Credit Card Fraud – What is it? And How can you protect yourself?

This article is aimed at the regular Joe and Jane. I will avoid going deep into useless technical details and/or using technical terms. I have posted a very condensed version of this article as a reply to a post on Sep 29th on the Dirham Stretcher Facebook group. My aim is to answer the 3 main questions below to help the regular Joe and Jane avoid being a victim of credit card fraud in their daily life.

  1. What is credit fraud?
  2. How is credit fraud committed?
  3. What steps can you take to reduce the risk of being a victim of credit card fraud?

Credit and debit cards are becoming an essential tool of daily life in developed countries, and especially in the UAE. The role they play has grown at an explosive rate, especially after Covid-19. With the lockdowns and the work-from-home environment, ordering things online (food, clothes, etc.) has become a way of life for so many. With the explosive growth in the number of credit and debit card holders comes the increased risk of being a victim of credit card fraud. So, what is credit card fraud?

So you may ask, how is this possible? How can someone steal my card? How can someone use my credit/debit card to purchase stuff without my sole authorization?!

To answer these questions, we need to understand that to buy anything online in the UAE, all that is needed is the following:

  • The credit/debit card number
  • The expiry date
  • The CCV

Please note I underlined UAE above. I did this on purpose, and the reason will be explained below when discussing the different vectors of attack.

To answer your questions, please allow me to explain how credit/debit cards are stolen in simple terms without going into the technical part of it. Simply put, there are 3 vectors of attack used by any attacker to get your card's data.

The 1st vector of attack is the owner of the card and the way he/she uses their cards. The 2nd vector of attack is the technology used in today’s cards itself (think contactless cards, for example). The 3rd vector of attack is a mixed bag and is partly outside the card owner's control, as it also depends on the merchants themselves. I will briefly explain each vector of attack.

Attack vector 1 – The human factor

As with any technology, the weakest link is the operator, also known as the human factor. If you are used to handing over your cards to waiters, gas station personnel, etc. to process your payments, then it is no longer a matter of if but rather a matter of when.

If you have the habit of leaving your cards out of your sight, then there is a 50% chance of your card being copied every time it is out of your sight. With that kind of probability, you can’t be lucky 100% of the time.

The only defense against this vector is to NEVER leave your cards out of your sight and NEVER hand your cards over to anyone to process your payment.

The same approach applies to how card owners handle calls and/or SMS messages pretending to be related to their cards. For example, NEVER answer any security questions from any caller claiming to call from any bank you are dealing with, even if the caller references an issue that you personally reported. What you must do is tell the caller: “Please update the ticket and I will call the authorized bank phone number and check your update.”

NEVER click on URLs embedded in SMS messages and NEVER answer security questions from incoming calls regardless of how dire the situation sounds.

Attack vector 2 – The technology factor

The technology used in today’s cards introduces more risks than many really understand or anticipate. With NFC and contactless cards, for example, all an attacker needs is a card reader that sweeps close enough to your card to read all its data.

The only defenses against this vector are:

  1. Get an RFID/NFC-protected wallet that blocks your card from being read by any RFID/NFC type reader while it is in your pocket.
  2. Use technologies like Apple Pay and Samsung Pay.

Attack vector 3 – The dark forest

This is one of the trickiest vectors of attack. When we shop online today, we tend to assume certain things. For example, if the website looks professional, we might assume that it is OK. The truth is far from that. It all depends on the laws and regulations of the country where the company is based, and that is assuming it is an authentic company to begin with.

The reason behind this is simple. Countries where ecommerce is tightly regulated have tons of laws and regulations in place forcing merchants and banks to, for example:

  1. Encrypt their databases
  2. Store only the last 4 digits of the card used in the transaction
  3. Encourage banks and payment processors to match card-related information like owner name, home address, and phone number with the ones entered by the buyer. (This step alone will reduce fraud cases drastically.)

When we come to the UAE, for example, I personally don’t know of any laws like the ones stated above. Please consider that doing all these things needs a significant amount of money and trained, trustworthy personnel to deploy and operate these solutions.

If anyone knows of a specific law in the tech sector to this effect, please reference it and I will review it and include it in this article.

Between the extra spending required of businesses, the race to make a quick buck and the lack of laws, the customer and sometimes the merchant become the ultimate victims. As a result, any hack these companies suffer makes it very easy for the hackers to get the customers' data.

Please note I am assuming here that we are dealing with authentic companies that are not doing their part in protecting their customers' data.

There is no 100% foolproof defense against this attack, but you need to do a few things to protect yourself and reduce the risk of being a victim of fraud:

  1. Do your due diligence and research the website in question before you make any purchases.
  2. NEVER save your card details on any website, especially those belonging to companies based outside the USA and Europe.
  3. NEVER use your debit card to pay for anything (I will explain why below).

Finally, some simple additional tips to reduce the risk of falling victim to fraud. These tips are divided into 2 groups: card related tips and technology related tips.

Card related tips:

  • Look out for suspicious links, whether in an email or an SMS. Malware and spyware can easily get into your devices if you aren’t careful enough. To stay safe, don’t open e-mails, links or attachments unless you know and trust the sender. As to SMS, do not open any links embedded in an SMS.
  • Don’t be in a hurry. The more a caller tries to push you and makes it sound like the sky is falling, the more suspicious you should be, and you should end the call. Fraudsters will try to convince their targets by creating a false sense of urgency. All banks advertise that they do not call their customers asking for their information, so you should be very suspicious if you receive a call, regardless of how dire it sounds, asking for your information. If you’re suspicious, end the call and then call your bank using the authorized number found on the back of your credit/debit card and report it.
  • Keep an eye on your SMS transaction notifications and call your bank immediately if you see something suspicious.
  • Limit the use of your debit card to ATM withdrawals ONLY. Do not use your debit card to buy anything offline (at a physical store) or online. I will explain why below.
    • The reasons behind this lie in the difference between debit and credit cards. There are 2 main differences between debit cards and credit cards in fraud cases. The 1st is related to the claim process and the time taken to get your money back due to the different nature of the cards. The 2nd difference is related to the spending limits. Because debit cards are linked directly to your bank account(s), fraud claims take much longer to get your money back. From the stories I have heard, it is on average 4 to 6 months. This isn’t the case with credit cards, assuming you report it right away. With credit cards, you usually get your funds back within a couple of weeks or less. Now regarding limits: with credit cards, you have control over the credit limit (aka spending limit). You can request your bank to lower your credit limit, thus reducing any potential losses from fraud. This isn’t the case with debit cards, as their limit is bound to how much you have in your bank account(s).
  • Lower the limit of your credit card(s) to a reasonable and manageable level. Having a limit that is 3 to 5 times your monthly salary or more, for example, is not a good idea at all. My personal advice is to lower your limit to be equal to or less than your monthly salary, especially if you carry multiple credit cards.

Technology related tips:

  • Try to use Apple Pay or Samsung Pay, as they will offer you some protection from vector 2 attacks as long as you do not walk around with your cards in your pocket in a wallet without NFC/RFID protection.
  • Use an authentic OS on your PC/laptop. Cracked OS versions most of the time come with hidden malware and spyware which can harvest all the information you type (they are called key loggers as they record the sites you visit and record your keyboard strokes). This malware and spyware can be used to help a hacker steal your email, Facebook, bank account, etc.
  • Install the Norton Safe Web browser extension in your browser. It is available for Google Chrome and Firefox. There is a similar product by McAfee called McAfee WebAdvisor. These products will help you identify safe websites when you google anything, as they will be marked with a green mark.
  • Use properly updated antivirus software on your phone and PC/laptop. If you favor professional paid versions, then I would recommend you check Symantec Norton 360, which I have been using for years and isn’t that expensive for a multi-platform license. If you favor the basic free version, then I would recommend AVG free antivirus.