"Online crime is getting bigger by the day and most fraudsters not only have access to your credit card numbers and IP address, they also know your personal information such as address, phone number and e-mail account," warns Nishanth Chandran, Co-founder and Executive Director of E-Billing Solutions, a payment gateway services provider which specialises in online risk & fraud management.
"With the help of technology, a carder committing a fraud from Chennai can easily conceal his IP address by inserting a proxy and pretend the transaction to be coming from London," says this computer science engineer, who feels cyber crime can be controlled if both the merchants and cardholders take precautionary steps.
In an exclusive interview to Sify.com, Nishanth shares his insights on some of the biggest challenges facing the card industry.
What should a person do if he finds certain transactions that were never done in the credit card statement?
In any online/offline credit card/debit transaction there are three parties: issuing bank, acquiring bank and the merchant. Usually the acquiring bank charges the customer's credit card through the issuing bank.
Hence, in case the cardholder finds a charge which he has not made, he has to immediately contact the issuing bank. The issuing bank will immediately start an investigation and the charge will be reversed.
What type of credit card fraud is most prevalent in India?
When it comes to credit card frauds, there are mainly two types: online and offline. In online, the card information is stolen and used without the cardholder's knowledge. In offline, the card is physically duplicated or skimmed. In the online case, as the person who is committing the fraud remains anonymous, the most commonly used way of identifying a transaction or an activity is from the IP address from which the transaction is done.
There are many databases available to identify the geographic location of the user. However, this has become a legacy system which carders can easily mimic by inserting a proxy, i.e., a fraudster from Chennai can easily pretend to be coming from London!
How does EBS software protect merchants against fraudulent transactions?
EBS takes fraud protection for its merchants seriously and we have a state-of-the-art risk management system, which conducts 600+ checks against each transaction to track the behaviour patterns of fraudsters. Most fraudsters will be having a pool of credit card numbers, IP or proxy address, personal information such as address, phone number and e-mail address.
With all this information, they try to place orders with e-commerce merchants. Our software identifies the patterns between all these transactions and flags the transaction before it is sent for fulfilment.
We have merchants who sell air tickets, movie tickets, digital goods such as software, where the fulfilment is real time, i.e., the ticket is issued instantly, to merchants who ship goods within 24 hours. We cover both the categories and fight fraud almost in real time.
When somebody steals a card and enters into fraudulent transactions, who is held liable - retailer, card owner or issuing bank?
It depends on what type of transaction it is, but in most cases it is the retailer who is liable for fraud in an online or e-commerce scenario. However, if the transaction is authenticated by 3D Secure, then it is the card-issuing bank which is liable to a certain extent, with some conditions attached to it.
What are the precautions a person can take to prevent credit card frauds?
Both the merchant and cardholders must take certain precautions.
Precautions for merchants:
- Check whether the billing and shipping addresses match, when selling tangible goods.
- Check if the IP address is from the billing location.
- Try to call your customers to verify if you see a high order value.
- Ask verification questions like nearest landmark from your place and verify it with Google Maps.
- Make a Google search of the IP address to see if it is present in any proxy websites. If you find it, it is better to cancel that order.
- Search your customer name or email address in social networking sites like Facebook or Orkut to verify their location.
- Ask your customer for a photo identity such as a driving license or a passport and verify it with the card name.
It may not be possible to check each and every order; however, you could do it for high value transactions.
Tips for cardholders:
- Never disclose your card number to anyone.
- Don't send the number to anyone through email.
- If any organisation is asking for a scanned copy of the card, provide only the front side of it.
- No banker will call you or ask for details like PIN number or CVV number; don't give this information. Bankers can validate with your credit card number itself.
- When entering credit card details in any Web site, check the credibility of the Web site. Check if you are on a https:// page which means Secure Socket Layer, an encryption technology, which securely transmits your credit card information to the merchant.
What is your view on the RBI's initiative in providing compulsory PIN number for online credit card transactions?
'3D Secure' complements the state-of-the-art risk management system of EBS, which checks across 600+ rules. RBI's new initiative suffers from many limitations, which may adversely affect businesses.
The new initiative requires the cardholder to remember one more password, which can again be sniffed by a fraudster by infecting computers with Trojans.
RBI's new regulation of mandating 3D Secure covers only Indian credit cards which account for just about 0.16 per cent of transactions compared with as much as 4 to 5 per cent of international cards.
The new system has quite a few drawbacks and the number of transactions has dropped down considerably. In many countries 3D authentication was made optional and in India too people should be given an option.
How can a person make sure that a site is secure before making any online transaction?
- While entering the credit card number see if you have "https" in the address bar of your browser.
- Look for logos or credibility certification such as Verisign, PCI, etc. in the payment page and click on those certificates to check if they are genuine and carry their business information.
In terms of security, where does India stand in comparison with other countries?
As far as Internet security pertaining to credit card data is concerned, India is at par with the global standards and we are seeing large corporations taking security seriously and implementing security standards. Some of the large corporates that have implemented our Risk Management System save around Rs 2.5 crore every month from frauds.