By Alexandra Shevchuk, Raiffeisenbank Russia

Raiffeisenbank and Kaspersky Lab analyzed the key trends of bank card fraud in 2019. The analysis and conclusions are based on data from Raiffeisenbank’s card transaction monitoring system, information provided by fraud analysts at Kaspersky Lab, as well as data from the FinCERT report by the Bank of Russia.

Reduced number of unauthorized “card not present” (CNP) transactions

Unauthorized online transactions using customer bank card data over the past four years have become a significant challenge for the financial industry. The main reasons are the increase in the number of card transactions, the development of distance payment services, the increase in the share of e-commerce sites. According to the FinCERT Bank of Russia Review of Unauthorized Money Transfers for 2018, the number of unauthorized CNP transactions (without presenting a card) in 2018 increased by 48.3%. FinCERT notes that the availability of payment services via the Internet shifts the interest of fraudsters from ATMs and retail outlets towards CNP transactions and remote banking services. The regulator predicts the upward trend in the migration of unauthorized operations into the CNP environment.

In 2019, according to Raiffeisenbank, the growth rate of unauthorized CNP transactions was slowing down. Despite the still large share in the total volume of fraudulent transactions in the industry, large banks have learned to detect and prevent them.

“For CNP transactions, it is important for attackers to act very quickly. If the attacker managed to lure the necessary information from the victim using social engineering, they will try to withdraw funds before the user begins to doubt something and contacts the bank,” says Maxim Fedyushkin, business development manager of Kaspersky Fraud Prevention.

Examples of the widespread attack scenarios:

 Theft of an account from online banking. This is the most dangerous option for a client of a financial institution. Upon gaining access to the personal account and transaction confirmation tools (codes in SMS or push notifications), an attacker can not only transfer funds from client accounts, but also try to use pre-approved loans.

Having only the card number, an attacker can only access the account in the Internet bank by recognizing the verification code that will be sent to the account holders’ phone. Most often, attackers try to lure them into using social engineering (they ask for a card number for identification, then they ask for a code to “cancel” a fraudulent payment and “save” money or transfer it to a “secure account”; they offer to take part in the action and ask for confirmation of identity; etc.).

Binding card data to the application store or electronic payment system. Knowing the bank card number and once having displayed the confirmation code from the victim, the attackers can attach it to the application store and pay for purchases using their mobile device. This approach can also be used for built-in purchases in games: artifacts or donations are paid from someone else’s card, and then resold to other players. There are examples where attackers create an application with a high cost (more than $ 100), buy it themselves by paying with someone else’s card, and then receive money from the owners of the application store.

Payment by card in online stores. Avoid posting photos of your own banking card or one you found on the internet. If you’ve found a card, simply return it to the bank or to the police.

 2020 forecast for CNP transaction fraud

“We expect that in 2020, CNP transaction fraud will continue to dominate the market, but many banks will block most of these transactions, so the interest of fraudsters is likely to shift towards less secure market players,” says Victoria Alexandrova, Head of the Bank Cards & Acquiring Operations at Raiffeisenbank.

CNP transactions: 7 tips to stay safe

A few simple rules will help you protect your funds from scammers:

Get a separate card for online purchases; if a credit card is used for purchases, it is better to issue a card with a small credit limit and a relatively small amount.

Open a current account for daily expenses – the card for online expenses could be paired with this one. In a mobile bank, a transfer between your accounts takes several seconds, this way your funds will be safe.

– Before buying online, make at least a brief hygiene check of the online store – look at the site, read customer reviews, etc. Check how delivery from the online store is carried out, its terms, whether there is a pickup point of goods.

Set up alerts for the card transactions in the online bank. This will reduce the risk that the amount will be debited unnoticed, as fraudsters often check the correctness of card data by making transactions for small amounts. It will also help prevent further deductions when the card is blocked in a timely manner.

Do not provide your card details to anyone. Remember that the waiter must not take your card to pay the bill in the restaurant.

Install antivirus software.

– For mobile devices, install the application to determine the income call number. Such software informs about the name of the organization and the call category: “loans”, “delivery service”, etc., and also notifies if there were any complaints of spam from this number.

Reduced POS and ATM scams

The use of counterfeit cards in ATMs and retail outlets is rapidly declining in 2019. This is due to the increase in the popularity of cash-free transactions without presenting a card, including the use of electronic wallets, the simplification of money transfer services between private individuals, the transition to cards with a microprocessor (chip) around the world and the increased security of ATM & POS systems.

According to Raiffeisenbank, the volume of fraud using fake cards in ATM and POS-terminals is steadily decreasing.

POS and ATM: 2020 Forecasts

 “We expect a further decrease in the activity of fraudsters in the use of cards compromised in ATMs and retail outlets, as contactless payments are becoming more widespread around the world. At the same time, the standards of information security of retail chains are increasing,” commented Victoria Alexandrova, Head of the Bank Cards & Acquiring Operations at Raiffeisenbank.

POS and ATM: 7 tips to stay safe

There are several simple rules that can help anyone to stay safe from the fraud schemes:

– Follow the bank’s safety recommendations when using bank cards.

– Do not accept any ‘help’ from strangers when dealing with cards at ATMs.

– Before inserting the card into the ATM, press the “cancel” button several times.

– Carefully inspect the device before entering the card – any suspicious objects may be skimmers.

– Cover your keyboard with your hand when entering a PIN code.

– Try to withdraw money from ATMs located in bank branches and other secure places.

– Do not allow to take away your card or scan its magnetic strip when paying. Use cards with a chip.