How banks know when your card has been hacked

Banks can’t fight online credit card fraud alone, and neither can you.

How to tell if your card is hacked

Online credit card fraud is on the rise in Australia, but pointing the finger at any one group won’t help. It’s an ecosystem problem: from the popularity of online shopping, to the insecure sites that process our transactions, and the banks themselves.

A recent report from the Australian Payments Network found that:

  • the overall amount of fraud on Australian cards increased from A$461 million in 2015 to A$534 million in 2016
  • “card not present” fraud increased to A$417.6 million in 2016, up from A$363 million in 2015
  • 78 per cent of all fraud on Australian cards in 2016 was “card not present” fraud.

“Card not present” fraud happens when valid credit card details are stolen and used to make purchases or other payments without the physical card, mainly online or by phone.

While these numbers may seem alarming, it’s important to put them in context. Australians are increasingly carrying out transactions online; the report notes that we made 8.1 billion card transactions totalling A$715.5 billion in 2016.

The shift towards online credit card fraud also comes at the cost of other types of fraud. Cheque fraud, for example, was down to A$6.4 million in 2016, from A$8.4 million in 2015.

Still, it’s fair to ask: are the banks doing enough to keep our details secure?

The banks and security

The banks currently have a range of measures in place to protect customers from card fraud:

  • Chip and pin: Australia mandates the use of “chip and pin” technology. This replaced the need to swipe the magnetic strip on credit cards and is recognised as being more secure.
  • Two-factor authentication: Many Australian banks use text messages or tokens that generate a unique, time-limited code to help verify the legitimacy of transactions.
  • Monitoring of customer habits: Australian banks typically have a complex set of algorithms that monitor the spending habits and transactions of their customers. They frequently have the ability to identify a suspicious (often fraudulent) transaction and block it.

Overall, Australian financial institutions are investing time and technology into the prevention of fraud. However, recent allegations that the Commonwealth Bank of Australia breached anti-money laundering laws suggest that the big banks are not immune from the problem.

Data breaches and malware

Credit card fraud is going where the action is.

According to the research company Neilsen, “nearly all online Australians have used the internet to do some form of purchasing activity”. This means that Australians are increasingly sharing their credit card details with companies around the world.

Large-scale data breaches are a common occurrence. Many organisations have been compromised in some way, including Australian companies like Kmart and David Jones. A variety of personal information can be exposed, and this often includes customers’ credit card details.

Batches of stolen credit card details can be sold on the dark web to other motivated offenders. In one UK example, such details were being sold for as little as £1 per card.

Offenders are also using different types of malware, or computer viruses, to obtain the personal information of unsuspecting victims. In many cases, this includes bank account and credit card details through successful phishing attempts (or spam emails).

The liability fight

Banks will generally refund customers for any fraudulent losses incurred on their credit cards. However, customer must take “due care with their confidential data”.

There is also an onus on the customer to check their credit card statements and notify their bank of any suspicious activity.

But this may not always be the case. In 2016, the former Metropolitan Police Commissioner in the UK made headlines for suggesting that customers should not be refunded by banks if they failed to protect themselves from fraud.

Instead, he argued that customers were being “rewarded for bad behaviour” rather than being encouraged to adopt cyber-safety practices, such as antivirus software and strong passwords.

These statements were met with anger by many advocacy groups who equated them with victim blaming. It was further exacerbated by a leaked proposal by the City of London Police to shift the responsibility of fraud losses from banks to the individual.

While this recommendation was never adopted, the tension may continue to grow when it comes to fraud liability.

Looking for answers

Pointing the finger of blame at any one party is not a constructive solution. Banks alone cannot combat online credit card fraud. Neither can their customers.

There are simple steps to reduce the likelihood of online fraud: having up-to-date antivirus software and strong passwords is an important step. There are sites such as haveibeenpwned that demonstrate how vulnerable and exposed our passwords can be.

Still, it’s difficult to protect against social engineering techniques used by offenders to manipulate victims into handing over their personal details. Not to mention, the risks posed by third-party data breaches, which are beyond the control of individuals.

The introduction of mandatory data breach reporting legislation in Australia in 2017 may have a positive impact. By requiring organisations to let their customers know when their personal information has been compromised, individuals can be proactive about cancelling cards, changing passwords and taking out credit reports to check for fraudulent activity.

Businesses also need to recognise the importance of protecting their customer information. It is critical to overcome the mentality that cybersecurity is simply a technology problem or an IT issue. It should be firmly on the corporate management agenda.

Fraud is inevitable, regardless of the technology being used. Collaborative efforts between banks, businesses, government and individual consumers must improve.

The Conversation

No one group alone can effectively end online credit card fraud. Nor should they be expected to.

Cassandra Cross, Senior Lecturer in Criminology, Queensland University of Technology

This article was originally published on The Conversation. Read the original article.



    To make a comment, please register or login
    13th Sep 2018
    "There is also an onus on the customer to check their credit card statements and notify their bank of any suspicious activity."
    This is when they are closing banks everywhere and they send out statements 6 monthly even though you have asked for them monthly.
    When you ask for a non paywave card or to zero its swipe allowance and it is no longer an option.
    When checking online banking frequently risks the chance of malware picking up your password etc.
    I would hate to take on the banks over a fraudulent claim. Its a one way deal.
    Old Geezer
    13th Sep 2018
    Just get a hold punch and punch a hole in your card to cut the RFID and then no Paywave.
    14th Sep 2018
    Credit card statements must be issued monthly if you're using the card - there's some confusion there.
    Don't be afraid of this paywave technology - IF, IF a fraud is committed because of a paywave card the bank WILL refund the money.
    Did you read the above story fully - frauds on cards may sound a lot ($534m) but as a percentage of transactions in dollars it only amounts to 0.074 percent. That's a very small percentage.
    13th Sep 2018
    It would be helpful if the website link to an accounts transactions gave more than 1 or 2 lines of information. Sometimes the company you bought from online is different to the one on the statement. A customer should be able to open a link to each transaction to get more detail to verify it is a legitimate transaction.
    13th Sep 2018
    100% correct kwdh. I went through the process of cancelling a transaction that I thought was fraudulent after checking my cc statement online. Turns out the item I bought from the shop which I had forgotten about was legit but the had different business names to the shop name!
    Old Geezer
    13th Sep 2018
    My bank has a link to open that shows more information.
    13th Sep 2018
    My husband and I have both bought a special 'gadget' called Armourcard that protects all vulnerable cards within our purse and wallet. This plastic device is the size of a bankcard and uses micro-jamming technology to prevent skimmers from getting our data. It protects credit cards, drivers licences, hotel keys and cell phones. It was invented by an Aussie. We feel the cost was worth it, particularly considering the heartache and cost incurred by identity theft. The scumbags are able to use mobile phones and other gadgetry to get the info. You have to press the button on the Armourcard when using 'wave and pay' to temporarily disable it.
    Old Geezer
    13th Sep 2018
    That is a gimmick and unfortunately doesn't protect you at all. I have seen cards information swiped through them.

    You can actually wipe everything with a cell phone too. Just ask cruise ship about all their wiped cruise cards.
    13th Sep 2018
    Bit of a waste of money when the bank will reimburse you for any loss and you have to replace it when the battery is flat in a few years.

    12th Jul 2020
    Friends you are boring in your free time then go to visit

    Join YOURLifeChoices, it’s free

    • Receive our daily enewsletter
    • Enter competitions
    • Comment on articles