the cards are blocked.
(Discard receipts carefully - shred them if possible - and check the statements for unfamiliar transactions. See Ten-Point Internet Checklist post)
Lost or Stolen Card
Most lost or stolen card frauds occur at retail outlets before the cardholder reports the loss. In other cases, card details from lost and stolen cards are used to commit fraudulent card-not-present transactions.
To help detect fraud on cards that haven’t been reported lost, the banking industry in most countries uses intelligent computer systems that track customers’ accounts for unusual spending patterns. Such systems are generally lacking in Asia.
(It is essential that cardholders keep their cards safe at all times, and immediately report lost cards to their issuing bank so the card can be blocked)
Card Fraud Not Accepted Letter
The number of plastic cards stolen in the post is difficult to assess. While still a small fraud, there has been a significant increase (in countries with reliable statistics) in the past two years. This increase illustrates how criminals are looking for new areas to exploit as fraud prevention initiatives push them away from their usual methods.
(Contact your issuing bank if you are concerned about sending plastic cards by post)
Identity theft
While evidence of identity theft on card accounts is currently minimal, it is likely to increase once the chip and PIN system comes into effect as this may encourage criminals to look for different ways to commit fraud.
There are two categories of identity theft.
Application Fraud
Application fraud involves criminals using stolen or forged documents to open accounts in someone else’s name. Criminals may try to steal documents such as utility bills and bank statements to gather usable information. Or, they may use forged documents for identification purposes.
Account Takeover
Criminals try to take over someone else's account, first by gathering information about the intended victim. The criminal then contacts the card issuer, posing as the original cardholder, to request that mail be directed to a new address. The criminal then reports the card as lost and requests a replacement be sent.
This type of fraud is not common in Indonesia. They tend to be confined to more sophisticated jurisdictions with strong anti-fraud apparatuses.
(Cardholders should dispose of bank statements, utility bills and receipts carefully - shredding them if possible)
ATM (Automated Teller Machine) Fraud
Most ATM fraud cases occur when the legitimate cardholder has written down their PIN and stored it with their card in a stolen wallet or purse.
An increasingly common problem is shoulder surfing – where criminals look over ATM users’ shoulders to watch them enter their PIN, then steal the card using distraction techniques or pick pocketing.
ATM fraud involving card-trapping devices is also on the rise in Western countries. The device holds the card inside the ATM, where the criminal approaches the victim and tricks them into re-entering their PIN. Once the cardholder gives up and walks away, the criminal removes the device, along with the card, and withdraws cash.
(Never write down your PIN and be alert when using ATM machines).
Expats Targeted
Expat credit cards are rich pickings for fraudsters. They are easily identified by the first four digits of the card number, issued by a foreign bank. They generally have higher daily and overall spending limits, and more diverse spending patterns, making the fraud harder to detect. Syndicates will send cards created with these details to countries where they can be used most efficiently. Currently, Taiwan and Japan are the favorites in Asia for luxury purchases. Syndicates also seek out Gold and Platinum cards for the same reasons.
(Have a locally issued credit card to use as an alternative. This will also serve as a backup in case you are unlucky enough to fall victim to fraud. Avoid Gold and Platinum cards unless you really need the higher limit or other benefits they offer.)
To combat plastic card crime, two facts need to be established at the time of the transaction - that the card is genuine and that the person using it is the true owner.
The introduction of highly secure chip cards in countries such as the UK meets this first objective by confirming that the card is not counterfeit. Chip cards also open up new possibilities for addressing the second objective of fraud prevention – identifying the cardholder.
To meet this second part, all face-to-face credit and debit card transactions will eventually be authorized by customers entering their PIN (personal identification number) rather than signing a receipt. This method is starting to be introduced in Europe, but due to the large investment required in card system infrastructure, it will be a long time coming to Asia.
To help protect yourself from becoming a victim of card fraud, follow these tips:
Take care of your card, keep it safe at all times and never lose sight of it when making transactions.
Carefully dispose of receipts from card transactions - destroy them if possible to prevent 'dumpster divers' from obtaining information about you and your card.
Check your receipt against your statement. If you find any unfamiliar transactions, contact your card issuer immediately.
Never write down your Personal Identification Number (PIN) and never reveal it to anyone, even if they claim to be from your card issuer or the police.
When using an ATM, be alert for anyone who may be trying to watch you enter your PIN and do not allow yourself to be distracted by anyone trying to talk to you.
Report lost or stolen cards to your card issuer immediately.
Have a locally issued credit card to use as an alternative. This will also serve as a backup in case you are unlucky enough to fall victim to fraud. Avoid Gold and Platinum cards unless you really need the higher limit or other benefits they offer.
Other useful tips:
- Sign the new cards as soon as they arrive. Make sure that you cut up the old cards as soon as the new ones become valid.
- If you carry a bag, carry it securely with the buckle toward you. A money belt or secure inner pocket is best for valuables.
- Do not leave your card unattended in a bag, briefcase or jacket pocket in public places and keep your bag or briefcase on your lap.
- At work, keep your bag and other personal items in a closet or drawer.
Internet Fraud
Most internet fraud involves using fraudulently obtained card details in the real world to make card-not-present transactions online. Card-not-present fraud on low-Internet transactions accounts for about three percent of all card fraud losses.
Cardholder Information Security
The incidence of hackers stealing cardholder data from websites is very low compared to other ways criminals access card details. To protect data, international card schemes have strict criteria to help retailers protect their websites.
Ten Point Checklist for Internet Transactions
The vast majority of businesses operating on the Internet are honest and legitimate organizations. Due to the credit card fraud problem here, many companies will not accept purchases with an Indonesian mailing address. The following ten-point checklist when shopping on the Internet is recommended.
Only use recognized and established retailers.
Never reveal your PIN to anyone and never send it over the Internet.
Make sure that a locked padlock or unbroken key symbol is displayed at the bottom right of your browser window before submitting your card details. The beginning of the retailer's internet address will change from 'http' to 'https' when the purchase is made using a secure connection.
Make sure your browser is set to the highest level of security notifications and monitoring. Security options are not always enabled by default when you install your computer.
Use the latest version of your web browser, older versions are less secure.
Make sure the retailer has an encryption certificate. This should explain the type and level of security and encryption it uses.
Check your card statement as soon as you receive it. Raise any discrepancies with the retailer in question in the first instance. If you find transactions on your statement that you did not make, contact your card issuer immediately.
Print your order and keep a copy of the retailer's terms and conditions and returns policy. There may be additional charges such as local taxes and shipping, especially if you are buying from overseas.
Make sure you are fully aware of any payment commitment you are making, including whether you are instructing a single payment or a series of payments.
If you are hesitant to provide your card details, look for another payment method.