Thursday, December 22, 2016

Surviving a credit card fraud- my experience

In between my various travel activities, my credit card was compromised and someone started using it to make international purchases. Thanks to ICICI Bank's super-efficient fraud detection software and a well-defined process, the issue has been tackled. This post explains my experience going through it, and reading it might help you prevent a similar incident happening to you.

Background
•    I am a careful and sensitive user of credit cards. I seldom let websites store my credit card details and I always key in the details myself, though it is not very convenient.
•    Though my bank keeps sending me SMS stating I am eligible for an increased limit, I have been refusing it, since my current limit is more than enough for me.
•    I am aware of most of the phishing attempts done by tricksters and have been able to avoid them all these years (I am using cards for close to 10 years now)
•    Because of my occasional international travel, I have used my card for international transactions. While RBI mandates a secondary authentication by means of OTP etc., no such mandate applies to international transactions. Once the merchant has your card details, he can keep charging you at will, without your consent or additional authentication like OTP (I have experienced this with Balibikerental.com and Tiger Air Australia). This is a very risky proposition, as any misuse is hard to dispute and fight back. International transactions remain the biggest vulnerability/loophole in my credit card usage.
The fraud
On an early morning of Oct 2016, when I woke up at 4 AM, about half a dozen transaction alert notifications had flooded my mailbox. My sleep went for a toss as I studied the transactions; I had not executed any of them. They were multiple small-amount transactions ranging from USD 1 to Euro 20 to USD 79, together totaling about INR 10000. Obviously the thief was smart enough not to try any big-value transactions, as such transactions are easily picked up by fraud detection software or the card may not have the limit. All transactions happened late at night (10.32 to 11 PM), the time of day when one is likely to be least attentive: either asleep or maybe partying etc.

It was clear that my card had been compromised. I called ICICI customer care right away to block the card. I was told that their fraud detection software had already flagged my card for abuse and had temporarily suspended it, preventing further transactions. On my call, the staff member said that he could get the card permanently suspended and that I needed to call after 7 AM to speak to the disputes team and request a new credit card.

Today banking software has evolved well to pick up suspicious transactions (by amount, location, merchant, frequency etc.) and take proactive measures to prevent further damage. Thanks to the software boys and girls. Without this feature, the thief would have continued all night with hundreds of low-value transactions.
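As an added illustration (not the bank's actual software, and not code from the original post), here is a minimal frequency rule of the kind described above, run over constructed sample transactions shaped like the burst in this post. The thresholds, dates and merchant names are assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

HOME_CURRENCY = "INR"           # assumption: card issued in India
WINDOW = timedelta(minutes=30)  # assumption: look-back window
MAX_SMALL_FOREIGN = 3           # assumption: more than this many in WINDOW is suspicious
SMALL_AMOUNT = 100.0            # assumption: "small" = under 100 units of foreign currency

# Constructed sample data: a 1 USD validation charge followed by a burst of
# small foreign-currency charges, as in the alerts described in the post.
FRAUD_BURST = [
    ("2016-10-15 22:32", "USD", 1.00, "wallet-validation"),
    ("2016-10-15 22:36", "EUR", 20.00, "merchant-b"),
    ("2016-10-15 22:41", "USD", 79.00, "merchant-c"),
    ("2016-10-15 22:47", "USD", 12.50, "merchant-d"),
    ("2016-10-15 22:53", "EUR", 9.99, "merchant-e"),
    ("2016-10-15 22:59", "USD", 30.00, "merchant-f"),
]
# Constructed sample data: ordinary spending by a travelling cardholder.
NORMAL_TRAVEL = [
    ("2016-10-10 09:15", "INR", 450.00, "fuel"),
    ("2016-10-10 13:05", "USD", 45.00, "bike-rental"),
    ("2016-10-10 13:50", "USD", 12.00, "cafe"),
    ("2016-10-11 19:20", "USD", 60.00, "hotel"),
]

def first_suspicious(txns):
    """Index of the transaction at which the rule fires, or None.

    txns: (timestamp, currency, amount, merchant) tuples sorted by time.
    """
    recent = deque()  # times of small foreign-currency charges inside WINDOW
    for i, (ts, currency, amount, _merchant) in enumerate(txns):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        if currency == HOME_CURRENCY or amount >= SMALL_AMOUNT:
            continue  # this rule only counts small foreign-currency charges
        recent.append(when)
        while when - recent[0] > WINDOW:  # drop charges older than the window
            recent.popleft()
        if len(recent) > MAX_SMALL_FOREIGN:
            return i
    return None

def declined_after_suspension(txns):
    """Transactions that would be refused once the card is suspended."""
    i = first_suspicious(txns)
    return [] if i is None else txns[i:]

if __name__ == "__main__":
    print("burst flagged at index:", first_suspicious(FRAUD_BURST))
    print("declined:", len(declined_after_suspension(FRAUD_BURST)))
    print("normal travel flagged:", first_suspicious(NORMAL_TRAVEL))
```

A single rule like this is coarse: a real system combines several signals, and a threshold set too tight also blocks genuine use.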

I called them later in the day. I was offered a replacement card and transferred to the disputes team. I confirmed to the disputes team that I didn’t perform these transactions, nor did I receive any product or service against them. I was asked to send a letter stating that these transactions were not performed by me: sign it, scan it and mail it to the disputes team. I agreed and asked why transactions were going through without OTP or secondary authentication. I was told that OTP is needed only in India and that international transactions go through if the merchant provides the card number, expiry date and CVV number correctly. Any merchant with whom you have transacted once will have these details, even if you chose not to save the card details on the merchant website. It is a big risk doing international transactions with your credit cards. We should stick to reputed companies and hope that card details will not be abused or compromised.

My last international transaction was with BaliBikerental.com, from whom I had booked a Honda Scoopy. I am not sure if I should blame these guys for somehow, knowingly or unknowingly, compromising my card details, or whether the thief got them from somewhere else.
The resolution
The bank registered my complaint and said they would raise a dispute with the merchant. There will be a gap of several weeks before the transaction happens and money is actually credited to the merchant by Visa. Banks and VISA would have agreements with merchants for dispute scenarios like this: if the merchant agrees, the transaction will be reversed. If the merchant insists that he has already provided a service, then it gets tricky. Usually if a product/service is involved and it is not yet delivered (for example a phone or a hotel booking), then merchants won't have any basis to say they won't co-operate. Sometimes when a service might have already been delivered (ex: paid online gaming session or download) merchants may resist. But usually they cooperate; for a few dollars they don't want to get a bad name.

In my case, the bank credited back the entire transaction amount in good faith. However, the dispute process went on for months. Most of the disputed transactions have been fully reversed by now.

The PayPal connection
I did some research on my own on each of the transactions.

One of the transactions, the first one, was at PayPal. The thief had used PayPal to validate the card by making a 1 USD transaction. I called PayPal and informed them that whoever used this card is a cheat and his/her account needs to be suspended. But the PayPal executive on the phone was not mature enough to comprehend the severity of the situation. I even logged a written complaint through their website, but haven't received any response so far. I think PayPal doesn’t really care if the payment is legitimate.

The other merchants where the transactions were done were all outside India or didn’t really have an online presence through which to trace them and alert them to the fraudulent usage. For a successful fraud, fraudsters would need help from merchants as well: either they use the stolen card details to buy something quick from genuine merchants or, in most cases, set up fake companies and do big transactions, so that once banks pay the merchant, the entire money can be pocketed.

I got my replacement card. I am good for now, and hope this card stays secure longer.

ICICI Bank’s social media team also helped to the extent they could. But there wasn’t much value add/need for their intervention, as the disputes team did the work with good efficiency. The social media folks did some extra coordination/follow-up, which was nice. On one occasion, my pre-paid balance was running low, so I asked if they could call back. The disputes team said "No, they can't call back". I had to recharge, call again and repeat the story. It looks like only the social media team has the authority to call customers, but their call is usually unnecessary if the core teams work efficiently.

What Banks can do more
With the great push for cashless transactions, there are now dozens of new ways to make payments. We should now be more careful than ever, as not all parties will have genuine intentions and not all apps/systems/networks will be safe all the time to offer protection against online fraud. Read below to find out what can be done by banks and customers to prevent credit card fraud.

Banking software is getting smarter day by day against fraud. It can detect unusual activities, flag a transaction and temporarily suspend a card if it is used for questionable transactions repeatedly (as happened in my case). I am very happy that ICICI Bank has commissioned the best of the technology available for this purpose (I think they use Infosys’s Pinnacle). In many cases, if a card is used in a high-risk country, banks proactively replace the card to pre-empt any risk of abuse. There are two more things banks can do, in my opinion.

Banks can offer the following measures to customers for better security:
-    Let customers control their limit. For example, I may have a 1 lakh credit limit. But if I am not planning any high-value transactions, I should be able to set the credit limit much lower, say 20k. This way, even if my card details are compromised, the most anyone can use will be up to 20k. Much less risk. Whenever I am planning a high-value transaction, I can log in to internet banking, increase my limit, perform my transaction and then reduce the limit.
-    Make OTP mandatory even for international transactions if the customer is fine with it.

What can be done by customers to prevent credit card fraud?
  • Do not save card details on merchant websites. You never know which website will be hacked when, and your details may reach the wrong hands. It might be inconvenient, but keying in the details for each transaction is safer.
  • Ensure that email and SMS alerts for your card usage are active and working.
  • Avoid international transactions if possible. If not possible, transact only at reputed websites.
  • Avoid making banking transactions over unsecured public Wi-Fi, at a cyber cafe or in open places where the data you enter might get compromised.
  • Never share your card details with anyone through any medium.
  • Get a second credit card with a much lower limit and use it for high-risk international transactions.
Pay it safe, Play it safe. 

7 comments :

dhiru guri said...

My experience has been quite different with auto blocking of credit card on suspicious use. Last time around, when we had gone on a trip to Aurangabad, I had used my credit card to make payment to the hotel for the accommodation for 4 days, which was a little above 10k. ICICI Bank thought someone was using my card and blocked it permanently. I got a mail the next day saying that my card had been blocked and a new card was on its way to my residence in Bangalore. We had to survive the rest of the trip without a credit card. Hope the money is recovered back.

Durga Prasad Dash said...

I think OTP should be made mandatory. As we are moving towards less cash society, online frauds may increase.

Shrinidhi Hande said...

@DPD- Yes

@Dhiru- yes, I have heard of similar stories.

Amit Misra said...

You have provided very useful information. Thanks a lot!

Shrinidhi Hande said...

You're welcome

Bhushavali N said...

As soon as I made a cash withdrawal in Europe, I got a mail from my bank asking me to confirm if it was me!

Shrinidhi Hande said...

@Bhushavali - Good Bank.. yes, the software is smart enough to detect possibly fraudulent usage