Thursday, August 26, 2010

THE LIKELY CAUSES OF CARD FRAUD IN NIGERIA AND SUGGESTED WAYS TO MITIGATE SAME



CAUSES OF FRAUD
SUGGESTED WAY FORWARD
1
Opening cards to all kinds of payment channels (ATM, POS, Web and Mobile) exposes cardholders to all manner of risk.
· Banks to give customers the option to choose the channels on which their cards can be used.

2
Card not present (Use of card information on web or Point of Sale (POS) without the physical card)
· Second level authentication should be mandatory for all “card not present” transactions
· Each bank to set transaction limits for its customers for Card Not Present Transactions.
3
Phishing emails/text messages purporting to be from banks, CBN, a Switch, or other reputable organizations in order to obtain card details from cardholders
· Enlightenment campaign on protection of PIN/card details for cardholders
· SMS alerts for all card payments.
4
Counterfeiting/cloning of cards
· Fast-track the migration to chip+PIN or EMV card to make cloning difficult.
· All terminals should be EMV compliant
· Disable fallback from the EMV chip to magnetic stripe data where the chip fails to function.
5
PIN Brute Force: Attempts to guess the PIN of cardholders using a systematic approach.
· Banks to have real-time online monitoring tools for PIN entry attempts
· Automatic deactivation of the card after unsuccessful PIN attempts (e.g. 3 times).
6
Prepaid Card issues: Loading cash cards from ATM cards without limits or adequate controls, and enabling card-to-card transfers on this scheme.
· All card issuance should be subjected to CBN approval and based on approved Guidelines
· Set limit for card to card transfers, POS and web payments or outright deactivation of card to card transfer.
· Restrict prepaid card usage to particular schemes such as payment of school fees or payment for fuel at filling stations, i.e. restrict the prepaid cards to a single web site or terminal tied to the scheme.
7
Never Received Issue: Fraud using a card that is yet to be received by a cardholder
· Activation of cards should only be done after delivery.
· Enable external banking facility only after the cardholder has collected the card and PIN.
· Banks to segregate the process of PIN handling and card activation.
8
Internal compromise within the bank or a Switch
· Segregate the duties of PIN handling and card activation.
9
Merchant compromise
· Proper due diligence should be done on all merchants before POS is given to them.
· Categorise merchants by transaction limits that would be set based on trends of their sales.
· Introduce a second level authentication for high volume POS transactions.
· E-payments without second level authentication should be allowed for schools and airlines only subject to a maximum limit set.
10
Friendly compromise between cardholder and his associates
· Enlightenment campaign on protection of PIN/card details for cardholders
· SMS alerts for all card payments that will enable the cardholder to block such card if fraudulent.
11
Card skimming: Use of a fake keypad or other skimming device to get card details
· Fast-track the migration to EMV cards
· Regular ATM monitoring
12
Shoulder surfing at ATM locations to steal card information
· Position the ATMs in such a way that cardholders’ PIN entry would be protected
· Cardholder education on PIN protection
13
Transactions with the same card details performed at different locations (e.g. Lagos and Enugu) within an unimaginable timeframe (e.g. 10 minutes)
· Mandate banks to have a standard convention of naming all their terminals with their identification number and location addresses
· Collaborative efforts by all banks and switches to set adequate rules in their fraud monitoring software to decline transactions that do not meet the set rules.
· Once the above is achieved, banks should have an online monitoring system to track such transactions and disallow them.
14
Cash retract issues: Allowing ATM to take some currency notes back after dispensing
· Banks to disable cash retract and release card after cash
15
Dispensing error
· Banks to be proactive by automating the reversal of dispensing error in respect of “on us” transactions.
· Banks that fail to respond within 72 hours on dispensing error in respect of “not on us” transactions should be debited accordingly
· Standard charge back procedures of Visa and MasterCard should be explored
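
The rule suggested under item 13 (decline a card used at distant terminals within an impossible timeframe) can be sketched as follows. This is an added example, not part of the original post: the terminal IDs, approximate coordinates, speed ceiling and minimum distance are all assumptions made for illustration.

```python
import math
from datetime import datetime

# Constructed terminal registry: ID -> (location, approx. latitude, longitude).
TERMINALS = {
    "ATM-LAG-0001": ("Lagos", 6.4550, 3.3941),
    "ATM-LAG-0002": ("Lagos", 6.6018, 3.3515),
    "POS-ENU-0001": ("Enugu", 6.4584, 7.5464),
}
MAX_SPEED_KMH = 900.0   # assumed ceiling: roughly airliner cruising speed
MIN_DISTANCE_KM = 50.0  # assumed: ignore hops between nearby terminals

def distance_km(a, b):
    """Great-circle (haversine) distance between two registered terminals."""
    (_, lat1, lon1), (_, lat2, lon2) = TERMINALS[a], TERMINALS[b]
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    h = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def screen(transactions):
    """Return one (decision, reason) per (card_ref, terminal_id, ISO time)."""
    last_ok = {}  # card_ref -> (terminal_id, time) of last approved transaction
    results = []
    for card, term, ts in transactions:
        now = datetime.fromisoformat(ts)
        if term not in TERMINALS:  # location unknown, so the rule cannot run
            results.append(("DECLINE", "unregistered terminal"))
            continue
        decision, reason = "APPROVE", "ok"
        if card in last_ok:
            prev_term, prev_time = last_ok[card]
            km = distance_km(prev_term, term)
            hours = max((now - prev_time).total_seconds(), 1.0) / 3600.0
            if km >= MIN_DISTANCE_KM and km / hours > MAX_SPEED_KMH:
                decision = "DECLINE"
                reason = f"{km:.0f} km from {prev_term} in {hours * 60:.0f} min"
        if decision == "APPROVE":  # a declined attempt does not move the card
            last_ok[card] = (term, now)
        results.append((decision, reason))
    return results

# Constructed sample: card-A in Lagos, then Enugu ten minutes later.
SAMPLE = [
    ("card-A", "ATM-LAG-0001", "2010-08-26T10:00:00"),
    ("card-A", "ATM-LAG-0002", "2010-08-26T10:05:00"),
    ("card-A", "POS-ENU-0001", "2010-08-26T10:15:00"),
    ("card-B", "POS-ENU-0001", "2010-08-26T10:16:00"),
    ("card-A", "ATM-LAG-0001", "2010-08-26T18:00:00"),
]
```

The check depends on the first suggestion under item 13: a terminal whose location is not in the registry cannot be evaluated, which is why it is declined here rather than silently passed.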