The Dangers of Credit Card Fraud in Indonesia
Mixed messages abound about the scale of credit card fraud. Some quarters claim that using your credit card over the Internet is financial suicide, others quote statistics stating that online transactions are safer than face-to-face transactions. Depending on whom you speak to, anywhere in the world could be ‘fraud central’ for card skimming, and industry losses are reeled off like telephone numbers. Statistics become meaningless, and can be used to support your own argument.
As far as Indonesia, and those who live, work or visit here, are concerned, there is one pertinent fact about credit card fraud.
Visa International and Mastercard, the two significant service providers around the globe, currently list Indonesia as No.2 on the list of the worst countries in the world for credit card fraud occurrence by total incidents recorded.
The issue for most is how to reduce the risk of becoming a victim. To appreciate this, some understanding of the problem is required.
A credit card bears the symbol of a company that controls and regulates credit cards. A bank that is required to meet the standards set by the credit card company issues the card itself. The credit card company is non-profit making, and raises funds from charges to the bank. These charges include fines for malpractice. When a customer incurs a loss due to fraud, the credit card company underwrites it, but reclaims the money from the issuing bank.
This relationship is important because, although the customer takes solace from seeing the credit card company symbol on their card, the responsibility for, and duty of care to, them actually falls on the issuing bank.
Further to this, when a customer makes a purchase at a retailer, the issuing bank may not have a credit card terminal in the retail outlet. Sensibly, banks share facilities and hence any reader will be able to process the transaction. However, this means that the transaction is entrusted to the processes and protocols of yet another bank.
In any country the security of card information is reliant on the bank's own protocols, systems and general security levels.
In Indonesia the banking sector has had a troubled past. Many of the banks opened in the last ten years were personal loan facilities for corrupt businessmen. What followed were hurried mergers, Indonesia Bank Restructuring Agency (IBRA) attempts to prevent the collapse of the whole sector, and a faltering path toward normality. The recent Bank Central Asia sale illustrates that there is still a long way to go.
A counterfeit card is either one that has been printed, embossed or encoded without permission from the issuer, or one that has been validly issued and then altered or re-coded.
Most cases of counterfeit fraud involve skimming, a process where the genuine data on a card’s magnetic stripe is electronically copied onto another, without the legitimate cardholder’s knowledge.
Skimming normally occurs at retail outlets - particularly bars and restaurants - where a corrupt employee skims a customer’s card before handing it back, then sells the information on higher up the criminal ladder where counterfeit cards are made. In other cases, the details obtained by skimming are used to carry out fraudulent card-not-present transactions. Often the cardholder is unaware of the fraud until a statement arrives showing purchases they did not make.
More worryingly, card details can also be obtained by ‘chipping’ a card reader at a legitimate point of sale. Card readers need to be serviced and repaired on occasion. Cases have been discovered where a bogus service engineer attends and inserts a chip into the reader that records the card information of transactions completed on that reader. A month later the ‘service engineer’ returns and removes the chip (which now contains hundreds of card details).
In addition, in countries such as Indonesia where security is less robust, the tapping of telephone lines from card readers to the host bank, or the tapping of the bank's phone lines, can be achieved with a modicum of technical knowledge. There is also little chance of detection.
(Cardholders should always keep their card in sight when making a transaction)
Merchant Fraud and Ghost Terminals
To have a card reader installed, a retail outlet must meet certain criteria. These are often very basic in Indonesia and hence a fraudster can easily set up a fake or ghost operation. One method is to take a short-term lease on a shop with cash, have a reader installed giving false details and then perform the maximum number of false transactions with compromised data and counterfeit cards in the shortest amount of time possible. This can be achieved even more easily by ‘buying out’ a failing business that already has a legitimate reader installed.
Ghost terminals can be created by obtaining the reader itself from, say, a failing business. With some banking knowledge the reader can be initiated with the bank under completely false details, via an automated telephone initiation system. Once the high volume of fraudulent transactions is discovered, the trail leads nowhere.
Card-not-present Fraud (Fraudulent Use of Card Details)
This crime involves using fraudulently obtained card details to make a purchase, usually over the telephone or on the Internet. A card, in a physical form, is not needed. Usually the details are taken from discarded receipts or copied down without the cardholder’s knowledge. As with counterfeit fraud, the legitimate cardholder may not be aware of the fraud until a statement is received.
More worrying in Indonesia is that criminals have been found in possession of information that has apparently been gained from the compromise of bank data. This can be obtained technically (by hacking into an insecure bank database) or with collusion of bank staff (paying them to disclose or download information).
The card information is then used to visit online casinos and any winnings are banked as ‘laundered’ money. Crime syndicates will run 24-hour operations with multiple computer terminals to gamble online with card details until the card is blocked.
(Discard receipts carefully - shredding them if possible - and check statements for any unfamiliar transactions. See Internet Ten Point check list post)
Lost or Stolen Cards
Most fraud on lost or stolen cards takes place at retail outlets before the cardholder has reported the loss. In other cases, the card details from lost and stolen cards are used to make fraudulent card-not-present
(It is vital that cardholders keep cards safe at all times, and report missing cards to their issuing bank immediately so a block can be put on the card)
Mail Non-receipt of Card Fraud
The number of plastic cards stolen in the post is difficult to judge. Although still a small category of fraud, there has been a significant increase (in countries that have reliable statistics) in the last two years. This increase illustrates how criminals constantly look for other areas to exploit as fraud prevention initiatives drive them away from their usual methods.
(Contact your issuing bank if you are concerned about the delivery of a plastic card through the post)
Although evidence of identity theft on card accounts is currently minimal, there is the possibility of a rise once the chip and PIN system makes its impact since this could drive criminals to look for different ways to perpetrate fraud.
There are two categories of identity theft.
Application fraud involves criminals using stolen or false documents to open an account in someone else’s name. Criminals may try to steal documents such as utility bills and bank statements to build up useable information. Alternatively, they may use counterfeited documents for identification purposes.
Criminals try to take over another person’s account, first by gathering information about the intended victim. The criminal then contacts the card issuer, masquerading as the genuine cardholder, to ask that mail be redirected to a new address. The criminal then reports the card lost and asks for a replacement to be sent.
These types of fraud are not prevalent in Indonesia. They tend to be restricted to more sophisticated jurisdictions with robust anti-fraud
ATM (Automated Teller Machine) Fraud
Most cases of ATM fraud occur when the legitimate cardholder has written down their PIN and kept it with their card in a purse or wallet that is stolen.
An increasingly common problem is shoulder surfing - where criminals look over a cash machine user’s shoulder to watch them enter their PIN, then steal the card using distraction techniques or pick pocketing.
ATM fraud that involves card-trapping devices is also on the rise in western countries. The device retains the card inside the ATM, at which point the criminal approaches the victim and tricks them into re-entering the PIN. After the cardholder gives up and leaves, the criminal removes the device, with the card, and withdraws cash.
(Never write down your PIN and be alert when using cash machines)
Expatriates’ credit cards are rich pickings for fraudsters. They are easily identified by the first four digits of the card number as being issued by an overseas bank. They generally have higher daily and overall spending limits, and more diverse spending patterns that make fraud more difficult to detect. Syndicates will send cards created with these details to countries where they can be most efficiently used. Currently Taiwan and Japan are favorites in Asia for the purchase of luxury goods. The syndicates also seek Gold and Platinum cards for the same reasons.
(Have a locally issued credit card for use as an alternative. It will also serve as a backup should you be unfortunate enough to be a victim of fraud. Avoid Gold and Platinum cards if you don’t actually need the higher limits or other benefits offered.)
To combat plastic card crime, two facts need to be established at the time of a transaction - that the card is the genuine item and that the person using it is the true owner.
The introduction of highly secure chip cards in countries such as the United Kingdom meets the first of these objectives by confirming that a card is not a counterfeit. Chip cards also open up new possibilities for tackling the second objective for fraud prevention - identifying the
To help protect yourself from becoming a victim of card fraud, follow these tips:
Other useful tips:
Most internet fraud involves using card details fraudulently obtained in the real world to make card-not-present transactions in the virtual world. Card-not-present fraud on Internet transactions is low at around three per cent of all card fraud losses.
Security of Cardholder Information
The incidence of hackers stealing cardholder data from websites is very low compared to other ways criminals access card details. To protect data, the international card schemes have stringent criteria to help retailers protect their websites.
Ten-point Checklist for Internet Transactions
The vast majority of businesses operating on the Internet are honest and legitimate organisations. Due to the problems of credit card fraud here, many companies will not accept purchases with mailing addresses in Indonesia. The following ten-point checklist when shopping on the internet is recommended.
Our appreciation to Michael Linnitt for the contribution of this article to the community!
Copyright © 1997-2016, Expat Web Site Association Jakarta, Indonesia http://www.expat.or.id All rights reserved.