How criminals steal your credit card info

The South African Banking Risk Information Centre (Sabric), on behalf of the banking industry, has voiced its concern about the increase in card fraud in 2014.
The banking industry’s gross fraud losses due to South African-issued credit card fraud increased by 23% from R366m in 2013 to R453.9m in 2014.
The losses associated with debit card fraud also showed an increase of five percent, from R117.7m to R123.5m in 2014.
The majority of the debit card losses were due to counterfeit card fraud, and most of the transactions occurred within South Africa.
Credit card fraud is most prevalent in the provinces of Gauteng, the Western Cape, and KwaZulu-Natal, as they collectively accounted for 88% of all credit card fraud in South Africa.
These provinces also recorded the highest number of skimming devices retrieved. From 2005 to September 2014 a total of 1,377 handheld skimming devices were recovered by either SAPS or bank investigators.
Criminals can use various methods to steal debit card and credit card information, and then use this information to commit card fraud. Here are some of the most popular methods used.
Card skimming
Card skimming involves the illegal copying of encoded information from the magnetic strip of a legitimate card by means of a card reader. This could occur either at ATMs or points of sale.
“These devices have the ability to read and store the information on the magnetic strip of a card when the card is swiped through the device,” said Sabric CEO Kalyani Pillay.
The compromised information is then downloaded onto a computer and used to encode another card. Specialised software is used in both instances.
Criminals also do their utmost to steal the victim’s PIN so that they can use the counterfeit card to either draw cash or make purchases.
Card skimming devices and small hidden cameras are often installed on ATMs: the skimmer steals the card information and the camera captures the user's PIN.
Criminals purposefully design these devices to ensure they blend with the ‘look and feel’ of ATMs.
Social engineering and handheld card skimming
One of the common scams, Sabric warns, is a person claiming to work for a bank approaching unsuspecting ATM users while they are standing in an ATM queue.
The criminal then advises them to ‘re-activate’ their card by swiping it through a ‘card re-activating device’.
“Unbeknown to the victim, the device in the perpetrator’s possession is not a ‘card reactivating device’ but a handheld skimming device,” Sabric warns.
“Often there would be a second or even third person loitering around the ATM, shoulder surfing for the customer PINs.”
Card skimming at retail merchant points of payment
The skimming of cards can also take place at a merchant point of payment, often referred to as the point of sale.
Personnel working at retail outlets, such as waiters and cashiers, are often provided with handheld skimming devices by card fraud perpetrators and rewarded for skimming customers’ cards.
First Calgary Financial provides the following basic advice: If you cannot insert your chip card with your thumb pointed at the device and have your thumb remain fully on your card, tell the store clerk you believe the terminal has been tampered with. Do not enter your PIN, and remove your card.
Other methods of stealing card details
Pillay warned that card skimming is only one way through which criminals can steal card details. Other methods include physical theft, infected computers, and poor online security.
“Card details can also be stolen if written down on paper or sent by way of emails that are not encrypted. This should never be done,” said Pillay.
She added that computers can be infected with spyware, which will relay everything the victim types to the criminal.
“If card information is typed on an infected computer, the characters could be relayed to the criminal. Malware can also be used to steal card data.”
This credit card information is then used to commit Card Not Present (CNP) fraud – a fraudulent transaction where neither the card nor the cardholder is present when the transaction is conducted.
CNP fraud is typically conducted using telephonic sales, purchases on the Internet, mail order, or fax.
Online risks
Kaspersky Lab states that whenever you try to visit an online banking or shopping website you could be putting your identity and your finances at risk.
This includes risks from malicious spam, phishing, Trojan viruses (including keyloggers, which record everything you type on your keyboard), infected websites, and computer viruses.
Prevent falling victim to card skimming fraud
Sabric offered the following advice on how to protect yourself against card skimming:
- If you think the ATM is faulty, cancel the transaction immediately, report the fault to your bank, and transact at another ATM.
- Be cautious of strangers offering help as they could be trying to distract you in order to get your card or PIN.
- If you are disturbed or interfered with whilst transacting at the ATM, your card could be skimmed by being removed and replaced back into the ATM without your knowledge. Cancel the transaction and immediately report the incident using your bank’s toll-free number, which is displayed on the ATM or on the back of your bank card.
- Choose familiar and well-lit ATMs where you are visible and safe to transact.
- Know what your ATM looks like so that you are able to identify any foreign objects attached to it.
- If your card is retained, do not leave the ATM before you have cancelled your card by calling your bank’s call centre using your own mobile phone.
- Shield the hand that is typing your PIN.
- Never let the card out of your sight when making payments and, if possible, insert the card into the point of sale device yourself.
- Always ensure that the card you receive out of the ATM is your own.
- If you have debit, cheque, and credit cards, don’t choose the same PIN for all of them so that if you lose one, the others will still be safe.
- Keep your transaction slips and check them against your statement to spot any suspicious transactions.
- Check the Rand value of the transaction on the screen before entering your PIN and authorising the transaction. Note the value must be reflected in Rands. If not, stop the transaction and contact your bank immediately.
- Change your PIN as often as possible.
- Do not ask anyone to assist you at the ATM, not even the security guard or a bank official. Rather go inside the bank for help.
- Never force your card into the slot as it might have been tampered with.
- Do not insert your card if the screen layout is not familiar to you and looks like the ATM may have been tampered with.
- Never write your PIN on your card.
- Never write your PIN on paper and store it in the same location as your card.
Prevent online Card Not Present fraud
Pillay urged consumers to ensure that their computers have appropriate security measures installed and that their software remains updated.
“Consumers must also register for 3D Secure products before making online purchases and only buy from online merchants who offer 3D Secure on their websites,” said Pillay.
“Once registered, a unique password will be required before transactions can be completed which provides an extra layer of security.”