The Dangers of Credit Card Fraud in Indonesia
Mixed messages abound about the scale of credit card fraud. Some quarters claim that using your credit card over the Internet is financial suicide, others quote statistics stating that online transactions are safer than face-to-face transactions. Depending on whom you speak to, anywhere in the world could be ‘fraud central’ for card skimming, and industry losses are reeled off like telephone numbers. Statistics become meaningless, and can be used to support your own argument.
As far as Indonesia, and those who live, work or visit here, are concerned, there is one pertinent fact about credit card fraud.
Visa International and Mastercard, the two significant service providers around the globe, currently list Indonesia as No.2 on the list of the worst countries in the world for credit card fraud occurrence by total incidents recorded.
The issue for most is how to reduce the risk of becoming a victim. To appreciate this, some understanding of the problem is required.
A credit card bears the symbol of a company that controls and regulates credit cards. A bank that is required to meet the standards set by the credit card company issues the card itself. The credit card company is non-profit making, and raises funds from charges to the bank. These charges include fines for malpractice. When a customer incurs a loss due to fraud, the credit card company underwrites it, but reclaims the money from the issuing bank.
This relationship is important because, although the customer takes solace from seeing the credit card company symbol on their card, the responsibility for them, and the duty of care to them, actually falls to the issuing bank.
Further to this, when a customer makes a purchase at a retailer, the issuing bank may not have a credit card terminal in the retail outlet. Sensibly, banks share facilities and hence any reader will be able to process the transaction. However, this means that the transaction is entrusted to the processes and protocols of yet another bank.
In any country the security of card information is reliant on the banks' own protocols, systems and general security levels.
In Indonesia the banking sector has had a troubled past. Many of the banks opened in the last ten years were personal loan facilities for corrupt businessmen. What followed were hurried mergers, Indonesia Bank Restructuring Agency (IBRA) attempts to prevent the collapse of the whole sector, and a faltering path toward normality. The recent Bank Central Asia sale illustrates that there is still a long way to go.
Being without the use of your plastic cards, for however short a time, can be extremely inconvenient. A criminal can quickly spend hundreds or even thousands of dollars using your card or its details - often before you are aware that anything is amiss. There was a time when if you, the customer, were astute enough to take the carbon paper from the shop assistant when using your credit card, you could rest easy. No longer. Credit card fraud is an international business run by resourceful syndicates with industry insiders on their payroll. The following are some methods used to obtain credit card numbers and associated information at present in Indonesia.
A counterfeit card is either one that has been printed, embossed or encoded without permission from the issuer, or one that has been validly issued and then altered or re-coded.
Most cases of counterfeit fraud involve skimming, a process where the genuine data on a card’s magnetic stripe is electronically copied onto another, without the legitimate cardholder’s knowledge.
Skimming normally occurs at retail outlets - particularly bars and restaurants - where a corrupt employee skims a customer’s card before handing it back, then sells the information on higher up the criminal ladder where counterfeit cards are made. In other cases, the details obtained by skimming are used to carry out fraudulent card-not-present transactions. Often the cardholder is unaware of the fraud until a statement arrives showing purchases they did not make.
More worryingly, card details can also be obtained by ‘Chipping’ a card reader at a legitimate point of sale. Card readers need to be serviced and repaired on occasion. Cases have been discovered where a bogus service engineer attends and inserts a chip into the reader that records the card information of transactions completed on that reader. A month later the ‘service engineer’ returns and removes the chip (which now contains hundreds of card details).
In addition, in countries such as Indonesia where security is less robust, the tapping of telephone lines from card readers to the host bank, or the tapping of the bank's phone lines, can be achieved with a modicum of technical knowledge. There is also little chance of detection.
(Cardholders should always keep their card in sight when making a transaction)
Merchant Fraud and Ghost Terminals
To have a card reader installed, a retail outlet must meet certain criteria. These are often very basic in Indonesia and hence a fraudster can easily set up a fake or ghost operation. One method is to short term lease a shop with cash, have a reader installed giving false details and then perform maximum false transactions with compromised data and counterfeit cards in the shortest amount of time possible. This can be achieved even more easily by ‘buying out’ a failing business that already has a legitimate reader installed.
Ghost terminals can be created by obtaining the reader itself from, say, a failing business. With some banking knowledge the reader can be initiated with the bank under completely false details, via an automated telephone initiation system. Once the high volume of fraudulent transactions is discovered, the trail leads nowhere.
Card-not-present Fraud (Fraudulent Use of Card Details)
This crime involves using fraudulently obtained card details to make a purchase, usually over the telephone or on the Internet. A card, in a physical form, is not needed. Usually the details are taken from discarded receipts or copied down without the cardholder’s knowledge. As with counterfeit fraud, the legitimate cardholder may not be aware of the fraud until a statement is received.
More worrying in Indonesia is that criminals have been found in possession of information that has apparently been gained from the compromise of bank data. This can be obtained technically (by hacking into an insecure bank database) or with collusion of bank staff (paying them to disclose or download information).
The card information is then used to visit online casinos and any winnings are banked as ‘laundered’ money. Crime syndicates will run 24 hour multiple computer terminal operations to gamble online with card details until the card is blocked.
(Discard receipts carefully - shredding them if possible - and check statements for any unfamiliar transactions. See Internet Ten Point check list post)
Lost or Stolen Cards
Most fraud on lost or stolen cards takes place at retail outlets before the cardholder has reported the loss. In other cases, the card details from lost and stolen cards are used to make fraudulent card-not-present
To help detect fraud on cards that are not yet reported missing, the banking industry in most countries uses intelligent computer systems that track customer accounts for unusual spending patterns. Such systems are generally lacking in Asia.
(It is vital that cardholders keep cards safe at all times, and report missing cards to their issuing bank immediately so a block can be put on the card)
Mail Non-receipt of Card Fraud
The number of plastic cards stolen in the post is difficult to judge. Although still a small category of fraud, there has been a significant increase (in countries that have reliable statistics) in the last two years. This increase illustrates how criminals constantly look for other areas to exploit as fraud prevention initiatives drive them away from their usual methods.
(Contact your issuing bank if you are concerned about the delivery of a plastic card through the post)
Although evidence of identity theft on card accounts is currently minimal, there is the possibility of a rise once the chip and PIN system makes its impact since this could drive criminals to look for different ways to perpetrate fraud.
There are two categories of identity theft.
Application fraud involves criminals using stolen or false documents to open an account in someone else’s name. Criminals may try to steal documents such as utility bills and bank statements to build up useable information. Alternatively, they may use counterfeited documents for identification purposes.
Criminals try to take over another person’s account, first by gathering information about the intended victim. The criminal then contacts the card issuer, masquerading as the genuine cardholder, to ask that mail be redirected to a new address. The criminal then reports the card lost and asks for a replacement to be sent.
These types of fraud are not prevalent in Indonesia. They tend to be restricted to more sophisticated jurisdictions with robust anti-fraud
(Cardholders should discard bank statements, utility bills and receipts carefully - shredding them if possible)
ATM (Automated Teller Machine) Fraud
Most cases of ATM fraud occur when the legitimate cardholder has written down their PIN and kept it with their card in a purse or wallet that is stolen.
An increasingly common problem is shoulder surfing - where criminals look over a cash machine user’s shoulder to watch them enter their PIN, then steal the card using distraction techniques or pick pocketing.
ATM fraud that involves card-trapping devices is also on the rise in western countries. The device retains the card inside the ATM, at which point the criminal approaches the victim and tricks them into re-entering the PIN. After the cardholder gives up and leaves, the criminal removes the device, with the card, and withdraws cash.
(Never write down your PIN and be alert when using cash machines)
Expatriates’ credit cards are rich pickings for fraudsters. They are easily identified by the first four digits of the card number as being issued by an overseas bank. They generally have higher daily and overall spending limits, and more diverse spending patterns that make fraud more difficult to detect. Syndicates will send cards created with these details to countries where they can be most efficiently used. Currently Taiwan and Japan are the favorites in Asia for the purchase of luxury goods. The syndicates also seek Gold and Platinum cards for the same reasons.
(Have a locally issued credit card for use as an alternative. It will also serve as a backup should you be unfortunate enough to be a victim of fraud. Avoid Gold and Platinum cards if you don’t actually need the higher limits or other benefits offered.)
To combat plastic card crime, two facts need to be established at the time of a transaction - that the card is the genuine item and that the person using it is the true owner.
The introduction of highly secure chip cards in countries such as the United Kingdom meets the first of these objectives by confirming that a card is not a counterfeit. Chip cards also open up new possibilities for tackling the second objective for fraud prevention - identifying the
To fulfill this second part, all face-to-face credit and debit card transactions will eventually be authorised by the customer keying in their PIN (personal identification number) rather than by signing a receipt. This method is beginning to be introduced in Europe, but due to the extensive investment needed in the card system infrastructure, will be a long time coming to Asia.
To help protect yourself from becoming a victim of card fraud, follow these tips:
- Look after your card, keeping it secure at all times and don't let it out of your sight when making a transaction.
- Carefully discard receipts from card transactions - shred them if possible to prevent 'bin divers' from acquiring information about you and your cards.
- Check your receipts against your statements. If you find an unfamiliar transaction contact your card issuer immediately.
- Never write down your Personal Identification Number (PIN) and never disclose it to anyone, even if they claim to be from your card issuer or the police.
- When using a cash machine, be wary of anyone who might be trying to watch you enter your PIN and do not allow yourself to be distracted by anyone trying to talk to you.
- Report lost or stolen cards to your card issuer immediately.
- Have a locally issued credit card for use as an alternative. It will also serve as a backup should you be unfortunate enough to be a victim of fraud. Avoid Gold and Platinum cards if you don’t actually need the higher limits or other benefits offered.
Other useful tips:
- Sign any new cards as soon as they arrive. Ensure that you cut up the old cards as soon as the new ones become valid.
- If you carry a bag, carry it firmly with the clasp towards you. A money belt or secure inside pocket is best for valuables.
- Don't leave cards unattended in a bag, briefcase or jacket pocket in a public place and keep your bag or briefcase on your lap.
- At work keep your bag and other personal belongings locked in a cupboard or drawer.
Most internet fraud involves using card details fraudulently obtained in the real world to make card-not-present transactions in the virtual world. Card-not-present fraud on Internet transactions is low at around three per cent of all card fraud losses.
Security of Cardholder Information
The incidence of hackers stealing cardholder data from websites is very low compared to other ways criminals access card details. To protect data, the international card schemes have stringent criteria to help retailers protect their websites.
Ten-point Checklist for Internet Transactions
The vast majority of businesses operating on the Internet are honest and legitimate organisations. Due to the problems of credit card fraud here, many companies will not accept purchases with mailing addresses in Indonesia. The following ten-point checklist when shopping on the internet is recommended.
- Only use recognized and established retailers.
- Never disclose your PIN to anyone and never send it over the Internet.
- Ensure that the locked padlock or unbroken key symbol is shown in the bottom right of your browser window before sending your card details. The beginning of the retailer’s internet address will change from ‘http’ to ‘https’ when a purchase is made using a secure connection.
- Make sure your browser is set to the highest level of security notification and monitoring. The safety options are not always activated by default when you install your computer.
- Use up-to-date versions of web browsers; old ones are less secure.
- Ensure that the retailer has an encryption certificate. This should explain the type and extent of security and encryption it uses.
- Check statements from your card issuer as soon as you receive them. Raise any discrepancies with the retailer concerned in the first instance. If you find a transaction on your statement that you did not make, contact your card issuer immediately.
- Print out your order and keep copies of the retailer’s terms and conditions and returns policy. There may be additional charges such as local taxes and postage, particularly if you are purchasing from abroad.
- Ensure you are fully aware of any payment commitments you are entering into, including whether you are instructing a single payment or a series of payments.
- If you have any doubts about giving your card details, find another method of payment.
Our appreciation to Michael Linnitt for the contribution of this article to the community!
Copyright © Michael Linnitt
PT. Hill Konsultan Indonesia, a subsidiary of Hill and Associates.