Travelling regularly makes you more vulnerable to credit card fraud. Jenny Southan reports on how you can protect yourself.
Every day, it is estimated that £1.2 million is lost through card fraud in the UK. Phoning your provider in a cold sweat after discovering your account wiped out or payments you’ve not made is something many of us have experienced at some point. Fortunately, card companies have a legal obligation to reimburse you – including interest or charges incurred – but it is not a nice feeling and sorting it out can be highly inconvenient.
On average, one in three people have been a victim of card fraud, but a recent poll on businesstraveller.com revealed that among our readers it is higher – about 60 per cent. This is probably because frequent travel requires more online transactions and card payments in restaurants, bars, petrol stations and shops overseas, where skimming can be a problem.
Business travellers are also likely to have more credit cards than the average person, so are at an increased risk of phishing, pharming and mail interception. In the first half of 2012, plastic card losses abroad on UK-issued cards amounted to just over £46 million, a 17 per cent increase on 2011.
Reader feedback on our web forum sheds light on the kinds of scams people have encountered. Poster PierreAntoine writes: “My Visa was copied and, in two days, my account reached e8,000, when my bank called me. My Amex was copied twice – once in Buenos Aires with expenditures reaching e1,200 and once in Ukraine for e700.”
ThomasK writes: “Our cards are normally issued in the US and then sent to Asia [but] can easily be identified by dishonest people in [the] post office. All they have to do is sign them and then go shopping. Since these are replacement cards they are already authorised and the digits and numbers the same. I had people buy jewellery and gold in Dhaka, then on Biman Bangladesh Airlines for duty-free and in Hong Kong.”
JamesMaloney5 writes: “My card was cloned at a very upmarket restaurant in Kuala Lumpur on December 22 [before being] used on December 23 to buy a small amount of petrol. [This is] standard operating procedure, I am told, to check the card is valid before moving on to either sell the details or spend with it. Then [it was] used at a department store in Sydney on December 24 to buy goods to the value of £6,000.”
According to trade body the UK Cards Association (UKCA), online banking fraud amounted to almost £22 million between January and June 2012, a 28 per cent increase on the same period in 2011, while the number of phishing websites has increased from more than 20,500 in 2008 to over 111,000 in 2012.
The good news is card fraud losses are lower than ten years ago, despite the peak seen in 2008. Why is this? A UKCA spokesman says: “The fight against internet fraud has been aided by the increasing use of sophisticated fraud screening detection tools by retailers and banks, as well as the continued growth in the use of [online fraud prevention solutions] American Express Safe Key, Mastercard Secure Code and Verified by Visa. The vast majority of this type of crime involves the use of card details that have been fraudulently obtained through methods such as skimming, hacking into retailers’ data connections, or through unsolicited emails or telephone calls.”
Although the roll-out of chip and PIN has reduced card fraud in the UK, many countries – such as the US – have not yet introduced it. The UKCA says: “The majority of fraud abroad typically occurs as a result of criminals stealing magnetic strip details from UK cards to make fake cards for use in countries that have yet to upgrade to chip and PIN. This type of fraud has dropped significantly in the past three years, though, partly owing to banks’ fraud detection systems, which monitor for unusual spending patterns and stop potential fraud before it happens.”
Another measure being taken is the introduction of “matrix display cards” with a tiny built-in keypad battery and LCD screen. In autumn 2011, Visa announced its Code Sure credit card featuring a tiny screen on the back – it makes online payments more secure by generating a unique PIN number every time you use it. In November, Mastercard launched a similar product in Singapore, with plans to roll it out globally from 2013.
At the same time, criminals are becoming more inventive. While credit card providers are integrating RFID tags (indicated by a wifi-type symbol) into cards for fast, PIN-free contactless payments, this new technology has opened up a new way for hackers to steal your details – all they have to do is purchase a cheap reader and pass it over your pocket/wallet/bag and it will store your information instantly. This can then be used to produce a clone in a matter of minutes. How can you protect yourself? Buy a protective aluminium-lined wallet (Tumi is bringing out a range of ID Lock bags and accessories in spring 2013) or wrap it in tin foil – just don’t risk microwaving it, despite what some people have suggested on the internet.
The trade in stolen details and cloned cards is being further enabled by the mysterious cyber underworld of the “dark web” or “deep web” – a hidden layer of the internet that is not indexed by conventional search engines and is reputedly 5,000 times bigger than the World Wide Web.
Anyone willing to go through the time-consuming task of accessing it (you need to download, among other things, special free anonymity software such as Tor, which blocks your IP address) will discover credit cards, drugs, guns and even assassins available for sale via untraceable online black markets such as the Silk Road. But not everyone will be using it to buy illegal items – the dark web is also used by Wikileaks and people in countries where access to the internet is restricted. It has been reported that about four million people log on to Tor every day, a figure that is said to have doubled in two years.
The Serious Organised Crime Agency (SOCA) declined to comment on the dark web beyond saying:“SOCA and its partners are aware of the so-called ‘hidden’ areas of the internet, and have the capability to investigate organised criminal groups seeking to exploit them. It remains vital that businesses and individual members of the public take steps to protect their computers and personal information. Get Safe Online [getsafeonline.org] offers information on how to do so.”
How do you know if your card details are up for sale online – be it through the dark web or illegal “carding” sites that are searchable on Google? In all likelihood, you won’t, even if you discover you are a victim of fraud – this is because of the authorities’ hesitation in being open about such matters and the fact that this type of fraud is so hard to trace.
However, in April 2012, the FBI managed to seize three dozen carding sites as part of a two-year investigation with authorities, including those in the UK, Germany, Romania and Australia. It said more than 2.5 million “items of personal and financial information” were retrieved from now defunct sites such as mynickshop.us and vncards.org.
But it will probably only be a matter of time until others pop up.
Is there anything else you can do to protect yourself? Myles Stephenson, chief executive of Corporate Pay, suggests using its prepaid top-up card, which is not directly connected to a bank account. “Consumers can use it in the same way as a credit card but with a limit to the funds available so if it is stolen, there is a cap on how much can be spent,” he says.
Five top fraud scams
Which.co.uk explains five key types of card fraud and advises on how to combat them
CARD SKIMMING
This is where thieves attach a camera to cash machines to record your PIN number and card details. Alternatively, a corrupt employee in a bar, for example, might be able to capture your magnetic strip details by secretly passing it through a card reader when you’re not looking. Which.co.uk says: “Check the ATM for unusual protuberances. Be aware of others around you. If someone is behaving suspiciously or makes you feel uncomfortable, choose a different machine. Insist that your card is not taken away for swiping in shops, restaurants and petrol stations.”
CARD NOT PRESENT (CNP) FRAUD
The most common type of card fraud in the UK is where criminals obtain details from online transactions and then make purchases over the internet, phone, fax or mail order. Schemes such as Mastercard Secure Code and Verified by Visa, which thousands of retailers have signed up to, are designed to combat this. If you register a private password for use when shopping online, you’ll be asked for it when you make a transaction.
PHISHING
This is when scammers send out fake emails that appear to have come from your bank, asking you to submit account details and passwords on a bogus version of the bank’s website. A bank or credit card company would never ask you to do this, so be suspicious. It may also take the form of an unsolicited phone call, with the caller asking you to “verify” personal information. Which.co.uk writes: “Never reply to emails or click links in emails, even if they look like they’re from your bank. If you are called by your bank, check its normal contact numbers to confirm whether the message is genuine.”
PHARMING
This can occur when you try to log on to your bank account, triggering a computer virus to redirect you to a fake website, where you will be requested to submit your details. This happens when there is no “SSL” (secure sockets layer) padlock on the browser. The pharming site may or may not look the same as the legitimate site. Which.co.uk writes: “The only way to beat pharming attacks is to install, and regularly update, virus and firewall software. When you log into your account, check that the web address is correct before entering your details. Always log off properly from sites and web browsers, especially when using a shared PC. Don’t do your online banking from an internet café or over a public wireless internet hotspot as your details could be intercepted.”
MAIL INTERCEPTION
Anyone living in a communal property with shared letterboxes is at risk of this type of fraud. Criminals who have access to your paper bills or statements only have to take them to then use the information to make purchases online. Which.co.uk writes: “Cancel any old cards you don’t use and close any accounts you aren’t using. Ask your bank not to send you unwanted credit Wcard cheques.” You should also switch to paperless banking if possible.
