Paying petrol bill with your card? Watch out

Hackers around the world are getting innovative. From skimimng and cloning your credit card, to making fake sites; from using stolen cards on them to using new online trading models, the cyber thieves are working overtime to hack into your bank account.

If you think that giving your credit or debit card to a petrol pump attendant or a restaurant waiter is safe, think again. Chances are that it would be ‘skimmed’ and ‘cloned’ into multiple cards by the time you reach home, warn security experts. Card thieves are using magnetic stripe readers and encoders which are easily available in the market for $250-$600. While a card reader can read the data on the magnetic band of your credit or debit card, an encoder can encode it on to any plastic card with a magnetic band, even a normal hotel room key.

Says network security management company Appin’s founder director, Rajat Khare, “All credit cards can be cloned by simply inscribing cards with a similar magnetic band just like a hotel number is fed into a magnetic room key. These kind of card frauds are becoming common.” Banks are advising customers to subscribe to mobile alerts. ICICI Bank card products head Sachin Khandelwal said, “We have a 45% market share with about 8.5 million credit cards in the market. The percentage of card frauds is low at about 4 basis points of all transactions. Nevertheless, we shoot an SMS alert for every transaction above Rs 2,000 to all our customers. Skimming of credit cards is generally done when a customer places a mail or phone order transaction.”

In additions to mobile alerts, HDFC bank also provides an extra security layer for all credit and debit card customers. Through this facility, the cardholder can create his own additional password, which provides an additional security layer for all On-line transactions, said HDFC Bank credit card marketing head Parag Rao.

Another kind of credit fraud happens even before a new card has been received from the bank. If you have just received a new credit card from the bank, but discover that it already has a charge attached on it, don’t be surprised. Credit card number generators are freely available online (on sites like http://www.brothersoft.com) which claim to generate card numbers of various companies starting from ‘5’ (Master Card) or ‘4’ (Visa) or other digits. It also generates 13, 16, 18 or 19 digit card numbers. These generators use the same algorithms like `Luhn formula’ used by government agencies and banks to generate numbers.

“In one case, a hacker managed to crack the algorithm of a bank’s credit card generator and sold hundreds of numbers online. So even before the fresh card came into customer’s hands, they already had a charge on them. In another case, a credit card hacker set up a site and started using stolen card numbers to provide downloadable images and managed to siphon off about $2 million,” Mr Khare adds.

E-commerce portals have also become safe trading havens for hackers. It works like this: A hacker enters the stolen card number and CVV (card verification value) number, as mentioned on the reverse of the card, into an e-commerce site and buys a product. The payment is made but the buyer doesn’t take the delivery immediately. He gives the delivery date – of generally a week to 10 days. During this time, the hacker posts his costly buys (from the stolen card) on the portal for sale obviously for an even lower price. As the hacker gets a customer for his product, offered at a jaw dropping price, he gives the customer’s address as the delivery address, on the same or other portal.

He receives cash from the final customer in an electronic cash account or an escrow account from where he converts it into hard cash.

Thus during the entire transaction the hacker can manage to cruise through without leaving a trace. Says IT risk and consulting firm Mahindra Special Services Group Captain Raghu Raman, “Most hackers try and steal small amounts–just 2-3% of a monthly transaction to avoid getting caught. In large transactions, the banks usually call and ask the customer immediately to cross check whether a transaction was done by him. Hackers are also using card numbers to get a subscription or download a costly software which they in turn sell it online.”

Transacting on the web with your credit card may not be 100% safe, say net security experts. They suggest to use your credit cards only sites which are Https (Hypertext Transfer Protocol over Secure Socket Layer) and direct the transaction webpage to a payment gateway. Deleting cookies and browsing history from your computer after a transaction might also help prevent the cyber thief stealing your card number.