A credit card holder of an international bank in Bangladesh got a phone call from her bank last week. She was asked if she had made two transactions that day of about $450 from Spain and New Jersey.
She was dumbfounded. Not only was she in Dhaka, but the places the bank mentioned were nearly 6,000 km apart.
She had become one of the latest victims of identity theft in Bangladesh.
A few days earlier, fraudsters had captured data from several debit cards at a point-of-sale (POS) terminal at a merchant's outlet. The terminals are calculator-like devices used for swiping cards.
They made cloned cards and used them to make off with Tk 6 lakh from six ATM transactions before the banks could smell something fishy.
Identity theft, with fraudsters taking advantage of weaknesses in the cards, ATMs, POS terminals and banks, is on the rise in Bangladesh, but banks do not always report these incidents, industry insiders said.
They have their goodwill and reputation to protect. More often than not, banks quietly compensate the victims and avoid audits by the regulator, sources in several banks told The Daily Star.
The victim, whose magnetic-striped card was cloned and used by fraudsters in Spain and New Jersey, said, “The old-fashioned cards [magnetic-striped] can easily be cloned and fraudsters take this chance. I am surprised to see why banks do not go for chip and PIN cards to ensure customers' security.”
The banks are going for more secure methods but apparently not at the desired pace.
Subhankar Saha, spokesman and executive director of Bangladesh Bank, said the central bank had warned banks about frauds at POS terminals and ATMs, but security measures were yet to be taken even though a year and a half had gone by since the biggest-ever ATM frauds in the country.
Between February 6 and February 12 last year, fraudsters made away with Tk 25 lakh using around 40 cloned cards.
The gang, led by a foreigner, used data skimmed at six ATMs in the capital to make the cloned cards.
Investigators later found that the gang had stolen data from over 1,200 cards and had committed more frauds at POS terminals than at ATMs.
A few days after the fraud, Bangladesh Bank asked all banks to tighten security, including installing anti-skimming devices at their ATM booths. It also instructed banks to make their cards chip-based and phase out the magnetic-striped cards.
According to a recent survey conducted by the Bangladesh Institute of Bank Management (BIBM), 67 percent of ATMs have anti-skimming devices and 52 percent of cards are EMV-compliant.
EMV stands for Europay, MasterCard, and Visa, and is a global standard for inter-operation of integrated chip cards, which are used at POS terminals and ATMs for authenticating credit and debit card transactions.
The survey said that if an EMV-compliant card is used at a non-compliant ATM, the card holder could be vulnerable to identity theft.
The study also shows that the most frequent type of fraudulent activity resulting from a cyber intrusion reported by banks was ATM/point-of-sale schemes (23%).
Bangladesh Bank is aware of the rising identity thefts, but it cannot do anything unless it gets reports from banks.
“We have recently got complaints from some banks about card frauds at a POS terminal of a merchant in Dhaka. We are investigating the issue and have already identified the merchant point,” said Subhankar.
He said data from some debit cards were captured at the merchant point and fraudsters took away Tk 3 lakh through six transactions at ATMs.
According to Bangladesh Bank, there are over 30,000 POS terminals in the country.
Abul Kashem Md Shirin, managing director of Dutch-Bangla Bank, said, “The POS terminals are vulnerable because these are not EMV-compliant.”
According to industry insiders, fraudsters make counterfeit cards with data skimmed from cards used at merchants. Most cards that get counterfeited are foreign.
Dutch-Bangla Bank's Abul Kashem said, “E-commerce transactions are becoming risky and dangerous.”
The BIBM survey found that 30 percent of banks have an online payment gateway service for e-commerce payment processing. As of December 31 last year, 928 online shop owners and merchants were selling products using banks' payment gateways.
Kazi Saifuddin Munir, managing director of IT Consultants, which runs Q-Cash, the largest private payment switch in Bangladesh, said the use of cloned cards at merchants was on the rise.
He said debit card fraud is tough to commit, as the cards are directly linked to banks' core banking systems. However, compromise between merchants and bankers could make fraudsters' lives easier.
“The central bank should introduce a chip-based card that will be used only domestically,” he said, citing the examples of Malaysia, Hong Kong, China and India, where domestic cards have been introduced to ensure security.
According to BIBM, banks spend too little to ensure security. Cyber security expenditure in their budgets increased slightly to 5.2 percent in 2016 from 4.7 percent in 2015.
Only two banks in Bangladesh complied with the Payment Card Industry Data Security Standard (PCI DSS) as of December last year, it said.