Is your e-Money Safe?
Undoubtedly, there is sufficient information out there to scare you from using your debit/ credit card. We’re not here to add to that. We’re here to give you the much needed advice and information from the experts. India is considered one of the fastest growing markets in the world.
Average businesses prefer money on paper in the form of cheque or better still cash. However latest statistics show the trend is now changing. Both online credit card usage and real word plastic money is on the rise.
We spoke to Deepa Thomas, Senior Manager, Corporate Communication, eBay India to find out the trends they see in their visitors. According to her, “Although online buying in India is still in a nascent stage, it is growing at a promising rate of 38 per cent according to figures by JuxtConsult. Today 8 million people transact online, with 38 million still ‘window shopping’. 15 per cent of Indians are now transacting online. According to the Internet and Mobile Association of India, the e-commerce market in India is worth Rs. 9,800 crores.” Window shopping online is an interesting subject. You don’t even have to bother stepping out of your house. 380 lakh people visit shopping sites. This means they’re interested in buying online, but either don’t have the instruments to trade, or don’t trust the web site enough. Why is that?
Tricks of the black trade
1. Spyware: Spyware is malicious software that gets downloaded to a computer without your knowledge when you visit a web site that is either malicious, or has been compromised. Spyware programs run in the background and record information in real-time as it is being typed into a web site by a user. The software can store the information locally on the computer or forward it to a remote malicious computer.
2. Key logger applications: These are slightly more sophisticated spyware applications that can record a user’s key strokes as they are being typed on the keyboard. They can capture sensitive information such as passwords or credit card numbers even when a web site and browser have set up a secure, encrypted channel of communications.
3. Proxy servers: Proxy servers are like filters through which all the internet connections in a cyber café are sent. Based on the various settings within the proxy server, data from unencrypted browsing sessions can be captured. This could lead to personal user information tracking that can be extracted from web sites and stored for later use.
4. Phishing: With this rapid growth in the online space, you have two ways of being duped. You’ll either be scared to revealing critical personal information or enticed into greed. Phishing is a rising menace. Thomas adds, “Don’t fall for those millions you’ve won in lottery from far off Sierra Leone. In fact, these days, in what is known as social engineering, scammers track your movements and are now using cellphones, emails as well as phone calls to connect with you and get you trapped.”
Remember to check for the genuine signs of a true and verified web site. We came across one such spam email of a site that tricks you into revealing your details of Punjab National Bank. After the uninformed bait enters his/her vital information, the page directs all the information to an IP address based somewhere in Australia, before returning the home page of Punjab National Bank. We got in touch with the Head Office of Punjab National Bank in Delhi, but the response we got was these emails were common and people should be educated about it.
Online has its own advantages
It would be unfair to blame the online shopping space for scams and frauds. There are stringent measures in place to prevent users from logging in fraudulently. This has been a blessing in disguise for online shopping. It’s easier shopping with a stolen card than it is to commit fraud online. Recently, the Reserve Bank of India has made it mandatory for all transactions online to be registered by either credit service providers — Visa (Verified by Visa) and MasterCard (MasterCard Secure).
Essentially, all credit card users in India would have to register with their banks and be assigned an additional password to serve as one more level of added security.
At any point in time, eBay India has around 3,50,000 items available that you can sort by price, make, style and several other factors – all in the comfort of your home. Ebay is protected by PaisaPay, which differs slightly from PayPal. While PayPal is a wallet of sorts that behaves as an interface between your bank accounts/ credit/debit cards and the merchant, PaisaPay is a secure payment gateway exclusive to eBay India. With PaisaPay, all your information to and from Ebay India’s servers is encrypted, and secure. Besides, you can also track the status of your order through SMS.
We spoke to Rajiv Chadha, VP, Veri-Sign who shared some startling figures with us — “38 per cent of Internet users in India do not use different passwords for multiple log-ins. A minuscule five per cent adopt virtual keyboards to log in their details. Merely 11 per cent of internet users in India look out for the authenticity of the web site by looking at the security provider. Only as many as 32 per cent internet users in India create a secret question that only they can answer. As many as 83 per cent Indian internet users do not look for secure web sites (https:). Only 9 per cent of internet users in India are aware of green URL bars as the sign of a secure web site.”
It doesn’t end there. By being so casual about financial matters, Indians are just staying vulnerable to scams online. Mr. Chadha added, “There are many ways in which compromised credentials can be used fraudulently — and without the end-user’s knowledge. It is very important to also note that these activities might not occur immediately after the information is captured. The information could be sold to different parties and can be used over a long period of time”. This makes it all the more important to be aware of the various ways in which personal information can be captured and take precautions to lower the risk.
You can email spoofs@ebay.com and mention any seller you feel cannot be trusted. All intimations at this id are shared with the Indian Computer Emergency Response Team (CERT) which is a watchdog that alerts users of frauds and infections and attacks we need to be aware of.
If you have an online account, an internet banking account, or a credit/ debit card then ensuring privacy and safe custody of the card and log-in details is your responsibility.
Tips to Stay Safe Online
If you missed out on the list of security features to identify a trustworthy web site, have a look at this quick checklist.
- Avoid following links when it comes to shopping online. Always key in your own URL. It is better not to follow search engines when it comes to transacting online.
- Never share any personal or financial information on a non-secure web site.
- Always personally verify email pleas to donate or plans of earning a quick fortune (even if it be from a known person).
- Always ensure your transactions occur with an encrypted connection.
- Look out for a golden lock on the bottom of the screen, and https: in the address bar.
- When online users equipped with current versions of Internet Explorer, Firefox, Safari, Google Chrome, Opera and other browsers visit a site protected by EV SSL Certificates, the top address bar turns green and displays the name of the company operating the web site. This green bar offers immediate reassurance that they’ve reached a site whose authenticity has been verified by a certificate authority such as VeriSign, the world’s leading EV SSL certificate provider.
- Never respond to emails of urgency. They’re usually phishing.
- Block all spam emails you receive.
- Regularly login to your online banking accounts to check for any suspicious activity.
- Do not sync your financial passwords with your regular email passwords.
- When using a public computer, restrict browsing to information-only web sites such as news sites. Avoid accessing any e-banking, e-brokerage, e-commerce web sites that require you to divulge personal information such as usernames or passwords.
- Never store usernames and passwords in Internet Explorer
- Use an up-to-date anti-virus program, and ask the cyber cafe attendant on a public computer to check the toolbar to ensure it is safe.
- Always logout from transactional web sites to be sure your safety will not be compromised after you have left the system.
- Finally, clear browsing history and cookies after your session.
Be The Wise Consumer
As Arun Saxena President, International Consumer Rights Protection Council advises “always read the fi ne print. Rather than being driven by your instinct to own a credit card, remember the interest rates associated with credit.” A smart tip he gives us is to strike out points that could be used against us on the printed agreement. As he puts it, credit card companies live on consumers defaults, without which they wouldn’t be able to survive in this competitive market.”
Avoid shopping for high value products from online shopping web sites that you don’t trust, as you can never be sure of the final product being delivered. Saxena feels “for low value items, eBay seems to be a good web site because your payments are safe through PaisaPay. But it is preferable to buy from a mall as you can touch, feel, and see the color and working of the unit you are buying.”
He adds, “Keep your credit card account, Savings account and Loan account in different banks so that they cannot take out money from another account.”
Credit Card Insurance
Some credit card companies provide insurance at very low premium rates. We spoke to customer support executives of a few banks. The HDFC Bank executive said they have recently stopped all such theft insurance services and that we could get any relevant information we need from the bank’s web site. According to the web site, by informing the 24-hour customer care, any fraudulent transaction is borne by the bank. When we spoke to Citibank, we were informed that they do have a theft insurance program, but that it is a relatively new service. They haven’t received any reports of theft or loss arising after starting this service. Also, they advise the consumer to inform them of the loss and get the card blocked. Simultaneously, they conduct an internal investigation on their own and stay in touch with the relevant authorities.
Security Tips
Security tips from the American Federal Trade Commission to avoid card frauds
- Sign your cards as soon as they arrive
- Keep an eye on your card during the transaction, and get it back as quickly as possible
- Save receipts to compare with billing statements
- Notify card companies in advance of a change in address
- Report any questionable charges promptly and in writing to the card issuer
With plastic money fast replacing cash transactions, what if your card falls into the wrong hands? Of course the bank will disable the card as soon as you intimate. But it’s this interim time period that we’re concerned about.
There are certain safety measures that have been built into the system. Possibly the most fool proof of them all is having a photo debit/credit card. If the mug shot on the card does not match the person handing over the card, counter staff can easily figure out if something is amiss.
The second important safeguard is in the form of a PIN number that has to be entered each time to validate a transaction. Again there are a few banks such as SBI that offer this facility. But the most basic protection is the signature at the back. You would’ve probably noticed a block print underneath the box on the rear of the card that says AUTHORISED SIGNATURE — NOT VALID UNLESS SIGNED. This needs to be taken seriously, as the signature is a low tech first line of defense against credit card misuse. However it needs to be implemented to be effective. Do merchant establishments that have card swiping machines, ever match signatures? We decided to put this to test at some of the biggest technology stores in the hope that we’d be proved wrong. We chose large technology retail chains based on a simple logic — outfits dealing in high value products that are on the cutting edge of technology, need to up hold technological safeguards right? We created several scenarios to test real world security measures in the area of electronic transactions. We went to four different electronics retail stores throughout Mumbai. At their disposal, were two debit cards, both of which were unsigned. In fact one was a photo id card. This is worth mentioning because two operatives couldn’t look have looked so unlike each other even if they tried. When the undercover operatives used the cards they made no attempt at forging the signature of the card holder. Instead they simply signed their own names.
Target 1: Reliance Digital Store, Vashi
The store had very few customers and there was no queue near the payment counter. We used the unsigned card at this location. The clerk behind the counter went about completing the transaction without bothering to even flip over the card to verify signatures (in this case there was none). The name that was signed was drastically different from the one that appeared on the card.
Alertness — Nil
Target 2: Tata Croma, Vashi, Navi Mumbai
Here we used a signed debit card. The counter person had the card with him for quite a while but there was no effort to verify the signatures. As soon as the printed slip was signed the slip was returned without any kind of verification.
Alertness — Nil
Target 3: eZone, Bombay Central
Here we used a photo debit card. Strangely, the card was in the possession of the counter staff for close to five minutes. In the whole time, no one bothered to look up and verify the photograph. The counter person noticed however that there was no sign on the rear of the card and asked the customer to sign it, but the matter wasn’t enforced. Although in this case the staff was slightly more alert than the other times, it was only pointed out after the transaction was completely over.
Alertness — Somewhat
Target 4: Tata Croma, Lower Parel
Here again we used the unsigned card with the photo id. Neither the signature nor the photo was verified at any point of time. There was no sort of verification whatsoever. The transaction was quick.
Alertness — Nil
Implications
This raises a lot of questions. Are merchant outlets so eager to affect a sale that they don’t really care where the money comes from? Besides, what are the protections in place for the consumer if his card is stolen and purchases are made from the card. Abroad, if the card is stolen and used, the credit card company reverses the charge (once the user complains) and the merchant has to prove that the owner of the card actually used it. If the merchant cannot prove it then he has to pay a heavy fi ne. The credit card user is protected as long as he reports the loss and contests the charge on the bill. On MasterCard’s India Learning Center web site it is stated that “As a Master- Card cardholder in India, most card issuers will not hold you responsible for unauthorized purchases charged to your account, after the card issuer is notified of any loss, theft or disclosure relating to your card. If you discover any loss or theft, or suspect unauthorized activity on your account, stop using your card and contact the issuer immediately.”
There are legal issues here too. Apart from the extent of punishment a fraudster receives it is important to know whether the merchant establishments are required to verify or cross cheque the signature. We asked Karnika Seth, Attorney at law, and Chairperson of the Cyber Laws Consulting Center what the situation is from a legal standpoint. “As far as the imposter or person who impersonates the rightful holder of the card is concerned, he could be charged under Section 416 of the IPC and liable to punishment under Section 417 with imprisonment for a term of 1 year or fine or both. The actual holder of the card may also be guilty of contributory negligence if he had negligently kept the credit card which was then misused by the accused. As regards the merchant, he may not have an explicit obligation to check and verify the identity of the card holder unless specified in the contract with the card issuer. But under Torte law there is a duty of care. An hence it is in their own interest to check as if there is a credit card fraud, the merchant loses the goods or services sold, the payment, the fees for processing the payment, any currency conversion commissions, and the amount of the chargeback penalty. Usually, a credit card company will not be liable in such a scenario unless it acts negligently by not blocking the card when once an immediate notification of card being lost is made to the Bank. The banks generally bear the ‘zero liability’ on lost card clause” she said.
On Master Card’s Indian web site it is clearly mentioned that “retailers must follow specific data security requirements in order to accept MasterCard cards. MasterCard Worldwide rules and recommendations apply to all transactions – whether they occur in a store, online, or over the phone.” Under the card fraud checklist there is specific mention of comparing signatures. “The back of the card must be signed, and the signature should reasonably compare to the cardholder signature on the sales receipt. Check to make sure that it has not been taped over, mutilated, erased or altered in any suspicious manner. The word “Void” on the signature panel indicates that the signature panel has been tampered with.”
There is also the possibility of asking for photo identity for transactions. It is worth noting that at one of the establishments we noticed a board stating that photo identification will be required for purchases above Rs. 7,500. We wonder if this will work since here customers might get anywhere from offended, annoyed and even embarrassed if they’re asked for identification.
What about those little slips that you sign? How do they fi t into the whole process? Are they ever checked? In fact we decided to go ahead and try this out and the picture says a lot doesn’t it? We signed “Mc Donalds Rocks” at a Kentucky Fried Chicken (KFC) outlet. The person behind the counter looked at the signature and still continued with the transaction.
We began to wonder if this problem is unique to India. Turns out the situation is no better in the US either. We came across a hilarious blog (zug.com) in which a frustrated customer by the name of John Hargrave, went to great lengths to answer the question “How crazy would I have to make my signature before someone would actually notice?” He then goes on to narrate a rib tickling tale complete with pictures, of how he put down signatures ranging from mindless doodles to elaborate grids, musical notes and in one case hieroglyphics depicting a snake, birds and mountains, in an effort to elicit some sort of reaction. Not once was he questioned. Not once did he hear from his card issuers.
From our own experience too we are beginning to wonder if the entire signature process is a useless mechanism designed to make you just feel safe, like security checks at malls. Perhaps the safety measures in the online world are actually better. We’ve written to each of the retail chains we made purchases from to understand this issue further. We’re yet to get a reply.