
Monday, May 16, 2005

Information Technology Act 2000, India Hacking section 66

Coming soon to a theatre near you,
Sarbajit Roy's personal blog.
Dammit, just about everybody seems to have a blog nowadays

So is it now "curtains" for http://hometown.aol.com/roysarbajit/ where my trusty public files have resided all these years?

My Credit Card Project Files
I want the Credit Card Industry in India, which is now illegally controlled by a clutch of cowboy Foreign Banks who have the Government in their pocket, to be regulated!
Scrivener Sarbajit Roy

MasterCard credit skimming fraud tactics

Customer education, merchant compliance imperative
(Source: The Hindu, Aug 29, 2002)


Highest percentage of frauds falls under the `card not present' type of transactions and counterfeit cards. Though skimming is not happening in India, skimmed cards are in circulation. A technology to prevent skimming is already being pilot tested by MasterCard.

Skimming Indian credit cards is not attractive as the credit limit is very low.

THERE ARE some things money can't buy. But for everything else there is MasterCard. So goes the catchy slogan of MasterCard, one of the major credit cards in circulation in the world. True to the slogan the convenience of a credit card needs no description. But it can be misused when it reaches the wrong hands. Consider this to know the magnitude of the problem — the total loss to MasterCard last year mounted to a staggering $369 million.

India is no exception to credit card fraud. The only consolation being that most of the frauds are small in value and can be easily checked. "The highest percentage of frauds in credit cards in India happens in the mail order telephone order (MOTO) type," said Mr. Rajiv Duggal, Director (Security & Risk Management), South Asia, MasterCard International at a seminar conducted by Chennai based FSS on identifying and preventing credit card frauds. These are the typical `card not present' type of transactions where the card owner furnishes the card details in an application form or conveys it over phone.

In a typical mail order application the card owner furnishes card details like the card number, his name, date of birth, signature and card expiry date apart from his address where the product has to be delivered. The merchant sends these details to the issuing bank for approval before delivering the product to the customer. In a clean case the process goes to completion without a glitch. "A fraud when committed easily comes to light if the issuing bank checks the address given on the application with the owner's actual address," said Mr. Duggal. This works on the assumption that the impersonator would give his address and not the actual owner's address. "So this type of fraud can be easily checked and prevented if all concerned banks look for the inconsistency," Mr. Duggal explained. Technology to prevent such crimes is already in place but very often the impersonator gets away with the crime due to lack of attention to details.

But even when the banks are alert the crooks still have a way to cheat the system. In many cases the fraudster uses the telephone to inform the bank of a card loss and requests the bank to send the card to a new address as he is on the move. Actually an MNC bank which is one of the biggest players in India went on air some time ago advertising their customer friendly nature by delivering the card to the customer at a new location. "Banks are more customer oriented these days even when there is a change in address. And this is the root cause of all problems," he stressed.

Compared to MOTO, frauds due to lost cards are fewer and are primarily the customer's fault. "What can you say when the customer writes the personal identification number (PIN) on the reverse of the card and then loses it. It's akin to losing a signed blank cheque," a banker comments. Frauds due to card loss and counterfeit are around 13.4 basis points in India against a global value of 7.5.

Counterfeit cards are very rampant abroad and there are many techniques used to make one. The simplest one is to erase the original embossed number on the card. "Even a hair drier can do the job," said Mr. David Garrett, Senior Industry Specialist at ACI Worldwide which provides the technology to identify and prevent card frauds. The next step is to emboss a new valid number and scratch the magnetic strip to destroy the original customer validation code (CVC1) data. CVC1 data contains all the information about the customer. The card will not work when used in a swiping machine very commonly seen at merchant outlets. So what does the merchant do? Typically punch the card details and the sale is completed.

But is there a technology to prevent this too? The CVC2 number (last three digit numbers) found on the reverse of the card can call the bluff. "But how often do merchants get in touch with the banker and the banker cross checks the CVC2 with the customer?" quips a banker.

A more common counterfeit method again prevalent abroad is to make a new plastic with an embossed number and other details. But have a close look at your card and you will find a four-digit number printed on the card below the embossed number. This number unique to a particular bank will match the first four digits of the embossed number. "Citibank and HSBC cards are one of the widely prevalent cards in India. And you will find one of the two numbers printed there," Mr. Duggal said. Manufacturing the plastic with the printed numbers and embossing on it are done by two different persons. And in all likelihood the printed numbers will be different from the embossed numbers on the card. But does the merchant check for it every time?

But hold your breath. Even when the two numbers match, another technology is at hand to prove the genuineness of card. The reverse of the card where the customer signs has MasterCard or Visa printed in an oblique fashion. "This printing is very difficult to duplicate and serves as one more check to identify counterfeit cards," Mr. Duggal explained.
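The merchant-side and bank-side checks described above (delivery address against the issuing bank's record, a recent change of address, a punched-in sale with no CVC2 cross-check, and the printed four-digit number against the embossed number), written as a rule-based screen. This is an added example, not part of the original article; the `Order` fields, the flag names, the 30-day window and the sample orders are assumptions constructed for illustration.

```python
from dataclasses import dataclass

RECENT_CHANGE_DAYS = 30  # assumed review window, not a figure from the article

@dataclass
class Order:
    order_id: str
    entry_mode: str                      # "swipe", "keyed" (punched in) or "moto"
    embossed_number: str                 # number embossed on the card front
    printed_prefix: str = ""             # four digits printed below it, if captured
    cvc2_verified: bool = False          # CVC2 cross-checked with the issuing bank
    delivery_address: str = ""           # MOTO orders only
    address_on_file: str = ""            # issuing bank's record for the cardholder
    days_since_address_change: int = -1  # -1 means unknown

def normalise(addr: str) -> str:
    """Lower-case, drop punctuation and collapse spaces before comparing."""
    cleaned = "".join(c.lower() if c.isalnum() else " " for c in addr)
    return " ".join(cleaned.split())

def screen(o: Order) -> list:
    flags = []
    digits = "".join(c for c in o.embossed_number if c.isdigit())
    # Printed four-digit number must equal the first four embossed digits.
    if o.printed_prefix and o.printed_prefix != digits[:4]:
        flags.append("PRINTED_PREFIX_MISMATCH")
    # Stripe unreadable, details punched in, CVC2 never cross-checked.
    if o.entry_mode == "keyed" and not o.cvc2_verified:
        flags.append("KEYED_WITHOUT_CVC2")
    if o.entry_mode == "moto":
        if normalise(o.delivery_address) != normalise(o.address_on_file):
            flags.append("ADDRESS_MISMATCH")
        # A match proves little if the address on file was changed days ago.
        elif 0 <= o.days_since_address_change <= RECENT_CHANGE_DAYS:
            flags.append("RECENT_ADDRESS_CHANGE")
    return flags

PAN = "5123 4500 0000 0008"  # constructed card number, not a real account
ORDERS = [  # constructed sample orders
    Order("A1", "swipe", PAN, printed_prefix="5123"),
    Order("A2", "keyed", PAN, printed_prefix="5424"),
    Order("A3", "moto", PAN, delivery_address="12 Anna Salai, Chennai",
          address_on_file="7 M.G. Road, Bengaluru"),
    Order("A4", "moto", PAN, delivery_address="Flat 4, Park Street, Kolkata",
          address_on_file="flat 4 park street kolkata", days_since_address_change=3),
]

if __name__ == "__main__":
    for o in ORDERS:
        print(o.order_id, screen(o) or "clean")
```

Order A4 passes the plain address comparison and is caught only by the recent-change rule, which is the gap the article attributes to redelivering a card to a new address on a telephone request.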

As technology develops so do the types of frauds. Frauds were on the rise again after the introduction of CVC1, CVC2 and holograms. The latest fraud happening abroad is skimming. In simple terms it means catching the CVC1 data found in the magnetic strip using a wedge to a phantom terminal and transferring this to the fraud syndicate which manufactures a counterfeit card with this CVC1 data. Though skimming is not prevalent in India, skimmed cards are in circulation here. These are typically cards whose holders are based in Canada or the U.K. Why only Canada or U.K? Because these countries offer the biggest credits to customers and an ethnic Indian population with similar sounding names live there. Any doubt in the merchant's mind is thus eliminated.

MasterCard is on the job again and is testing an anti-skimming Magneprint technology to identify such cards. According to Mr. Duggal the magnetic strip containing CVC1 data emits a low intrinsic noise which can be measured using a special reader. Since formation of magnetic particles is unique to each card, the noise it produces also becomes unique. This noise goes to the host as an algorithm where the unique noise of the original card can be compared whenever the card is used. Skimmed cards can never match the magnetic particles of the original card. The technology is being pilot tested.

ACI Worldwide's neural network technology takes care when all the available checks and balances are defeated. Neural network looks at a customer's typical usage pattern and raises a flag whenever a strange usage appears. It is now for the bank to contact the customer and verify the usage. "Somebody can only steal my card but never my usage pattern. And neural pattern will always be there to alert me of any fraud," said Mr. Garrett confidently. But till such time that these checks are in place, only customer, merchant and bank education and compliance can help prevent any problem. "After all technology cannot eliminate frauds. It can at most only minimise it," Mr. Garrett reiterated.


R. Prasad


recently in Mumbai.