Play your cards right to avoid a scam

Illustration: Colin Daniel

Illustration: Colin Daniel

Published Jan 26, 2014

Share

If you have received an email about a courier who stole R40 000 out of a customer’s bank account in a counterfeit card scam, don’t panic – it’s a hoax, the South African Banking Risk Information Centre (Sabric) confirmed this week.

Although it’s based on an actual scam that took place in Australia about six years ago, there have been no reports of anything similar happening here. But that does not mean that you shouldn’t take heed. Counterfeit card scams are a problem, Clive Pillay, the Ombudsman for Banking Services, says.

The latest data from Sabric shows that:

* Counterfeit credit card fraud losses increased by 27 percent last year and contributed 39 percent of the overall credit card fraud losses in 2013;

* Card-not-present fraud losses increased by 16 percent last year and contributed 48 percent of the credit card fraud losses in 2013; and

* The banking industry’s losses due to fraud perpetrated with South African-issued credit cards increased by 22 percent last year.

The hoax story doing the rounds shows how easy it is to fall for a scam, and how counterfeit card fraud happens. The story circulating goes something like this: a consumer gets a phone call from someone claiming to be from a courier company. He asks the consumer if she will be at home to receive a delivery, which requires a signature. He later arrives at her home and presents her with a gift of flowers and wine. The deliveryman can’t tell her who the gift is from, but claims that a card will be delivered separately.

He then asks her to pay a “delivery verification charge”. He says this is a fee to prove that he delivered the package to an adult of legal drinking age. She believes him and offers to pay the R30 fee in cash. But the deliveryman says the courier company takes payment by credit or debit card only – for accounting purposes and for the safety of courier staff. Couriers are less likely targets for robbery if they are not carrying cash, he explains. She believes this, too.

Her husband takes out his bank card and the deliveryman inserts it into a card-reading machine. He is prompted to enter his PIN.

Apparently, the card-reading machine “skims” the card details off the magnetic strip on the card and this information is used to clone the card. The cloned card is then used over the following few days to steal R40 000 out of the consumer’s bank account.

The writer says they reported the case to the police, “where it was confirmed that it is a scam and several households had been similarly hit.

“Warning: be wary of accepting any ‘surprise gift or package, which you neither expected nor ordered, especially if it involves any kind of payment as a condition of receipt … Above all, the only time you should give out any personal credit or debit card information is when you initiated the purchase or transaction. Pass this on. It may just prevent someone else from being swindled.”

Personal Finance forwarded the email to Sabric, the Ombudsman for Banking Services and the big four banks.

Kanyisa Ndyondya, the media manager for Sabric, says no such incidents have been reported to our law enforcement agencies, and directed Personal Finance to a website called Hoax Slayer. According to the website, a scammer used this scheme in Sydney, Australia, in November 2008 and was apprehended and charged. Similar schemes have been used by criminals elsewhere in the world. However, the warning that is circulating derives from the 2008 version, and there are no police or media reports to suggest that the scam is currently in use, the website says.

Pillay says scams like this one highlight the importance of protecting not only your PIN, but also your card. Never let your card out of your sight when making payments, even if you have a “chip-and-PIN” card. A chip-and-PIN card is one that has a microchip embedded in it, and to use the card you have to enter your PIN. The micro-chip stores information used to verify the authenticity of the card and your PIN. The information on the microchip cannot be stolen in the same manner as that on the magnetic strip.

The “vast majority” of South African-issued credit cards are chip- and-PIN enabled, according to a Sabric report titled “Card Fraud South Africa 2013”.

However, these cards still have magnetic strips, which means that data can be stolen off them, Kalyani Pillay, the chief executive of Sabric, says.

While it may be possible, there have been no reports of counterfeit chip cards, Pillay says.

In his book Essential Guide to Payments, Walter Volker, the chief executive of the Payments Association of South Africa, says that, as long as there are ATMs and point-of-sale terminals that are unable to read the chips, “magstrip will remain the fall-back alternative to chip card technology”.

This explains in part why some retailers still swipe the new type of card. Pillay says another reason chip-and-PIN cards have magstrips is so that they can be used in countries that are not yet “EMV-compliant”. (EMV stands for Europay, MasterCard and Visa, and it is a global standard for chip cards.)

She says that if you have a chip-and-PIN card, you should insist on it being inserted, not swiped, when transacting in South Africa.

Roy Pillay, senior manager for card fraud at Nedbank, says that if you still have an outdated magnetic-strip credit card, you should go to your bank and demand a chip-and-PIN card.

Because of the enhanced safety features of chip-and-PIN cards, the banks are also replacing magnetic-strip debit cards with chip-and-PIN enabled cards.

The Sabric report warns that:

* Counterfeit card fraud facilitated by the theft of card data through card skimming remains a threat;

* Card-not-present fraud will continue to increase, as seen in European countries after chip-and-PIN cards were introduced;

* Bulk cardholder data continues to be compromised through the infection of computer networks by malware; and

* Lost and/or stolen card fraud will increase, as seen in other EMV-compliant countries.

Definitions

* Counterfeit card fraud is fraud perpetrated with a card that has been illegally manufactured using information stolen from the magnetic strip of a genuine card.

* Card skimming is the copying of encoded information from the magnetic strip on your card. Fraudsters use the data to encode counterfeit, lost or stolen cards. Cards can be skimmed at ATMs or at points of sale, which is why you should never take your eyes off your card while transacting and never accept help from anybody at an ATM. Hand-held skimming devices are usually small black pocket-sized objects that fit into the palm of the hand. ATM-mounted skimming devices are difficult to recognise because they are made to match the look and feel of the ATM. Therefore it is advisable to inspect the ATM machine and cover the PIN pad with your free hand when entering your PIN.

* Card-not-present fraud happens when neither the card nor the cardholder is present when the transaction is conducted – for example, when orders for goods are placed telephonically and when purchases are made over the internet, by mail order or fax. Retailers are unable to physically check the card or the identity of the cardholder during such a transaction. The card user becomes anonymous and is able to disguise his or her true identity.

Related Topics: