Home » Blogs » shrichris's blog

A brave new world of credit card theft, identity theft, ATM fraud, passport forgery....

Submitted by shrichris on May 15, 2006 - 6:56am


Information Security is still to come of age in India but the fact that it is definitely one of the priorities can be gauged from the fact that today's Chennai edition of "The Hindu" carried three different articles on the subject.

On the front page, a bonanza of cyber crime, phishing, credit card forgery, ATM fraud, passport forgery and the UK connection.

Credit card racket busted - A U.K. based gang behind the operations

In the Opposite-Editorial page,

How to foil the identity thieves

By Lisa Bachelor

"Buying a shredder isn't enough in the battle against laptop criminals"

Finally in Business Review,

Security aspects of IT infrastructure

"The requirement is a cyber space ecosystem that is conducive for deployment of IT in a variety of areas"

Here are some other stories of ATM fraud from the same newspaper.

Youth held for ATM card fraud

Wednesday, September 07, 2005

International credit card racket busted

Thursday, Apr 29, 2004

It is interesting to note that India's thousands of ATM's are decommissioned terminals from providers like Diebold. Considering that the expertise to bypass magnetic strip enabled cards that these ATM's cater to can be found on high streets in London, it is not surprising that the UK connection has surfaced. The next few years will see a surge in ATM and credit card fraud - not just simple card theft and insider attacks,but threats from highly organized and technically competent crime rings from India and abroad, with expertise floating in from crime rings in the west that have already exploited loopholes on their home turf, and looking to sell expertise for a share of the Indian pie.

One suspects that till the losses from crime outweigh the profits from using older "proven insecure" technology, more secure technologies like smart cards will not be seen on a wide scale in India. How soon or how late newer technologies like smart cards are introduced remains to be seen. I believe that economics aside and to a small extent, the fact that unlike the west, most ATM's in India still have a guard at every location, 24x7, will actually delay the introduction of newer technology, in favor of the human element. Cheap labour may still trump secure technology!

Interesting times ahead !

Sriramkrishnan Srinivasan

»

great blog

Submitted by Tickets (not verified) on August 4, 2006 - 6:19pm.

One megalomaniacal idea would be to be able to identify the location of a card like what is done for a sim card and use that to validate or invalidate a request from a card.

»

ways to mitigate credit card fraud

Submitted by partha on May 16, 2006 - 1:57pm.

I am sure credit card companies would come up with innovative (non-technological) solutions to credit card thefts... A couple of things that immediately come to my mind are...1.) Call and confirm if the amount being requested is above a certain value.2.) If two successive usages come from two geographically diverse areas, call and confirm..One megalomaniacal idea would be to be able to identify the location of a card like what is done for a sim card and use that to validate or invalidate a request from a card...Im sure some enterprising organizations would already be doing such stuff...any info along these lines? 

»

>> 1.) Call and confirm if

Submitted by shrichris on May 17, 2006 - 4:45am.

 

>> 1.) Call and confirm if the amount being requested is above a certain value

When you are making a purchase, supposedly you will have to be reached by mobile phone. What if your phone is out of range ? Should the transaction be declined ? Would you be inclined to use your card if this happens frequently ! Would you like to be called at each check out counter especially when there is a long queue? What is its Christmas and you are inclined to make larger purchases. Imagine the queue behind you!

>>2.) If two successive usages come from two geographically diverse areas, call and confirm..

This is done regularly by companies like Visa and Mastercard, except that calls are never made at the exact time the purchase is being made. Then again, is it realistic to expect a person to have a mobile phone in each country he is travelling to  ( which becomes an important consideration when you take the case of a legitimate user travelling extensively) There is a significant time delay between purchase and contact. The customer's liability is reduced when he has taken sufficient care to protect his card, not revealed his pin etc.

>>One megalomaniacal idea would be to be able to identify the location of a card like what is done for a sim card and use that to validate or invalidate a request from a card...

Perhaps, but again the points raised earlier regarding reachabilty need to be considered. There are more interesting privacy issues - for example in Europe it would  be illegal for a mobile company to provide tracking data to a third party unless that body is a legal authority that has made a formal request.

Of course there are catches to each one of these supposed privacy laws and we can have a separate discussion of the reality of privacy today.

There are no clear cut answers. However as I wrote, it is often better to tackle certain basics properly. Magnetic stripe cards are certainly not the way to go. Even if better technology like smart cards are introduced, this is no silver bullet. You can still use a credit card to make a purchase by phone or Internet. This leads us to "card not present" frauds where a malicious user (maybe a family member) simply memorizes your number and pin. Interestingly card reading terminals are to be rolled out this year or next for individual customers in Europe to prove that the card is present when an online purchase is being made.  I am sure ways to bypass this will also come to light soon.

Security has no clear cut answers. Its always a cat and mouse game. However, relying on proven insecure technology , under whatever assumptions is certainly  not a bright thing to do.

Sriramkrishnan Srinivasan

»