I have investigated several credit and debit card fraud schemes. I have encountered the following exposures over and over again. Carefully read to understand and be safe. Before you suffer making more money, first protect the little you have on your account.
If you use a visa debit card or credit card, you should be careful. It is very easy for fraudsters in Uganda or elsewhere to defraud you. The only security you have is not losing your card and or not revealing your card number and security code.
As a competitive advantage, most banks will issue you a VISA debit card or a CREDIT card (if you are assessed as credit worthy). In Uganda, virtually all bank customers have visa debit cards, as they also double as their ATM cards. New market entrants like UBA have come up with new cards called CHIP and PIN. Although technically advanced and very secure on-line, they have several shortcomings, attributed to poor security awareness of their holders. These cards are instantly issued to aid your on-line transactions like paying for ACCA, CISA, CFE or any other professional exams/ qualifications. UBA’s card called UBA Africard is at a higher risk of identity theft as the customer’s names are not shown on the card. The generic name for all UBA Africard is UBA Cardholder. Any one who gets physical possession becomes the owner! Like all cards, this card has a unique client 10-digit identification number, located at the bottom, on the backside. You need this additional # to process on-line payments.
Being a holder of a debit and credit cards, I have noted the following security (confidentiality, integrity and availability) weaknesses:
- The card has an option for a signature of the rightful owner. However, this signature serves no purposes as far as authentication is concerned. You can use the card to process payment on-line without verifying your signature.
- If you lost your VISA debit card, it is easy to lose money. At most supermarkets and other points of sale (POS) processing such VISA cards, the gadgets in use have weak authentication controls. I witnessed a customer pay for goods using the debit card at the checkout point in a Supermarket. The customer just handed over their debit card, which the teller swiped into the machine. And alas, the transaction was processed instantly. No any authentication asked – no password or any security question requiring the genuine owner to answer. Financial institutions issue cards with very weak security controls. How many holders have been advised of the risk of disclosing the information on their cards or losing the physical card altogether?
To understand the risk posed by most VISA cards, let’s understand how you can use the visa cards to make payments.
You can buy goods on-line from any vendor like Amazon, eBay or pay for professional exams. One can also make a one-off purchase from any vendor on-line for any item of interest e.g. paying for pornographic subscriptions. Stolen cards are often used for the latter or similar purchases that are unethical or criminal in nature. This has double negative impact of damaging the reputation of the genuine cardholder.
To pay for goods on line, you need to have the physical VISA debit card or the details thereon – the card number, expiry date, name on the card and the three-number security code usually at the back of the card. If one gets the front and back side photocopy of your card, they have enough information to purchase items on your card. All the information needed to process a transaction is written on the card. The only time one needs a passcode/ pin number, is when withdrawing money via the ATM machine.
Attach vector: a fraudster steals information on your card by copying it on a piece of paper for use later. They don’t have to steal your physical card. In effect, a person could use your card to pay for their on-line errands while you have the physical card in your pocket! Or you use it as the fraudster also uses it.
Recommended countermeasure: Aggressive customer awareness of the mentioned danger. Issuing banks must advice their customers NEVER to give their physical cards to any person or share the details thereon. Customers should sign having read and understood such caution while collecting their cards from the bank.
Reactive control in place: SMS notification every time money is deducted from your account/ card. Some banks send an automatic SMS to the customer’s mobile phone number, every time their card is used to withdraw money. If the customer is not aware of the payment, they can contact the bank and report the fraud. However, this control is only reactive – customers are informed only after the card has been used and money withdrawn!
Regulatory control: The payment card industry data security standard (PCI/ DSS) addresses some of this issue. All banks that issue payment cards must be accredited and all bank staff involved in card issuance should be certified/ training in PCI DSS. This is should be an on-going effort.
You need a physical visa debit card (something you have) and a personal identification number (PIN) (something you know) to withdrawal money from your account via the ATM. This is secure.
Attack vector/s: (1) Fraudster steals your ATM and coerces you to reveal pin; (2) Your close friend or relative picks your card from your bag, and also gets to know your PIN. You could have given your PIN to such a person in the past to help you withdraw money while you were too busy to do it on your own; (3) your card ‘captured’ by the fraudsters at the ATM, while they watched over your soldier as you entered your PIN. When you leave ATM, they retrieve the card and PIN and withdraw your money. And other new schemes. But the three are the most common.
Counter measure: (1) ATM withdrawal limits; (2) User awareness training and security cameras in the ATM rooms. The most effective is user awareness training. Security cameras in ATM rooms help banks explain who actually used the victims card to withdraw money, after the genuine customer comes to the bank complaining. So this is a reactive measure.
Supermarket purchases at POS
This presents the biggest exposure. To ensure convenience and therefore competitiveness, most banks have partnered with several supermarkets to have their customers pay using their debit or credit cards. All one needs is a physical card (to swip). At some point of sales (POSs) the cashiers might ask for the card holders ID like driving permit or passport so as to confirm ownership by matching the names on the card and on the ID. However, this control does not work for cards like UBA Africard that has generic username, UBA Cardholder. Some cashiers will take a copy of your ID. But that is not always the case, as in reality, so many customers visit the cashiers and wont tolerate an overzealous cashier moving from their desk to make a photocopy of a customers ID. Few POS require the customer to input their PIN code like the one they use on ATM. Many others I have visited, just swipe your card and deduct money. No other questions asked!
Attack vector/s: Fraudster steals your physical card. If they are good at social engineering, they could steal your PIN, just in case.
Counter measure: User awareness training and security cameras in the supermarkets. The most effective is user awareness training. Customers should never share their cards. You must report the loss of your physical card to the nearest issuing bank branch and police – for the card issuing bank, to disable your account withdrawals, and to the Police to look for the fraudster.
Of course, the list is not conclusive. I will share more. Would appreciate your comments below.
I remain, Mustapha B Mugisa, CFE, Your Anti-fraud and Forensic Expert.