REDUCING FRAUD RISKS IN E-BANKING
AIJAZ A SHAIKH
May 2 - 15, 2011
E-banking has emerged as a very important mode of banking in Pakistan, where customers use state-of-the-art technology and alternate delivery channels such as ATMs, POS, Internet, mobile and phone (IVR) banking to perform both traditional and innovative banking transactions.
The various e-banking channels, being more tractable in nature, are getting a lot of attention from consumers. ATMs provide various financial and non-financial services. The prominent financial services offered through ATMs are cash withdrawal, utility bill payment, fund transfer and mobile top-up. Non-financial services include mini bank statements and balance enquiry.
According to the State Bank of Pakistan's quarterly report on Retail Payment Systems, e-banking transactions during the second quarter of Financial Year 2011 reached 56.42 million in volume and Rs5.5 trillion in value. After the addition of 172 ATMs, the total number of ATMs reached 4,734. Out of 9,483 bank branches in Pakistan, 7,036 (or 74 per cent) offer real-time online banking.
ATM FRAUD CASES
Among ATM fraud cases, the card-skimming attack is probably the most widespread crime that banks have been facing since the last decade. According to information available on the European ATM Security Team (EAST) website, a total of 4,629 skimming attacks were reported in European Union member countries for the period from January to June 2009, compared with 5,743 for the same period in 2010, an increase of 24 per cent in volume. For the same periods, skimming-related losses fell from 156 million euros to 144 million euros, a decrease of 8 per cent in value. As reported further, this is the largest number of such attacks reported in a six-month period since EAST first began recording these statistics in 2004. In Pakistan, banks have started reporting skimming cases, but their share in the country's portfolio of fraudulent transactions is still imprecise. According to information collected from the internet, skimming is growing in virtually every major city in the USA, Europe, Canada, Latin America and Asia.
Skimming is the fraudulent act of reading, copying and storing the consumer information encoded on the magnetic stripe on the back of an ATM, debit or credit card.
So far, the most effective anti-skimming measure in place is EMV (Europay, MasterCard and Visa). EMV is a global standard based on chip-and-PIN technology. Chip technology provides adequate protection to cardholder data since it is theoretically impossible to copy data from a chip. In Pakistan, due to growing skimming cases, banks have started issuing chip-based cards, but implementation of the standard is still in its infancy.
The evidence collected and processed after a fraud occupies a very important position. Broadly speaking, evidence is categorized as primary or secondary. For primary evidence, the ATM or system-based reports are generated and checked for verification, authenticity and the satisfaction of the complainant. Most complaints are resolved on the basis of information collected through primary evidence. Secondary evidence, such as event snaps and CCTV footage, is used in the most sophisticated crimes perpetrated on ATMs, such as skimming, card/cash trapping and Transaction Reversal Frauds (TRFs), to name a few. Secondary evidence provides lucid and undeniable confirmation of the nature of the fraud, the fraudster and the way the fraud was committed.
In Pakistan, consumers face great difficulty in getting evidence from banks after their accounts have been either mistakenly or fraudulently debited. Specific instructions or guidelines on protecting and archiving evidence are not available, which has multiplied consumer grievances. The following information will, however, arm consumers in resolving their e-banking-related complaints and fraud cases to a greater extent.
In case a cardholder receives partial or no cash from an ATM, this may immediately be reported to the concerned bank, preferably in writing or by calling its IVR (recorded line) number. Banking practice in Pakistan suggests that if a machine does not disburse any cash but debits the cardholder's account, the bank will automatically credit the cardholder's account. Submitting a written complaint is required only when the machine disburses a partial amount but debits the account with the full amount. The accountholder should be very vigilant in partial retract cases since, in most of these cases, primary evidence does not provide sufficient support and the bank's decision may therefore go against the accountholder. In this situation, secondary evidence usually provides decisive support to the legitimate complainant.
To avoid skimming of data on payment cards, the cardholder should not let the debit or credit card out of his or her possession in any case. At any merchant location where the card is accepted for payment, such as petrol pumps, restaurants and book shops, the accountholder may swipe the card on the POS terminal himself or herself, or allow the merchant to swipe it in front of the cardholder. Leaving the card unattended may compromise the data stored on the magnetic stripe, which will result in fraudulent transactions.
As an added security measure, it is advised to activate the SMS facility on all payment cards. Banks in Pakistan that offer payment cards also offer SMS alerts against a charge. Since SMS alerts explicitly mention the amount, date and time of transactions, they can effectively be used as evidence in case of fraudulent usage of lost, stolen or compromised payment cards, and alerts should therefore not be deleted immediately from the mobile.
In all these and other e-banking-related frauds, time occupies a very important position: in a few cases, it has been observed that while the primary evidence is being screened, the banks, due to limited storage capacity and IT infrastructure, overwrite the CCTV recording and delete the event snaps from time to time, which could otherwise be used in fraud resolution. The accountholder should therefore enquire about his or her complaint regularly and ask about the progress made.
(The writer of this article is the Joint Director Payment Systems Department, State Bank of Pakistan.)