DEBIT CARD SECURITY MEASURES
Concerned over rising incidents of cyber fraud, the RBI will soon ask banks to shift from the existing magnetic-stripe ATM cards to chip-based cards and to upgrade their cash dispensing machines (ATMs) accordingly. While pitching for chip-based cards, the report said that they are much harder to copy and duplicate than the existing magnetic-stripe cards.
Earlier, the RBI had formed a Working Group whose objective was to provide banks with a set of guidelines covering the entire gamut of electronic banking. These would serve as a common minimum standard for all banks to adopt, and also lay down best practices for banks to adopt in a phased manner for a safer and sounder banking environment. The Group felt that banks needed to follow a consistent approach in each focus area, to minimize differing interpretations.
The Group's recommendations regarding ATM-cum-debit cards are summarized below.
- Electronic banking channels such as ATM/debit cards, internet banking and phone banking should be provided only at the option of the customer, based on a specific written or authenticated electronic request together with a positive acknowledgement of the terms and conditions by the customer. A customer should not be forced to opt for such services. Banks should give customers clear information about the risks and benefits of e-banking delivery channels so that they can decide whether to use them.
- Chip-based cards hold data on a microchip instead of a magnetic stripe, making the data harder to steal and the card harder to reproduce. It is recommended that the RBI consider moving to chip-based cards, together with the required upgrade of infrastructure such as ATMs and POS terminals, in a phased manner.
- In a shared ATM network, when one bank's card is used to perpetrate a fraud at another bank's ATM, it has been observed that there is a lack of clarity on who should report the fraud to the RBI. The bank acquiring the transaction should report the fraud, and should seek the issuing bank's help in recovering the money.
- Personalization of the card, generation of card data through a specific algorithm, and verification of that data at the switch level.
- Secure delivery of the card to the customer only after customer identification.
- Controls around activation of the card.
- Blocking of the card after a set number of wrong PIN attempts.
- An instant SMS alert sent to the customer's mobile number registered with the bank whenever the card is used at any ATM, POS terminal or e-commerce site.
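The activation control, the wrong-PIN blocking and the SMS alert from the list above, combined into one issuer-side authorization routine. This is an added example and not code from the RBI report or from any bank's switch; the lockout threshold of three attempts, the keyed-HMAC PIN verifier (a stand-in for the HSM-based PIN verification a real issuer performs), the in-memory SMS log, and the sample card number and mobile number are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed threshold: the recommendation leaves the number of attempts to the bank.
MAX_WRONG_PIN_ATTEMPTS = 3

# Assumed issuer secret. A real issuer verifies PINs inside an HSM against a
# stored PIN verification value; a keyed HMAC over PAN and PIN is a stand-in
# used here only so the example runs offline.
_PIN_KEY = secrets.token_bytes(32)


def pin_verifier(pan: str, pin: str) -> bytes:
    """Derive the stored PIN verifier for a card (constructed scheme, see above)."""
    return hmac.new(_PIN_KEY, f"{pan}:{pin}".encode(), hashlib.sha256).digest()


@dataclass
class Card:
    pan: str
    verifier: bytes
    registered_mobile: str
    activated: bool = False      # card is inert until the customer has been identified
    blocked: bool = False
    wrong_pin_count: int = 0


@dataclass
class Issuer:
    cards: dict = field(default_factory=dict)
    sms_log: list = field(default_factory=list)   # stands in for the SMS gateway

    def issue(self, pan: str, pin: str, mobile: str) -> None:
        """Personalize a card; the PIN itself is never stored, only its verifier."""
        self.cards[pan] = Card(pan, pin_verifier(pan, pin), mobile)

    def activate(self, pan: str, identity_verified: bool) -> bool:
        """Activation control: the card works only after customer identification."""
        if not identity_verified:
            return False
        self.cards[pan].activated = True
        return True

    def authorize(self, pan: str, pin: str, channel: str, amount: int) -> str:
        """Issuer-side decision for an ATM, POS or e-commerce request."""
        card = self.cards.get(pan)
        if card is None:
            return "DECLINE_UNKNOWN_CARD"
        if card.blocked:
            return "DECLINE_BLOCKED"
        if not card.activated:
            return "DECLINE_NOT_ACTIVATED"
        # Constant-time comparison so the verifier leaks nothing through timing.
        if not hmac.compare_digest(card.verifier, pin_verifier(pan, pin)):
            card.wrong_pin_count += 1
            if card.wrong_pin_count >= MAX_WRONG_PIN_ATTEMPTS:
                card.blocked = True
                self._sms(card, f"Card ending {pan[-4:]} blocked after "
                                f"{card.wrong_pin_count} wrong PIN attempts")
                return "DECLINE_BLOCKED"
            return "DECLINE_WRONG_PIN"
        card.wrong_pin_count = 0   # a correct PIN resets the counter
        self._sms(card, f"Rs {amount} used on card ending {pan[-4:]} at {channel}")
        return "APPROVE"

    def _sms(self, card: Card, text: str) -> None:
        self.sms_log.append((card.registered_mobile, text))


if __name__ == "__main__":
    # Constructed sample: one card, one correct use, then three wrong PINs.
    issuer = Issuer()
    issuer.issue("4111111111111111", "1234", "+919800000000")
    issuer.activate("4111111111111111", identity_verified=True)
    print(issuer.authorize("4111111111111111", "1234", "POS", 1500))
    for _ in range(3):
        print(issuer.authorize("4111111111111111", "0000", "ATM", 500))
    print(issuer.sms_log)
```

The order of the checks matters: a blocked card is refused before the PIN is even looked at, so an attacker cannot keep guessing once the counter has tripped, and a correct PIN resets the counter so ordinary typing mistakes do not accumulate into a lockout.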
'Card skimming' is the illegal copying of information from the magnetic stripe of a credit or ATM card. It is a more direct version of a phishing scam: the scammers try to steal a customer's card details so that they can access the associated accounts. Once scammers have skimmed the card, they can create a fake or 'cloned' card carrying the details from the skimmed card, and then run up charges on the victim's account.
There are a variety of methods that may be employed to deter card skimming.
- a. Awareness among consumers, branch personnel and ATM service technicians can lead to the detection of devices added to an ATM fascia. Visual clues such as tape residue on or near a card reader may indicate the former presence of a skimming device.
- b. Any servicing of onsite ATMs by external service personnel may be done in the presence of a bank official, and for off-site ATMs random checks by bank officials may be conducted.
- c. All ATMs, including offsite ATMs, need to be manned by security guards.
- d. Physically inspecting the ATMs once a day. Best practice is to do a physical inspection during maintenance, cash replenishment and similar visits by the bank or the outsourced agency managing the ATM network for the bank.
- e. Enforce standards for the appearance of ATMs. Adopt visual standards for ATMs so that all ATMs look alike, which makes added hardware easier to spot.
- f. Banks can ask customers to provide or register their mobile numbers so that an alert message can be sent for transactions done on alternate channels.
- g. Looking for anomalous activity in customer accounts. Fraud detection software is not foolproof, but it can detect some behaviours associated with fraudulent transactions. Up-to-date customer contact information is critical for quickly verifying the legitimacy of a transaction or stopping a fraud. Deploying a fraud monitoring system, especially in an online environment, may be difficult and expensive, but it is useful for detecting fraud and acting in time.
- h. Banks may consider dynamic scoring models and related processes to flag or alert on transactions that are out of the ordinary, to improve preventive and detective capability. Studying customers' transaction behaviour patterns and stopping irregular transactions, or obtaining confirmation from customers for outlier transactions, may be part of the process.
- i. Networking with other banks' security and branch officers, by participating in electronic security task forces or even informal cooperative agreements with other local banks, can help ensure that a bank's branch managers and ATM officers are the first to know when a skimmer is targeting their area.
- j. All ATM/debit cards may by default be usable only in India, Nepal and Bhutan. A cardholder who wants to use the card abroad should either obtain a separate PIN before leaving India, or have international usage separately activated, either online or through the call centre.
- k. Banks may also explore biometric ATM cards for illiterate customers who may not be at ease using ordinary ATM cards.
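The default domestic-only rule in (j) and the behavioural scoring described in (g) and (h), as one added example of a transaction risk check run before authorization; it is not code from the report or from any bank's fraud system. The thresholds (a ten-minute velocity window, three transactions, a z-score of 3, five transactions of history before amounts are scored), the decision policy (one anomaly asks the customer to confirm, two or more decline), and the sample transaction history are all assumptions chosen for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Default usage zone per recommendation (j): India, Nepal and Bhutan.
DOMESTIC = {"IN", "NP", "BT"}

# Assumed thresholds; the report leaves the actual numbers to each bank.
VELOCITY_WINDOW = timedelta(minutes=10)
VELOCITY_LIMIT = 3      # more transactions than this inside the window is anomalous
ZSCORE_CONFIRM = 3.0    # an amount this many standard deviations above the mean is an outlier
MIN_HISTORY = 5         # no amount scoring until the customer has this much history


@dataclass(frozen=True)
class Txn:
    when: datetime
    amount: float       # INR
    country: str        # ISO 3166-1 alpha-2 code of the terminal's country
    channel: str        # "ATM", "POS" or "ECOM"


@dataclass
class CardProfile:
    pan: str
    international_enabled: bool = False          # set by the customer online or via the call centre
    history: list[Txn] = field(default_factory=list)


def score_transaction(profile: CardProfile, txn: Txn) -> tuple[str, list[str]]:
    """Return (decision, reasons) where decision is APPROVE, CONFIRM or DECLINE.

    CONFIRM means hold the transaction and get the customer's confirmation on the
    registered mobile; this is the assumed policy for a single anomaly.
    """
    # Rule (j): outside India/Nepal/Bhutan only if international usage was activated.
    if txn.country not in DOMESTIC and not profile.international_enabled:
        return "DECLINE", ["international usage not activated"]

    reasons: list[str] = []
    hist = profile.history

    # Velocity: a burst of transactions within minutes is typical of a cloned card in use.
    recent = [t for t in hist if timedelta(0) <= txn.when - t.when <= VELOCITY_WINDOW]
    if len(recent) + 1 > VELOCITY_LIMIT:
        reasons.append(f"{len(recent) + 1} transactions within {VELOCITY_WINDOW}")

    # Amount outlier relative to this customer's own behaviour (recommendation h).
    if len(hist) >= MIN_HISTORY:
        amounts = [t.amount for t in hist]
        mu, sigma = mean(amounts), pstdev(amounts)
        # sigma == 0 (identical amounts so far) cannot be z-scored and is skipped.
        if sigma > 0 and (txn.amount - mu) / sigma >= ZSCORE_CONFIRM:
            reasons.append(f"amount {txn.amount:.0f} is an outlier "
                           f"(customer mean {mu:.0f}, sd {sigma:.0f})")

    # First use in a foreign country the customer has never transacted in.
    if txn.country not in DOMESTIC and txn.country not in {t.country for t in hist}:
        reasons.append(f"first use in {txn.country}")

    if not reasons:
        return "APPROVE", reasons
    # Assumed policy: one anomaly asks the customer; two or more stop the transaction.
    return ("CONFIRM" if len(reasons) == 1 else "DECLINE"), reasons


def sample_history(start: datetime) -> list[Txn]:
    """Constructed sample: six ordinary domestic purchases on consecutive days."""
    amounts = [500, 800, 600, 700, 650, 750]
    return [Txn(start + timedelta(days=i), a, "IN", "POS") for i, a in enumerate(amounts)]


if __name__ == "__main__":
    hist = sample_history(datetime(2024, 1, 1, 12, 0))
    profile = CardProfile("4111111111111111", history=hist)
    later = hist[-1].when + timedelta(hours=2)
    for txn in (Txn(later, 700, "IN", "ATM"),
                Txn(later, 5000, "IN", "POS"),
                Txn(later, 700, "US", "ECOM")):
        print(txn.country, txn.amount, score_transaction(profile, txn))
```

The geographic rule is applied first and is a hard decline, since it is a customer-chosen setting rather than a statistical guess; the behavioural checks only ever escalate to CONFIRM or DECLINE, never override an approval the customer could not have anticipated, and they deliberately stay silent on amounts until enough history exists to make the customer's mean and standard deviation meaningful.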
Further, the following anti-skimming solutions can be introduced:
Jittering: Jittering controls and varies the speed at which the card moves as it is swiped through the card reader, making it difficult, if not impossible, for an externally attached skimming device to read the card data.
Chip-based cards: These cards house data on a microchip instead of a magnetic stripe, making the data difficult to clone. It is recommended that the RBI consider moving to chip-based cards, together with the upgrade of the necessary infrastructure such as ATMs and POS terminals, in a phased manner. The benefit is only fully realized once terminals stop accepting magnetic-stripe fallback transactions for chip cards, since a chip card still carries a stripe that can be skimmed.
PIN-based authorization: For debit/credit card transactions at POS terminals, a PIN-based authorization system needs to be put in place (without any looping) in place of the existing signature-based system, and non-PIN-based POS terminals need to be withdrawn in a phased manner.