Credit/Debit cards fraud – A solution? – How to protect yourself

Now that the main methods by which fraud is conducted, here are some steps to help protect yourself. Let me tell you that in my nearly 17 years in UAE I have been almost a victim to 2 fraud attempts in my 17 years in UAE. The 1st was from the US while the 2nd was from UAE. Both affected my UAE issued credit cards.

The 1st fraud attempt took place in Jan 2020. It was a result of me ignoring common sense pure and simple. When we were visiting New York, I visited a gas station in Staten Island which clearly looked dodgy but the car was low on fuel, i was tired from driving and wanted to get home fast so I ignored common sense. The gas machine was asking for CCV/PIN so I put the PIN a couple of times and when it didn’t work. I then decided to go visit another gas station thinking that one was not working properly. Later, thank God, I discovered I was putting the wrong PIN. This incident resulted in a thief who successfully copied my credit card info but had the wrong PIN/CCV. As a result, when the thief tried to pay with my card online in a US store, the payment was rejected due to wrong CCV. I got a SMS of the rejected payment due to wrong CCV and of course called my bank and changed the credit card.

The 2nd fraud attempt took place in May 2023 when someone at 1 AM decided to use my credit card and buy something worth 47AED from a website. The payment went through without OTP so that thief decided to add my credit card to his/her UAE Amazon account and use it to pay for something worth nearly a 1000 AED. I was saved by Amazon who rejected the payment. I woke up on a call from the bank’s credit card security team at 1 AM asking me if I make the transaction as Amazon flagged it fraudulent. As expected I called my bank and changed the credit card and I got the 47 AED back as well.

The “thief” here most likely got his/her hands on the credit card information from a security breach at an online stores which saved my card information including the CCV.

So, the steps below does not offer 100% protection but they will make it harder and harder for you to become a fraud victim and minimize the loss if any.

One last thing, protection and security walk hand by hand with inconvenience. The more secure something is, the more inconvenience will be faced when using it. It is all about trade offs. Both have a price which you should be aware of (as in loss of credit card benefits for example) and ready to pay. So here we go

  1. Setup credit card spending limits. All banks now offer monthly and even daily spending limits which can be configured through their apps on your phone. For example, ADCB allows their customers to configure both daily and monthly spending limits while HSBC on the other hand allow their customers to only configure monthly spending limits for each of their credit cards. So, use this feature according to your needs and your panic level. For example, I have my ADCB cards set to 500 AED daily and 5000 monthly while my HSBC cards are setup to 1000 AED monthly. Then I adjust those limits accordingly if I need to exceed them and then revert them back to their old values once I am done. The good thing is that you get to keep all the benefits offered by the credit card The bad thing is the inconvenience this causes if you go to pay something and discover the you need to adjust the limit.
  2. Consider getting and using one of the prepaid credit cards. Those cards are topped up depending on how much you need. For example, Al Ansari Exchange offer such a card and you can top it up via a bank transfer using online banking from your phone. This is similar in a way to setting spend limits on your credit cards The good thing is if you suffer any fraud transaction(s) then only what you have in the card is lost without any further loss. The bad things are The inconvenience this causes if you get to pay something and discover the you need to top up the card. You lose all of your credit card benefits (cashback, airmiles, discounts,….)
  3. Consider using contactless payment solutions (Google Pay, Apple Pay, Samsung Pay) which hides your credit card details from merchants. They generate unique tokens (think of it as masked credit card numbers) to be used for each single transaction and can not be used more than once. The good thing is you do not need to carry your credit cards with you The bad things are Now you need to make sure your login credentials to such payment solutions are secure. To mitigate this risk, consider enabling MFA via either SMS or an authenticator app on your phone to login to such portals to make it much harder to gain access even if your username/password were compromised. The potential loss of credit card benefits (i.e cashback credit cards). You need to check with your bank if using these methods to pay your bills will cause any loss in benefits.
  4. Stop using your debit card for any purchases especially online ones. Debit cards have direct access to your bank accounts. Using them is just a BAD idea waiting to happen.
  5. Use RFID-blocking wallet which can help protect you against identity theft and fraud that might arise from electronic pickpocketing.
  6. Avoid using “Free” VPN apps on your phone. Do not try to login to your banking app while those “free” VPNs are running and connected. If you need a VPN then get a paid service where you can be sure some level of security is there. If VPN is a must for you then I would suggest to consider either PureVPN or Hotspot Shield. Still would advise against login to online banking while using those VPNs or any other VPNs.
  7. Configure WhatsApp not to download any media automatically to your phone.
  8. Do not respond to WhatsApp messages offering you free stuff, money or even a job.
  9. Make sure to use original software and Operating System on your devices. Any pirated software means it was tampered which also means there is a very high probability it might has something offering a backdoor to your device allowing an attacker to either spy on you or remotely hack your device (an example would be to install a hidden app on your phone to read your SMS messages without your knowledge)
  10. Make sure you invest in your devices security. I would suggest you buy Norton 360 or a similar application for both computers and tablets/phones. There is a Norton 360 10-device license for 70$ annually (60$ for the 1st year). Though this may sound expensive to some, I can assure you it is worth every benny if configured properly on all your devices.
  11. Use common sense. Do not open/respond any messages or open any links that you receive on SMSs even if you are actually expecting a “package”. If you are expecting something, then get the carrier phone number from their official website and call them personally.

Always remember that humans are the weakest link in any security system. If you take all the above-mentioned precautions but you are using pirated software or Operating System on your computer/tablet/phone then you are just asking to be hacked. If your computer has no antivirus protecting you from the dangers of the Web, then it is just a matter of time for you to be hacked. The same applies if you are using a jailbroken iPhone or an Android phone that was tampered with (as in installing APKs apps outside Apple or Google stores). It is no longer a question of if but a question of when.

Make it harder and too much trouble for a thief to robe you even if it causes some inconvenience to you. It is all about tradeoffs. So it would be better to suffer some inconvenience, which can be mitigated, rather than suffering a fraudulent transaction that takes forever to solve and may not get the full amount back.

Credit/Debit cards fraud – The Nightmare – How does it happen

Now that the main reasons of why this is happening I will go through how does fraud happen? To answer that, please understand that there is no magic wand by which credit/debit card information can be obtained by anyone. Anyone preforming credit/debit card fraud must have your card’s data by using one of the below 3 main methods.

  • Method 1: A leak from inside the entity issuing the card
  • Method 2: A leak from your computer/tablet/phone
  • Method 3: A leak from you personally

There are other methods but they are very rare in UAE due to the presence of CCTV cameras nearly in every corner. So tampering with an ATM, for example, is just unheard of in UAE. To be a victim of credit/debit cards fraud then mainly one of the above mentioned must happen.

Method 1 : A leak from inside the entity issuing the card

In method 1, to be fair, a leak from inside the financial entity issuing the card is very difficult but not impossible. People do not know that though the bank’s call center staff can see their security questions and their answers, they can’t see several other sensitive date. Those with access to all other details of credit/debit card sensitive information (PIN, CVV,….) are very few. Such leaks are very rare because the identity of the leaker will be found out easily in a very short time.

Most leaks are a result of either the 2nd or 3rd methods on which I will go into details below.

Method 2 : A leak from your computer/tablet/phone

In method 2, some kind of software (aka trojan horse) gets installed on your device and it is later used to transmit your keyboard actions to whoever is controlling it. These kinds of software depend on you using either pirated OS or application or has misconfigured some of the security settings on the device. They depend on fooling you enough to accept and open something simple as a word document or a PDF file or a to open a link. If the device in question is secured, then these attempts will result in many warning messages and popups alerting you that something is trying to change some settings on your device which should be enough for you to take action and stop it.

This method however is where the vast majority of leaks take place in UAE mainly because a lot of people buy and use 2nd hand phones/tablets which could have been previously hacked. The same applies to computers using pirated OS and/or applications or if the security settings on your device are turned off. In addition, very few invest in securing their devices further by using powerful antiviruses and not the free ones which offers basic levels of protection.

Method 3 : A leak from you personally

Method 3 describes itself. It is a leak from you personally. It happens when people ignore common sense. For example, people handing over their credit/debit cards along with PINs to others in order to process their payments. An example of this is when people hand over gas station workers their cards and provide them with the PIN to pay on their behalf. Another example would be when people hand over their cards to their kids and give them the PIN numbers! A child has no grasp of the dangers surrounding that plastic card and can be fooled much easier than you.

Credit/Debit cards fraud – The Ugly Truth – Why does it happen

Suffering from fraud is ugly and painful. Banks in UAE take a significant amount of time to investigate cases and resolve them. In most cases, the full amount is never recovered. Let alone that banks force victims to pay the full bill (in case of a credit card fraud) till the issue is investigated and resolved. Victims on the other hand have to wait for up to 90 days or more to get anything back.

So why fraud happens? Well, it is not rocket science. The most important 5 reasons as to why fraud happens in UAE are

  • Privacy and data protection is virtually nonexistence in UAE. There are no PCI/DSS style laws in UAE forcing merchants to encrypt their databases. The Central Bank in its notice dated 21 May 2019 ((CBUAE/BSD/C/2019/2094)) mandated all Financial Institutions operating in the Cards payment ecosystem to comply with PCI DSS but there is no mention about merchants to force them to do the same.
  • There is no law preventing merchants from keeping your credit/debit card information without your consent.
  • For the sake of easy, quick financial transactions and to save costs most bank’s payment gateways will let certain payments through without OTPs if the payment is below a certain value.
  • The vast majority of online merchants in UAE do not invest property in security. Most of them use very powerful platforms to build their online stores BUT many fail miserably, either out of ignorance or to save costs, in configuring their security properly.
  • Naive consumers who either ignore common sense or assume things that do not exist.

If we mix those reasons together, we get a recipe for a disaster. I truly hope things change in the future. I actually see the UAE on a path that ends with enacting laws in that regard to help reduce fraud and forcing merchants to take things seriously and invest properly in their security infrastructure. I just hope things progress a bit faster.

In the next article, I will discuss the main methods by which fraud is conducted.

Credit Card Fraud – What is it? And How can you protect yourself?

This article is aimed at the regular Joe and Jane. I will avoid going deep into useless technical details and/or using technical terms. I have posted a very condensed version of this article as a reply to a post on Sep 29th on Dirham Stretcher Facebook group. My aim is to answer the 3 main questions below to help the regular Joe and Jane in their daily life avoid being a victim of credit card fraud.

  1. What is credit fraud?
  2. How credit fraud is committed?
  3. What steps to take to help yourself reduce the risk of being a victim of credit card fraud?

Credit and Debit cards in the developed countries and specially in UAE are becoming an essential tool of our daily lives. The role credit and debit cards play in our daily life has grown at an explosive rate specially after Covid-19. With the lockdowns and work from home environment, ordering things online (food, cloths…. etc.) have become a way of life for so many. With the explosive growth in the number of credit and debit card holders, comes the increased risk of being a victim of credit card fraud. So, what is credit card fraud?

So you may ask, how is this possible? How can someone steal my card? How can someone use my credit/debit card to purchase stuff without my sole authorization?!

To answer these questions, we need to understand that to buy anything online in UAE, all is needed are the following

  • The credit/debit card number
  • Expiry date.
  • CCV

Please note I underlined UAE above. I did this on purpose which will be explained later below when discussing the different vectors of attack.

To answer your questions, please allow me to explain how credit/debit cards are stolen in simple terms without going into the technical part of it. Simply put, there are 3 vectors of attack used by any attacker to get your cards data.

The 1st vector of attack is the owner of the card and the way he/she uses their cards. The 2nd vector of attack is the technology used in today’s cards itself (think contactless cards for example). The 3rd vector of attack is a mixed bag and is partly outside the card’s owner control as it also depends on the merchants themselves. I will briefly explain each vector of attack.

Attack vector 1 – The human factor

As with any technology, the weakest link is the operator also known as the human factor. If you are used to hand over your cards to waiters, gas station personnel…. etc. to process your payments then, it is no longer a matter of if anymore but rather it is a matter of when.

If you have the habit to leave your cards out of your sight, then there is a 50% chance of your card being copied every time it is out of your sight. With that kind of probability, you can’t be lucky 100% of the time.

The only defense against this vector is to NEVER leave your cards out of your sight and NEVER hand your cards over to anyone to process your payment.

The same approach applies to how the card owners handle calls and/or SMS pretending to be related to their cards. For example, NEVER answer any security questions to any caller claiming to call from any bank you are dealing with even if the caller references an issue that you personally reported. What you must do is tell the caller “Please update the ticket and I will call the authorized bank phone number and check your update.”

NEVER click on URLs embedded in SMS messages and NEVER answer security questions from incoming calls regardless of how dire the situation sounds.

Attack vector 2 – The technology factor

The technology used in today’s cards introduces more risks than many really understand or anticipate. With NFC and contactless cards for example, all you need is a card reader that sweeps close enough to your card to read all its data.

The only defenses against this vector are

  1. Get a RFID/NFC protected wallets that would block your card from being read by any RFID/NFC type reader while it is in your pocket.
  2. Use technologies like Apple Pay and Samsung Pay.

Attack vector 3 – The dark forest

This is one of trickiest vectors of attack. When we shop online today, we might tend to assume certain things. For example, if the website looks professional then we might assume that it is OK. The truth is far from that. It all depends on the laws and regulations of the country where such company is based and that assuming it is an authentic company to begin with.

The reason behind this is simple. Countries where ecommerce is tightly regulated, have tons of laws and regulations in place forcing merchants and banks to, for example,

  1. Encrypt their databases
  2. Store only the last 4 digits of the card used in the transaction
  3. Encourage banks and payment processors to match card related information like owner name, home address, and phone number with the ones entered by the buyer. (this step alone will reduce fraud cases drastically)

When we come to UAE, for example, I personally don’t know of any laws like the ones stated above. Please consider that doing all these things need a significant amount of money and trained trustworthy personnel to deploy and operated these solutions.

If anyone know of a specific law in the tech sector to this effect, please reference it and I will review it and include it to this article.

Between the extra spending required by the businesses, the race to make a quick buck and the lack of laws, the customer and sometimes the merchant become the ultimate victims. As a result, any hack these companies suffer makes it very easy for the hackers to get the customers data.

Please note I am assuming here that we are dealing with authentic companies that are not doing their part in protecting their customer’s data.

There is no 100% fool proof defense against this attack but rather you need to do few things to protect yourself and reduce the risk of being a victim of fraud

  1. Do your due diligence and research the website in question before you make any purchases.
  2. NEVER save your card details on any website specially those belonging to companies based outside USA and Europe.
  3. NEVER use your debit card to pay for anything (I will explain why below).

Finally, some simple additional tips to reduce the risk of failing victim to fraud. These tips will be divided into 2 groups. Card related tips and technology related tips.

Card related tips:

  • Lookout for suspicious links whether it is in an email or SMS. Malware and spyware can easily get into your devices if you aren’t careful enough. Don’t open e-mails, links or attachments unless you know and trust the sender to stay safe. As to SMS, do not open any links embedded in an SMS.
  • Don’t be in a hurry. The more a caller try to push you and make it sounds like the sky is falling, the more you should be very suspicious and should end the call. Fraudsters will try to convince their targets by creating a false sense of urgency. All banks advertise that they do not call their customers asking for their information so you should be very suspicious if you receive a call, regardless of how dire it sounds, asking for your information. If you’re suspicious, end the call and then call your bank using the authorized number found on the back of your credit/debit card and report it.
  • Keep an eye on your SMS transaction notifications and call your bank immediately if you see something suspicious.
  • Limit the use of your debit card to ATM withdrawals ONLY. Do not use your debit card to buy anything offline (at a physical store) or online. I will explain why below
    • The reasons behind this lay in the difference between debit and credit cards. There are 2 main differences between debit cards and credit cards in fraud cases. The 1st is related to the claim process and the time taken to get your money back due to the different nature of the cards. The 2nd difference is related to the spending limits. Due to the fact debit cards are linked directly to your bank account(s), fraud claims take much longer to get your money back. From the stories I have heard, it is on average 4 to 6 months. This isn’t the case with credit cards assuming you report it right away. With credit cards, you get your funds back usually within a couple of weeks or less. Now regarding limits, with credit cards, you have control on the credit limit (aka spending limit). You can request your bank to lower your credit limit thus reducing any potential losses from fraud. This isn’t the case with debit cards as their limit is bound with how much you have in your bank account(s).
  • Lower the limit of your credit card(s) to a reasonable and manageable level. Having a limit that is 3 to 5 times your monthly salary or more for example is not a good idea at all. My personal advice is lower your limit to be equal or less than your monthly salary specially if you carry multiple credit cards.

Technology related tips:

  • Try to use Apple Pay or Samsun Pay as they will offer you some protection from vector 2 attacks as long as you do not walk around with your cards in your pocket in a non anti NFC/RFID wallet.
  • Use authentic OS on your PC/laptop. Cracked OS versions most of the time come with hidden Malware and spyware which can harvest all the information you type (they are called key loggers as they record the sites you visit and record your keyboard strokes). These Malware and spyware can be used to help a hacker steal your email, Facebook, bank account… ect.
  • Install Norton Safe Web browser extension to your browser. It is available for Google Chrome and FireFox. There is a similar product by McAfee called McAfee WebAdvisor. These products will help you identify safe websites when you google anything as they will be marked with green mark.
  • Use a properly updated antivirus software on your Phone and PC/laptop. If you favor professional paid versions, then I would recommend you check Symantec Norton 360 which I have been using for years and isn’t that expensive for a multiple platform license. If you favor the basic free version, then I would recommend AVG free antivirus.