Online shoppers beware

Never mind being mugged in a mall this festive season; fraudsters are moving online, and the banks can't exactly stop them.

By Nicola Mawson, Contributor.
Johannesburg, 30 Nov 2011

The festive season is upon us. That means long queues, shopping sprees, malls full of people driving trolleys into the back of innocent bystanders' heels, and a cash crunch come mid-January.

Money may well be safer under a mattress.

Nicola Mawson, deputy news editor, ITWeb

It is also likely to mean more people will opt for the convenience of shopping online. No queues, no last-minute panicked dashes to the mall, and at least you won't have to drive all the way to the store to check whether the item you want is in stock.

What could be better than relaxing behind a PC, or a smartphone, ordering nice gifts that will arrive via courier, saving the hassle of breathing in car fumes and wading through a sea of shoppers?

Personally, I'm not so sure that saving myself the hassle and going online is worth it.

Easy money

The festive feeding frenzy is also a time when criminals rub their hands in glee. As more shoppers move online, fraudsters won't even have to glove up; they can simply steal credit card details from somewhere and off they go.

I've recently heard of quite a few people who have suddenly received SMSes or e-mails telling them they spent thousands of rands online, when they did no such thing. I have been a victim of this type of fraud twice in the past few months.

Ironically, all the people I've spoken to, who have become unwitting victims of fraudsters, are very tech-savvy. They, and I, know better than to dish out information such as PIN numbers and the three-digit verification code on the back of cards.

Yet, SA's banking sector does not seem to be able to explain exactly how fraudsters are getting away with swiping people's details to buy goods online. Reasons I've heard from my bank range from: “you were phished” to “your card must have been scammed at an ATM”. Seriously?

Other explanations I've had include:

* Phishing kits are bought or fabricated by the fraudster.
* Victims are harvested through the Internet or other data sources, mainly for e-mail addresses.
* Victims are mailed a phishing e-mail requesting card credentials (card number, expiry date and CVC), as well as the “Secure Code” or Verified by Visa password.
* Harvested credentials are used to commit card-not-present fraud on e-commerce sites.

Blame game

Frankly, most of those are nonsense explanations that amount to shifting blame from the bank to the consumer, so they don't have to fork out for people's losses.

I can argue all of my bank's excuses away very quickly: I've never entered my details into a phishing site, I know better; I had never even used my credit card online; I had never used the card in question at an ATM.

Despite this, the bank has yet to tell either me, or the other people I know who have fallen prey to scammers, just how these crooks get away with this sort of crime.

Which leaves me to surmise my own answers: the banks either don't know, or even scarier, are powerless to stop this sort of fraud.

Net1, which owns EasyPay, has come straight out and said online shopping is not safe, because credit cards are based on a legacy system that has not really been upgraded in 50 years and the system is full of holes.

As far as EasyPay is concerned, the banks are just passing the buck because they are powerless to stop the problem.

EasyPay has been used as a channel by fraudsters to rip off unsuspecting people. It's simple: steal credit card details, buy electricity through the site, and sell it at a discounted rate. Voila - pure profit.

EasyPay argues that it abides by all the rules and has a valid security certificate that is up to date, and can't be held liable because it's done nothing wrong. The problem, it says, is with the outdated credit card system that simply has not kept up with the times.

Oh sure, now there's chip and PIN. But, when the little chip is defaced, the card defaults to the magnetic strip anyway, allowing people with card skimmers to carry on with business as usual.

And yes, there's also Visa's 3D Secure and MasterCard SecureCode, which are once-off online validation systems implemented by the card giants. That's super, I validate my card once, and then someone steals the details and can shop without the need for anyone to double-check that I'm me. Nice.

The problem with these systems is that the banks have put in all they need to from their side and can then wash their hands of any problems.

Follow the money

Yet, there is some hope for consumers. Banking ombudsman Clive Pillay previously explained banks can't always prove a customer has entered a fake site, and sometimes don't act quickly enough to prevent further fraud after the phishing has started.

The ombud's office awarded R2.16 million to consumers who were the victims of phishing attacks last year, and the single biggest payout was R289 000.

However, what has yet to be explained, in a way that makes absolute sense, is how this fraud is really happening. The question is, are there enough audit trails for banks and merchants to follow the money?

My experience indicates banks can't follow the trail all the way back to when the card details were compromised, because I simply have not had any feedback, months after lodging a proper fraud case with the bank.

Money may well be safer under a mattress.

As far as I'm concerned, the banks are letting all of us down, and they are doing so at a time when fraud will pick up. It is the silly season after all.
