Debit Card Fraud in India: How safe is the Debit Card?

About The problem

In the news sometime back it was shown that SBI had blocked about six lakh debit cards after it suspected a malware-based breach was detected in an ATM network outside the bank’s purview. About 30-32 lakh debit cards are learnt to have come under threat of potential fraud after an ATM security breach through malware infestation. According to media reports, the payment systems of Hitachi Payment Services were infested with malware that helped miscreants to steal personal information and do fraudulent transactions.

Affected banks, cards

Cards issued by State Bank of India, HDFC Bank, ICICI Bank, YES Bank and Axis Bank as "worst affected". The cards, as per the report, include 2.6 million of Visa and MasterCard and 6 lakh of RuPay cards.

What is a card Debit/Credit card fraud?

Debit/Credit card fraud is a wide-ranging term for theft and fraud committed using or involving a payment card, such as a credit card or debit card, as a fraudulent source of funds in a transaction. The purpose may be to obtain goods without paying, or to obtain unauthorized funds from an account.

Mechanism of the Fraud:

Skimming

This is a more technical mode of duping. The common cardholder hardly can do anything against such tactic. In the Skimming the fraudster plants a small skimming device in the debit card slot of the ATM machine. The skimming device read the magnetic tape information of the card when the card goes through the skimming device. With the copied magnetic information, the defrauder can reproduce a duplicate card (on any plastic card) to be used later to withdraw cash. In order to access the PIN, the fraudster also installs a small camera at the ATM kiosk that can capture the ATM pin when it is entered by the cardholder.

Card swapping

Card swapping is another form of ATM-related fraud. When a customer visits a merchant establishment, a shopping mall, a restaurant or a petrol pump and uses his/her debit card for transaction, the attendant (fraudster) notes down the ATM PIN when it is keyed in by the customer. Later, while returning the card to the customer, the attendant swaps the customer’s card with a dummy card that is identical to the customer’s card. Since the customer is unaware of the swapping, he secures the dummy card whereas the fraudster gets both the card and the PIN which he uses to withdraw cash till the card is blocked by the customer. The fraudsters keep several dummy cards of various banks and depending upon the card provided by the customer for the transaction, they pull out a similar card and hand it over to the customer. Since most customers don’t check if the returned card is theirs or not, the fraudsters are successful in cheating the customer.

Keypad jamming fraud

Keypad jamming fraud is one of the common method followed by fraudsters to steal money. The modus operandi of defrauder involves jamming both the ‘Enter’ and ‘Cancel’ buttons on the ATM machine by applying glue or by inserting a pin or blade at the edge of the button. So when the customer tries to press the ‘Enter/OK’ button after entering his ATM PIN, the key does not function and the customer can’t proceed with his transaction. At this juncture the customer thinks that the machine is not working and tries to cancel the transaction, which also does not go through as that button is also jammed. Thinking that the transaction is cancelled, he leaves the ATM machine. As soon as the customer leaves or is prompted to visit the nearby ATM machine, the fraudster takes over the machine and since the transaction is active for around 30 seconds in most cases (some banks have reduced it to 20 seconds), he keeps the transaction active by pressing some functional buttons and in the meantime removes the glue or pin from the ‘Enter’ button to go ahead with the transaction. The fraudster then withdraws the cash from the customer’s account, leaving the customer unaware of the fraud till he checks the message from the bank.

How much loss to the Customer?

According to Reserve Bank of India (RBI), banks are responsible for security of the debit cards they issue. “Hence, in case of any monetary loss on account of breach of security or failure of the security, the bank is liable to bear the loss,” RBI says in a circular on debit cards. The bank is liable if there has been a failure of its systems and infrastructure resulting in fraud. According to the RBI, if a transaction has taken place without the additional factor of authentication and a customer has complained that the transaction was not affected by his/her, the issuer bank will reimburse the customer.

What should the customer do when fraud take place?

As a customer when you know about the unauthorized transaction of fraud, there is no need to panic. Only you have to immediately inform the bank about the loss. If the bank is not intimated the bank cannot be held liable for the fraud. You can report the fraud at any time of the day but immediately after you come to know about it. Once you report the loss, it is the bank’s responsibility to stop further use of the card. If the cardholder is found to have been negligent, he/she will have to bear the liability. In a recent draft circular on customer protection, RBI has mentioned the liability of the customer:

Liability of a Customer in case of Fraud:

Steps taken by banks (Source: RBI)

The breach happened sometime between May and July. Banks have been alerting customers to change the security PIN or even replacing the cards. Bankers have told the news papers that all measures being taken are to safeguard the system against any potential threat.

Steps taken by RBI

The central bank is taking the matter very seriously and is looking into the issue. According to the Times of India, the infested systems have been quarantined and inspected; the affected cards have been spotted. The RBI has also asked banks to inform it about any suspected fraud immediately, the report said.

What are the precautions the customer should take?

Set a limit on you card. You can do it using net banking. With the limit you could minimize the fraud up to that limit.
Change your personal identity number every six months or as frequently as possible.
Update you mobile number and email ID with the bank: It would update you to know every transaction in your account. RBI also mandates banks to send online alerts for all card transactions so that a card holder is aware of transactions taking place on her card.

Dos and Don’ts of ATM transactions

Conduct your ATM transactions in complete privacy, never let anyone see you entering your Personal Identification Number(ATM Password)
After completion of transaction ensure that welcome screen is displayed on ATM screen
Ensure your current mobile number is registered with the bank so that you can get alerts for all your transactions
Beware of suspicious movements of people around the ATM or strangers trying to engage you in conversation
Do check if the card given to you by the merchant after completion of the transaction is your card
Look for extra devices attached to the ATMs that may be put to capture your data
Inform the bank if the ATM / Debit card is lost or stolen and immediately report if any unauthorized transaction
Check the transaction alert SMSs and bank statements regularly

Don’ts