Banking security has been a very hot topic as of late after two major systems glitches disrupted technical operations at two leading Philippine banks, BPI and BDO. Representatives of both banks had to testify at the Senate and reassured the lawmakers and the public that customer data remains safe and that the situation has always been under control at any point in time.
But how safe are our transactions really?
Part of the move toward more secure banking environment is the shift toward the European MasterCard Visa (EMV) chip technology for card transactions. The BSP extended their deadline from January 1, 2017 as originally set, to June 2018 for issuing EMV-compliant cards to all clients. Local banks frequently claim that credit card fraud will largely be eliminated by the shift to the EMV technology and away from the old magnetic stripes on all credit cards.
So why are there still so many fraudulent transactions being reported even though most of the big banks had by now shifted to the new technology?
Let’s first have a quick look at the different types of card fraud, as cited below. The better you understand how scammers can use your data, the more measures you can take to protect yourself.
• Lost or stolen cards: Report and block your card immediately to minimize any damage.
• Account takeover: This happens when a fraudster gets access to the personal information of a cardholder and reports a lost or stolen card to the bank then obtains a new card in the soon-to-be-victim’s name.
• Counterfeit cards: When a card is “cloned” from another and then used to make purchases. In Asia Pacific, 10 percent to 15 percent of fraud results from malpractices, such as card skimming, but this number has significantly dropped from what it was a couple of years ago, largely due to EMV.
• Collusive merchant: When merchant employees work with fraudsters to defraud banks and customers. A popular method is to swipe the card twice, once through the payment terminal and once through a skimming device that collects all data from the card. The stolen card is often sold to a fraudster on the “darknet.”
• Card-Not-Present (CNP) fraud: Credit card fraud can be perpetrated against you if the account number and expiry date of your card are known. The fraud may be by way of mail, phone or internet and does not require your physical card to be present, unless the merchant requests the card verification code. To ensure the card works, a criminal may attempt to process a small transaction. Scrutinize your bank statements for these types of charges. They are often only the beginnings of a major fraud attempt. This form of fraud has been on the rise since the rollout of the new EMV technology.
Cards with only a magnetic stripe are more prone to data theft because the data on the stripes is not encrypted and static. Fraudsters could easily skim data off your cards, embed the details onto a blank card and use it for all kinds of transactions. EMV is going to be safer in that regard as the chip holds your data encrypted and creates unique transaction codes that cannot be used again. If a hacker stole the chip information from one specific point of sale, typical card duplication would never work because the stolen transaction number created in that instance wouldn’t be usable again and the card would just get denied.
When the UK, one of the earliest adopters of EMV technology, switched to the technology, it saw a 75 percent decrease in credit card fraud at brick-and-mortar stores over eight years. Fraud, however, did not disappear but merely moved to online transactions, more elaborate ATM fraud, and to other markets where EMV technology was not yet in use. MasterCard recorded a 54 percent drop in counterfeit fraud costs among its EMV-ready merchants from April 2015 to April 2016. Conversely, they also saw a 77 percent increase in counterfeit card fraud year-over-year among merchants who had not yet moved to EMV, or were in the process of doing so.
This is where the banks have clearly failed to educate their consumers. In fact, banks and credit card issuers primarily benefit from EMV. Retailers who do not adopt EMV readers (or are using the old point-of-sale terminals) leave consumers susceptible to curb fraud. Due to the high cost of most EMV readers, many small businesses are unable to adopt them. These merchants still require customers to swipe their cards, which means they are not yet taking advantage of the chip-technology.
Even more important is to understand the EMV fraud liability shift that also benefits banks but creates a headache for the smaller merchants. If a merchant has not yet updated his payment terminals to be able to accept EMV-compliant cards, the merchant would be liable for the fraudulent transaction. This can be very costly for smaller merchants who want to offer card payments but have not updated their systems with the latest technology.
A very popular way among scammers trying to obtain credit card information in the Philippines is through the public networks. If you connect your phone or laptop to such a network in, for example, a hotel or a restaurant, be very careful with entering personal information. Understanding how your payment cards work is the first step toward protecting yourself from fraud and to actually enjoy the convenience of electronic payments.
Moritz Gastl is the managing director of MoneyMax.ph, a financial comparison website aiming to help Filipinos save money through diligent comparisons of financial products.