How do I shop safely with my credit card online?

Online payment card fraud is a huge problem, but you don't have to become a victim. Most often, fraudsters steal card details by persuading web users to give them away voluntarily. It's possible to reduce the risk of falling for their scams by paying close attention when shopping online.

WebWise Team | 10th October 2012

Using a payment card online has become so commonplace that we may hardly ever stop to think about the risks. But card fraud is common, and the majority of it involves online and phone purchases.

In 2011, the UK lost £341m to card fraud, and about 65% of this was 'card not present' fraud - abuse of card details in online and telephone transactions. It's a well-organised criminal business and the profit margins are huge.

Sometimes a trader will simply take your money and not deliver the goods - as in the case of 'grey' ticket sales for popular events. But this is quite rare. It accounted for just over 3% of all card fraud in 2011 and is not strictly 'card not present' fraud; it's just plain old-fashioned fraud.

'Card not present' fraudsters usually think bigger than this. They buy big blocks of stolen card details (exploiting many victims at once), so they can buy goods which are then sold on in order to launder the money. If they can get PINs as well, they may forge cards and withdraw cash in countries where the security chip on the card is still not used.

How are card details stolen?

Fraudsters may copy or 'skim' them at a physical point of sale - for example, at petrol stations (although this doesn’t happen as frequently as it used to). Such attacks are always present at a low level, with occasional booms of activity.

Many otherwise respectable shopping sites have inadequate security, and some even retain your card details for longer than is wise, or allowed by the regulations. So there's a possibility that your card details may be compromised by theft from the site or through mistakes.

But by far the most common method of obtaining your card details is known as 'phishing' – that is, using a ‘spoofed’ web page to persuade you to give them away voluntarily.

Phishers themselves seldom use the card details they collect. They sell them on in bulk to other fraudsters, having tested them first by carrying out very small transactions that normally slip below the anti-fraud radar of the banks. If, for example, you find very small, unexpected donations to charities (maybe as low as a few pence) on your card statement – raise the alarm with your bank.

Attention to detail

You can reduce your exposure to card fraud by knowing what to look for and by being cautious. It’s essential to check how trustworthy a sales site is and know how to safely pay for goods online.

For a card transaction, you should never be asked for your online banking password, secret number or other bank account details. No legitimate sales site will ever ask for your card’s PIN either - it's only used at cash machines and physical point-of-sale terminals. For 'card not present' transactions, the 3- or 4-digit 'CVV2 number' (usually on the back of the card) is used instead.

Your PIN is more useful to a fraudster than your CVV2 number, as the PIN allows direct withdrawals of cash. So never divulge your PIN to anyone - not even to someone from your bank. Knowing only your card number and CVV2 should limit fraudsters to making purchases, and card services can make checks on unusual requests to deliver goods to addresses other than the registered card address.

But some clever fraudsters have succeeded in changing the registered address for a card. So, if your statements stop arriving, this should make alarm bells ring.

Shopping sites are not allowed to store your card's CVV2 number after the transaction you supplied it for has been completed. So if you revisit a site and it lets you make new purchases without entering your card details again, be very suspicious. At the very least they're breaking the rules, and your details might get leaked if the site is attacked. You should contact them and request they delete your card details. It's much safer to re-enter them for each purchase than have them stored like this.

Word of warning

An increasing number of online shops now participate in a transaction verification system technically known as '3D Secure'. This will appear to you as "Verified by VISA" or "MasterCard SecureCode" depending on the card you use.

It's great in theory - the system sits between you, the bank and participating traders. You register your card details with it and create a password. Thereafter, when you shop with a participating trader, a window opens prompting you for your password. The system then checks that your card details and password match before allowing the transaction to complete.

This sounds fine, but it's really a way of protecting the bank rather than you. The terms and conditions can make you sign away your right to dispute any transaction made using 3D Secure, despite it not being as secure from your perspective as its name might suggest. And as the terms and conditions also prohibit you from writing down your password, it's also very likely you'll choose something simple that isn’t very secure.

And it gets worse. You can't normally opt out if you're dealing with a participating trader, so you have to use the system or your purchase can't be completed. But although the banks have spent huge sums of money warning us how to spot 'phishing' sites, the 3D Secure implementations currently in use present you with windows that have many of the visual attributes of a phishing site.

Most of the cues that could tell you the window is safe are also missing, and the window usually comes from an obscure overseas web address that has no obvious connection with the trader, your card provider, or your bank. Not surprisingly, these 'security' windows have already been spoofed by fraudsters to steal card details.

Credit cards more secure

Finally, there are several reasons why debit cards are less secure than credit cards when used online. They're not covered by a bank's 'automatic' payment protection insurance. (Having said this, it can still be difficult to get a credit card claim accepted.)

Having your bank account cleaned out can be more immediately damaging to you than your credit card being hit. Credit card transactions are better monitored for patterns that suggest fraud. So, whenever possible, use a credit card rather than a debit card online, but use it vigilantly and with caution every time.

Always remember that 'card not present' fraud is not a casual enterprise. You're up against organised crime these days - the fraudsters are expert and very determined.


WebWise Team

WebWise was first launched in 1998 and since then has helped people of all ages to learn about and love the internet.
