Be sure to play your cards right


Most people are aware of the dangers of skimming, but the criminal’s current favourite is the lesser known ‘card-not-present’ fraud, which accounts for 80-85 per cent of losses, writes AOIFE CARR

WHEN EAMONN CARROLL* lost his job at the beginning of April this year, he received a small redundancy payment. He lodged the payment to his current account to make sure ongoing obligations such as his mortgage, health insurance and utility bills were paid.

“I figured I would move some of the money to a savings account in due course, but wanted to research the best options available, and obviously wanted to have money in my account given I had lost my income and have a family to support,” he says.

Carroll last checked his account on April 11th and, due to various circumstances, not least a problem with his home computer, did not check his account again until April 23rd, by which time just under €10,000 had been taken from it in various fraudulent transactions using his Laser card number.

“I was stunned. In total there were 70 transactions all made online using the long number on the front of my card. I was told subsequently by my bank that this was obtained by copying the magnetic strip on the back of my card with a swipe device, probably in a shop or restaurant,” he says.

“At first, there were three to four fraudulent transactions a day, but when they realised they hadn’t been noticed it ramped up to eight to 10 a day. The transactions consisted of 13 Leap Card top-ups worth about €1,500 as well as various mobile phone top-ups worth about €700. There were large one-off purchases of electrical goods, car parts, groceries and clothing, a number of money transfers and a couple of large sterling purchases.”

“What I thought most unusual were the €300 worth of pizza and take-away orders, all made over the final weekend before I noticed the fraud and acted. In total, just under €10,000 was taken, but almost €3,000 was credited back to my account by vendors who suspected or detected fraud.” Carroll was not contacted by his bank, Bank of Ireland, to alert him to suspicious activity on his account.

“When I reported the fraud, the manager in my local branch of Bank of Ireland told me a copy of the magnetic strip on the Laser card was made, most likely at a retailer or restaurant, by swiping my card through a reader device. This gave criminals the ‘long number’ on my Laser card, which can then be used online where a pin number is not required. When reviewing the fraudulent transactions, the bank could distinguish between those made in this manner and those genuine transactions where a pin number was used by me,” Carroll says.

“The bank told me it’s likely the stolen card details were made available to a number of ‘customers’ of the original criminals, rather than all the transactions being made by a single individual.”

Once Mr Carroll made Bank of Ireland aware of the fraud, they were quick to act and his account was refunded in a matter of days. On reporting the fraud to his local garda station, the garda on duty said it was the biggest fraud of its type she had ever encountered.

Una Dillon, head of card services and communications with the Irish Payment Services Organisation (Ipso), says this kind of “card-not-present” fraud is now the most common incidence of fraud, accounting for 80 to 85 per cent of losses.

“A person’s card details are stolen and goods are bought online. The good news for the consumer is that the onus is on the retailer to prove that you made the purchase. Internet retailers need to put preventative measures in place to protect themselves,” she says.

In other words, if you see a transaction on your account that you don’t recognise, you contact your bank to dispute the transaction and the obligation is on the person who accepted the transaction to prove it was genuine.

However, a tool called 3D Secure offers more peace of mind by protecting your credit or debit card from unauthorised use online, according to Dillon.

Developed by Visa (Verified by Visa) and Mastercard (SecureCode), it enables you to verify that you are the actual cardholder in a similar way to keying in a pin number at a point of sale. You can register for 3D Secure by contacting your bank or card issuer.

For retailers, 3D Secure is vital. According to Visa and Mastercard, more than 30 per cent of all payment card transactions are now carried out online so it is vital that retailers protect themselves against fraud.

3D Secure is launched through the retailer’s website and interacts with both the cardholder and their card issuer. When customers are checking out, a window appears asking them to enter a unique, personal code that has been registered with their bank or card issuer. The bank then authenticates the cardholder and provides the shop with evidence of the online purchase.

Where fraud occurs, if an online retailer is registered for 3D Secure at the time of the transaction, the card issuer is liable for the fraud and not the retailer.

Visa debit cards and Mastercard debit cards are more secure than Laser cards as they support 3D Secure.

Asked about Mr Carroll’s experience, a spokeswoman for Bank of Ireland said she could not comment on specific cases but added that any losses occurring on customers’ accounts as a result of proven fraudulent activity would be refunded in full.

She said while there had been no significant change in the frequency of card skimming, customers need to monitor their accounts regularly, protect their pin numbers and keep their cards protected.

Bank of Ireland does provide real-time transaction monitoring on its credit cards that checks for suspicious and unusual activity. It is currently rolling out Visa debit cards to its customers to replace the existing Laser debit cards and there will be real-time transaction monitoring on these cards. The full roll out will be completed in a number of months, according to the spokeswoman.

Permanent TSB has already replaced Laser cards with Visa debit cards and there is 24/7 monitoring in place to identify and respond to certain types of card activity, a spokeswoman for the bank said. “Our guidance is always for customers to also regularly check their accounts as they are best placed to identify what they deem irregular. We contact customers regarding activity on their cards where information is available to suggest irregularities,” she said.

A spokeswoman for Ulster Bank said the bank monitored all payment card transactions to prevent fraud and protect customers. “Where we identify unusual activity we take appropriate action including contacting the customer where possible,” she said. Ulster Bank migrated from Laser to Visa debit cards in 2009 and 2010.

AIB says it actively monitors both debit-card and credit-card activity on customer accounts and will contact customers to verify transactions, according to a spokeswoman. Visa debit cards are being introduced this year to its customers, she said.

A garda spokesman said debit and credit card fraud “comes in waves”.

“As one method of fraud evolves, it is detected and it stops and then another type emerges. All you can do is follow the basic rules of protection. Keep your card in sight at all times in restaurants and retailers and protect your pin number,” he said.

* name has been changed


Card-not-present fraud: This is now the most commonly reported incidence of fraud accounting for 80-85 per cent of losses. A card holder’s details are stolen and are used to purchase goods over the phone and online.

Counterfeit card fraud (skimming): Skimming occurs when the genuine data from the magnetic stripe on a credit or debit card is copied without the cardholder’s knowledge. Skimming devices can also be attached to an ATM machine. A false keypad may be used or a miniature camera may be hidden to capture the user’s Pin number. The normal transaction takes place and the user does not lose their card. The information obtained may then be used to produce the counterfeit cards; the details can also be used to carry out fraudulent card-not-present transactions (see above).

Shoulder surfing: The original and simplest way of obtaining information. It involves simply looking over a person’s shoulder at an ATM and memorising their PIN. It is teamed with an ability to get data from your card, a device that swallows your card or simply stealing your card after your PIN is obtained.

The Lebanese loop: A rather primitive device that is fitted to an ATM card slot – a small fake card slot and a loop of plastic – that seizes the customer’s card, which is then collected by removing the device.