Global gang skims Indian credit card industry of Rs 30 crore in 2 months


February 6, 2013

MUMBAI: The credit card industry in the country has been hit by a series of frauds over the past couple of months, a scam which could potentially impact a large number of credit card users in days to come.

February 6, 2013

MUMBAI: The credit card industry in the country has been hit by a series of frauds over the past couple of months, a scam which could potentially impact a large number of credit card users in days to come.

Top card issuing banks have seen unauthorized transactions totaling around Rs 30 crore so far by an international syndicate, which bankers believe is capturing card information through retail outlets that have been compromised.

The most disconcerting part is that banks have not been able to identify the establishments or the machines which are swiping card information. A couple of banks that TOI spoke to suspect the theft could be taking place in swipe machines in departmental stores that have been accessed by hackers and compromised to read and transmit credit card information.

All top credit card issuers — ICICI Bank, HDFC Bank, Citibank, SBI Cards and Axis Bank — have been affected by these frauds.

Here is how it works. After accessing the credit card information, the hackers use it internationally for online transactions. There have been cases where cards have been cloned and used for transactions in shops.

"We have seen cloning happening when cardholders travel to some global destinations that are notorious for cloning. Now we are seeing this happen with cards where the holder has neither travelled abroad nor used it for online transactions," said a bank official.

Although fraudulent transactions in India have shrunk dramatically with the introduction of 3D security, the weak link is international transactions. In India, a user needs the cardholder's name, expiry date and CVV number (the three-digit number on the back of your card) plus the online banking password or one-time password for online transactions. Internationally, the transactions are done on the basis of credit card information alone.

There is, however, hope for consumers who have been cheated. Banking sources say where it is established that the consumer is not at fault, they don't have to bear the loss. However, there is substantial inconvenience to the consumer as the amount is kept pending until investigations are complete.

Banks on the other hand may have to reissue thousands of cards which have been compromised and replace existing cards much ahead of their expiry date. In some cases the card issuing banks are protected by insurance if the fraud amount crosses a certain level if they have purchased covers. The bank's contracts with the credit card payment companies Visa and MasterCard also provides for reversal of charges if the merchant has not taken precautions.

"ICICI Bank has noticed that certain fraudulent transactions have taken place in the last few weeks across some overseas merchant terminals on credit cards that have been skimmed. This is not specific to ICICI Bank; it's across the credit card industry. ICICI Bank has taken measures to protect its customers whose credit cards might have been compromised, by issuing new cards to them," ICICI Bank said in a statement.

Although RBI does not investigate these frauds, it does prescribe standards for the card industry. To enhance security features the central bank has asked banks to move to chip-based cards by June 2013 for those who use cards in international transactions. RBI has also said that it will decide whether to make chip-based cards mandatory depending on the progress of Aadhaar, which if successfully rolled out, would provide another level of security through biometric identification.

Bankers said that it was not possible to classify all the contested transactions as fraudulent. "We have had cases where the cardholder could not identify the name of the company in his billing statement. But that customer apologized later when he recalled the transaction," said a bank official. They said that the true extent of fraud could be known after each case is investigated.

Citi, another large issuer which has also been hit by such frauds, did not comment on the magnitude of such cases. "Citibank is committed to providing enhanced security for customer transactions across all channels, including credit and debit cards, at all times. In keeping with this objective, Citibank is amongst the first banks to issue Chip + PIN credit cards in the country for higher security. The bank has also invested in robust controls including advanced transaction monitoring system (with real-time monitoring capability), process of call back to customers for high-risk transactions, proactive reissuance of cards at risk as well as conducting regular customer and merchant education programmes," Citi said.

IndusInd Bank, meanwhile, has experienced a fraud on its pre-paid card. The fraud was a result of hacking the Electronic Clearing System using a malware. The bank believes the hacking to be the work of an international fraud syndicate. "There is no impact to any of our customers. The malware has been identified and removed. External consultants have been hired to investigate this incident and steps taken to secure their systems basis advice from them. Monitoring controls have been enhanced including using the fraud prevention systems of the Associations" a spokesperson said.

According to SBI Cards, the company immediately blocks a card when it gets information on a fraud. "We analyze and try to identify a common fraud and tend to narrow down on the possible compromise point and subsequently block the suspected merchant to pre-empt any further misuse or fraudulent activity," it said. It added that it also informs the payment network (Visa and MasterCard).

Courtesy: TOI