My debit card was cloned recently. Someone made a purchase worth over £200 from a Tesco Supermarket in Goole, Yorkshire (155 miles from my home) last month on a Saturday afternoon while I was at home in London with my debit card inside my wallet inside my house. I only noticed 5 days later when I was checking my online bank statement. I called my bank and told them I didn’t make such purchase at that Tesco branch on that date. After answering all the security questions, I was put through to the fraud department and was told that my debit card was cloned. The criminals even knew my PIN because my PIN is stored inside the magnetic strap at the back of my card. I was really upset and angry while also was feeling a little stupid I should have noticed the cloning device added to the slot of the ATM machine.
Every single day, 1 in 3 credit / debit card users have fallen as victims of card fraud. PIN ‘n Chip and Password can no longer protect us. Have financial institutions considered a more secured way to protect their card users? If not, I wonder how much time left before credit / debit cards become historical artefacts for display at museums.
The vulnerability of PIN and Chip has already been demonstrated through my personal experience having fallen into a victim of card cloning.
There is always a straightforward answer: “Don’t use cash then.” But before we embark to a total cashless society, I believe people, like me, still want to carry some cash around. I particularly prefer to pay cash at restaurants so that I make sure the tips will go directly to the waiting staff. If I pay by card, my tips would just be sucked into the billing system. Some waiting staff told me that they never get the tips if customers pay by card !!
So, I still need my debit card. How do I as a customer and the financial institutions as the card providers reduce, better still, and prevent card fraud?
Customer’s responsibilities:
· Be vigilant when using ATM, check any additional device attached to the card slot.
· Check whether there is an “additional” keypad on the top of the original keypad to copy your PIN code
· Survey up and down, right and left around the ATM to see whether there is an camera or video recorder pointing to the key pad to film the PIN code
· After withdrawing the cash, remain at the ATM for a couple more seconds to wait for the key pad to cool down as criminals can use thermal camera to capture the keypad and the thermal photo can show which 4 numbers have been pressed through the warmer temperature transmitted from our fingers. If possible, use a glove to press the PIN code
· If after all these measures and unfortunately your card is still cloned, please report to the Action Fraud (National Fraud and Cyber Crime Reporting Centre) online. I did that and also passed my crime reference number to my bank
Financial Institution’s responsibilities:
· Introduce 2-way authentication. Don’t just rely on PIN ‘n Chip. For example, additional random 6-digital PIN code generated by a token is required after the 4-digit PIN code is provided on the ATM
· Check frequently Insiders’ activities. It is not uncommon financial institution staff members steal data for criminality. For example, AI analytics to alert the anomaly of user behaviours to track down criminal activities amongst staff members
· Enhance Cyber Security by using the Cyber threats scanning to check external cyber-attack to the organisation’s systems to steal customer data
· Endpoint detection by checking the vulnerability of the ATM machines both physically and virtually
· Forensic examination if the ATM machines / network / internal systems have been attacked and data have been compromised
Law Enforcement’s responsibilities:
· It has been 2 weeks since I reported to the Action Fraud and I still have not heard from them. Are they working with the financial institutions to investigate the fraudulent cases? Have they tracked down and arrested the criminals? Why haven’t they kept me, the victim, informed?
· Police should work with the victims and financial institutions to take the criminals to justice
~~~~~~~~~
Disclaimers: This article was written entirely based on my personal opinions. It has nothing to do with either my current or previous organisations I am / was employed by.
~~~~~~~