Card fraud basically involves theft of identity or information on your cards.

The stealing can take place in one of the following ways:

1. Skimming

“This involves attaching a data skimming device in the card reader slot to copy information from the magnetic strip when one swipes the card,” says Mohan Jayaraman, MD, Experian India.

“They also set up cameras near the machine to get the PIN,” he adds.

2. Card trapping

This involves a barb fitted in the card slot that retains the card when you insert it in the machine; the fraudster retrieves the card later.

3. Shoulder surfing

If you find friendly bystanders in the room or outside who try to help you if your card gets stuck or peer over your shoulder, beware.

They are there to get you to reveal your PIN.

4. Leaving card PIN

If you write your PIN on the card and forget it in the ATM kiosk, it’s a virtual invite to be scammed.

5. Online transactions

The ease of e-shopping or online bill payment is matched by the ease with which identity theft can be carried out on a computer or smartphone.

Mumbai-based Girish Peswani knows it well. “I was in my office when I got alerts about online transactions abroad made using my credit card,” he says. There are various ways this card information could have been stolen.

6. Pharming

In this technique, fraudsters reroute you to a fake website that seems similar to the original.

So even as you conduct transactions and make payment via credit or debit card, the card details can be stolen.

7. Keystroke logging

Here, you unintentionally download software that allows the fraudster to record your keystrokes and steal passwords or credit card and Net banking details.

8. Public Wi-Fi

If you are used to carrying out transactions on your smartphone, public Wi-Fi makes for a good hacking opportunity for thieves to steal your card details.

9. Malware

This is malicious software that can damage computer systems at ATMs or bank servers and allows fraudsters to access confidential card data.

10. Merchant or point-of-sale theft

This is perhaps the most effective form of stealth, wherein your card is taken by the salesperson for swiping and the information from the magnetic strip is copied to be illegally used later.

11. Phishing & vishing

While phishing involves identity theft through spam mails which seem to be from a genuine source, vishing is essentially the same through a mobile phone using messages or SMS. These trick you into revealing your password, PIN or account number.

12. SIM swipe fraud

Here the fraudster contacts your mobile operator with fake identity proof and gets a duplicate SIM card.

The operator deactivates your original SIM, and the thief generates a one-time password (OTP) on the phone to conduct online transactions.

13. Unsafe apps

Mobile apps other than those from established stores can gain access to information on your phone and use it for unauthorised transactions.

14. Lost or stolen cards, interception

Transactions are carried out using stolen cards, those intercepted from mail before they reach the owner from the issuer, or by fishing out information like PINs and passwords from trash bins.

15. Cards using other documents

New cards are made by fraudsters using personal information stolen from application forms, lost or discarded documents.

Source: http://www.gadgetsnow.com/slideshows/15-ways-criminals-steal-money-from-your-debit/credit-card/Malware/photolist/55414130.cms


The chip card (EMV) era has arrived with the promise that data in retail environments will be better protected. Cardholders will have much greater security at the point of sale with their own card data. But, while it will be much more difficult for thieves to steal card data at the point of swipe, the hackers are still hacking and data is still being lost – almost daily.

Fast-food chain Wendy’s is facing a class-action lawsuit over a recent breach of its existing point-of-sale (POS) system. The Wendy’s breach comes on the heels of numerous other POS attacks at major retailers in recent years, including breaches at Michaels, eBay, Neiman Marcus, Target, and the largest of them all, Home Depot (56 million cards). Retailers have been shaken by these events; a recent study found that 100% of retailers cite cybersecurity as one of their top business concerns, up from only 55% in 2011, according to BDO, a business advisor to consumer business companies for over 100 years.

Retail customer data breaches can result in a company losing millions of dollars to class action lawsuits, possibly facing penalties for Payment Card Industry Data Security Standard (PCI DSS) violations, and irreparably harming its reputation. However, PCI compliance is not a guarantee that a retailer’s infrastructure is immune to breaches. It merely means minimum standards have been achieved.

Following are five steps merchants in any industry can take to prevent their POS systems from being compromised:

1. Have Store Personnel Monitor Self-Checkout Terminals/Kiosks

There are two methods by which POS data is stolen: by compromising the POS system itself using stolen credentials or by physically installing “card skimmers,” usually on self-checkout terminals that are not monitored. These devices, which take only seconds to install, steal payment card data and PIN information directly off the card’s magnetic stripe.

While the introduction of new chip cards will eliminate the threat of card skimmers, 42% of retailers are yet to update their payment terminals to accept chip cards – and even some retailers who have EMV-enabled terminals cannot accept chip cards because the POS software cannot yet handle them. It is imperative that such terminals not be left completely unattended. Every store should have on-site personnel who are trained to spot card skimmers and assigned to monitor self-checkout terminals for their presence.

2. Ensure that Both POS and OS Software Is Up-to-Date

Because cybersecurity is a constant “Spy vs. Spy” battle where experts find ways to patch vulnerabilities while hackers find new ways to access systems, POS software systems release frequent updates to address the most recent security threats. For maximum protection, these updates must be downloaded and installed as soon as they are released, not on a monthly or quarterly schedule. The same concept applies to operating system software; retailers and restaurants that are running Microsoft Windows should ensure that patches are installed as soon as they are available.

3. Always Change Default Manufacturers’ Passwords

Retailers and restaurants should always change the default password provided by the manufacturer as soon as a new piece of hardware is hooked up to their POS system. Default passwords are publicly available, and thus widely known to hackers; in fact, the first thing an attacker will attempt to do is access the device using the default password.

Changing default passwords is required as part of an organization’s compliance with PCI DSS standards. Likewise, software system passwords should also be changed upon installation, and then on a regular basis afterwards.

4. Isolate the POS System from Other Networks

Many retailers, restaurants, and hotels offer free Wi-Fi to their customers. The POS system should never be hooked up to this network, as a hacker can use it to access the system. Likewise, if an organization’s POS system is not separated from its corporate network, a hacker who compromises the organization’s main network will be able to access its POS system. There are two ways to achieve this: by actually segmenting the two networks or by using multifactor authentication for communication between the organization’s main network and its POS system.

The correct solution for a particular organization depends on its size and resources, so it’s best for organizations to consult a managed security services provider (MSSP) to determine which solution would best fit their needs.
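The separation described in step 4 can be checked against the firewall policy itself. The following Python script is an added example, not part of the original article: it audits a constructed rule list for allow rules that let guest Wi-Fi or corporate addresses reach the POS subnet. The subnets, the rule format and the top-down, first-match evaluation are assumptions made for illustration.

```python
"""Audit a firewall rule list for paths into the POS segment (constructed data)."""
from ipaddress import ip_network

# Constructed zones; the subnets are hypothetical, not from the article.
ZONES = {
    "guest_wifi": ip_network("192.168.50.0/24"),
    "corporate": ip_network("10.10.0.0/16"),
    "pos": ip_network("10.20.30.0/24"),
}

# Constructed rules, assumed to be evaluated top-down, first match wins,
# with an implicit deny at the end. A port of None means "any port".
RULES = [
    {"id": 1, "action": "deny", "src": "192.168.50.0/24", "dst": "10.0.0.0/8", "port": None},
    {"id": 2, "action": "allow", "src": "10.10.5.0/24", "dst": "10.20.30.10/32", "port": 443},
    {"id": 3, "action": "allow", "src": "0.0.0.0/0", "dst": "10.20.30.0/24", "port": 3389},
    {"id": 4, "action": "allow", "src": "10.20.30.0/24", "dst": "0.0.0.0/0", "port": 443},
]


def _intersect(a, b):
    """CIDR blocks either nest or are disjoint: return the smaller one, or None."""
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def _shadowed(src, dst, port, earlier):
    """True if an earlier deny rule already blocks this whole src/dst/port slice."""
    for r in earlier:
        if r["action"] != "deny":
            continue
        if (src.subnet_of(ip_network(r["src"]))
                and dst.subnet_of(ip_network(r["dst"]))
                and r["port"] in (None, port)):
            return True
    return False


def find_pos_exposure(rules, zones, pos_zone="pos"):
    """Return (rule_id, source_zone, src_slice, dst_slice, port) for each path into POS."""
    findings = []
    pos = zones[pos_zone]
    for i, rule in enumerate(rules):
        if rule["action"] != "allow":
            continue
        dst = _intersect(ip_network(rule["dst"]), pos)
        if dst is None:
            continue  # rule does not touch the POS segment
        for name, net in zones.items():
            if name == pos_zone:
                continue  # traffic that stays inside the POS zone is out of scope
            src = _intersect(ip_network(rule["src"]), net)
            if src is None or _shadowed(src, dst, rule["port"], rules[:i]):
                continue
            findings.append((rule["id"], name, str(src), str(dst), rule["port"]))
    return findings


if __name__ == "__main__":
    for finding in find_pos_exposure(RULES, ZONES):
        print("path into POS segment:", finding)
```

Each finding is a path that, following the step above, should either be removed or placed behind multifactor authentication.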

5. Always Purchase POS Systems from Reputable Dealers

Retailers and restaurants have extremely thin profit margins, and the individually franchised restaurants that are popular in the fast-food industry tend to operate on particularly tight budgets. As the industry automates for the first time, it may be tempting for these small operators to seek out the best “deal” on self-checkout systems – but a POS system purchased from a manufacturer who turns out to be fraudulent is no “deal” at all, and it could result in financial ruin for that location. POS systems should be purchased only from known, reputable dealers, and if a “deal” on a system seems too good to be true, it probably is.

POS system security requires expertise in both information security and PCI DSS compliance, the latter of which is mandatory for any organization that processes, stores, or transmits cardholder data. Retailers and restaurants that do not have sufficient in-house IT staff to handle data security and PCI DSS compliance should partner with an MSSP to ensure that their POS systems are both safe and compliant. MSSPs are flexible and can tailor their solutions to fit each company’s needs, from remote monitoring to on-site security staff, either in conjunction with existing staff or on their own.

Automation has lowered labor costs and improved efficiency and the customer experience in the retail industry – and will do so in the restaurant industry – but the security of POS technology should not be disregarded. As POS data breaches continue to multiply, and especially as large fast-food chains plan to install brand-new ordering kiosks at a rapid pace, retailers and restaurants need to take proactive steps to protect their customers’ card data – and themselves from lawsuits, government penalties, and reputation damage.

Source: http://www.chainstoreage.com/article/five-ways-prevent-data-hacks-point-sale


It’s not only large companies that face cyberattacks – there are affordable steps small companies can take to protect their business data and IT systems.

You can’t assume that your small business is not a target for hackers. As many as three-quarters of smaller businesses are at risk, according to the latest Government Security Breaches Survey, with the worst breaches costing up to £300,000.

Small companies face attack from multiple angles. “Like [larger] enterprises, they face targeted attackers who are interested in intellectual property and other confidential data, as well as using smaller organisations as a way into larger ones,” says David Emm, principal security researcher at Kaspersky Lab. “And like consumers, they face random, speculative attacks that make up the bulk of the threat landscape and are distributed indiscriminately by cybercriminals.”

That’s problematic for SMEs, which are less likely to have a dedicated IT department staffed with security professionals. “SMEs typically don’t allocate resources to cyber security, and they allocate very few resources to IT,” says Andy Patel, senior manager for technology outreach at F-Secure. “This leaves them open to attack in a variety of ways. A cyber security incident is likely to cost an SME proportionally more to recover from than a well-prepared company.”

Improving the security situation at your small business doesn’t need to be expensive, and it could well save you money in the long run. We asked experts across the security industry for their tips on how small businesses can stay secure without breaking the bank.

Adopt two-factor authentication

Take security into your own hands and enable two-factor authentication on any service or device used by the company for email accounts, social media feeds or more sensitive systems. Anyone using these accounts will need an extra credential to gain access from a new device, or to change profile settings, which stops hackers from breaking in even if passwords are leaked.

“Multi-factor authentication reduces the risk of a compromise, since a password alone is not enough to gain access to an online account,” says Mr Emm. “At the very least, multi-factor authentication should be mandatory for changes to account settings.” He adds that it’s essential for companies to shut down accounts, or change login credentials, when someone leaves employment.

Two-factor authentication does add steps to employees’ login procedures, so avoid frustrating them by taking it one step at a time. “Start with the critical accounts and scale up from there as it becomes a habit,” advises F-Secure security advisor Sean Sullivan.

Get smart with email

Email is a weak point for smaller enterprises, with criminals targeting companies with malware via phishing attacks. This is where an email is crafted to look like it’s coming from a trusted source, such as a supplier or bank, but is loaded with dodgy attachments or links to malicious pages, says Trustwave’s threat intelligence manager, Karl Sigler. “Our research has found that the vast majority of companies have been targeted with a phishing attack at least once over the past year, and the number is set to increase over the next 18 to 24 months.”

Phishing messages can be sent to any email address at random, but clever hackers can also use information gleaned online – from social networks, data breaches, or even your company website – to make attacks more effective (a trick called spear phishing).

To avoid becoming a victim, Mr Patel says staff should be trained to pay attention when reading an unexpected email. “Check the sender address carefully. Don’t open attachments you weren’t expecting. If you’re unsure, ask the sender. Be suspicious of certain file types – most people don’t use zip files nowadays. If you are asked to ‘enable content’ on an office document, don’t.”

Mr Sullivan takes a different approach. “Almost everybody can spot phishing during training,” he says. “Phishing works when people are distracted – and people are distracted by tools they don’t use well. Pay for productivity training and you will end up with better email hygiene.”

Avoid ransomware threats – and don’t pay up

Ransomware is where hackers gain control of your data, encrypt it and demand a payment to hand over the key. Research by Kaspersky Lab found that 49pc of SMEs believed such “crypto-malware” was one of the most serious threats they faced, with two-thirds of SMEs reporting complete or partial data loss from such attacks.

To mitigate the threat, follow the email security tips above, as malicious messages are a common delivery method for crypto-malware, says Mr Emm. Also ensure your company has up-to-date, secure backups, so you aren’t forced to pay criminals to get your data back.

Beyond these steps, control access to files to those who need them, to help limit the spread of malware, and ensure staff don’t have administrator rights, as that makes it easier for malware to spread more widely across your network.

If you don’t have a backup, should you pay the demand? Mr Sigler says: “We would advise against paying the ransom as there’s no reason for the attacker to keep their promise and restore the system. Communicating with cyber criminals also provides them with more information, such as IP or email addresses, which can be used in future attacks – very likely if a company is willing to pay up.”

Undertake regular assessments

It’s an industry cliché, but the weakest link in any network is the people – and this applies to company leaders, as well as the IT department. “Security assessments should not be treated as a one-time event. It’s vital to perform regular testing to keep track of the fast-moving security landscape, especially if the business expands or implements new technology,” notes Mr Sigler, adding that Trustwave research revealed that one in five companies hadn’t done any testing in the past six months, “leaving them blind to new vulnerabilities and threats”.

So, what new threats are looming on the horizon? Kaspersky’s Mr Emm warns SMEs to keep an eye on the Internet of Things (IoT), which includes everything from smart CCTV cameras to connected children’s toys. “The IoT is bringing not only risks to privacy, but also the danger that connected devices will be used as a weak link to gain access to other systems,” he warns. Perhaps think twice before buying that web-connected coffee machine for the office kitchen.

Source: http://www.telegraph.co.uk/connect/small-business/business-solutions/how-to-improve-your-cybersecurity/


Using the internet to make payments to utility, phone, credit card, insurance and other companies saves considerable time and effort. It is also a simple and convenient way to contribute to charity either directly or sponsoring participants in money-raising activities. There are, however, risks associated with online payments and you need to take care when making them.

The Risks

  • Fraud resulting from making payments over unsecured web pages.
  • Emails directing you to fake websites set up to collect your payment card details.

Safe Payments

Online payments are normally part of your arrangement with a service provider as an alternative to payment by Direct Debit or cheque. In most cases, therefore, the payee will be familiar to you, but you must take care to ensure that you are on the provider’s genuine site.

  • Remember that paying by credit card offers greater protection against fraud than with other methods.
  • Double check all details of your payment before confirming.
  • Before entering payment details on a website, ensure that the link is secure, in three ways:
    • There should be a padlock symbol in the browser window frame, which appears when you attempt to log in or register. Be sure that the padlock is not on the page itself … this will probably indicate a fraudulent site.
    • The web address should begin with ‘https://’. The ‘s’ stands for ‘secure’.
    • If using the latest version of your browser, the address bar or the name of the site owner will turn green.
  • When making a payment to an individual use a secure payment site – never transfer the money directly into their bank account.
  • Check the website’s privacy policy.
  • Always log out of sites into which you have logged in or registered details. Simply closing your browser is not enough to ensure privacy.
  • Keep receipts – electronic or otherwise.
  • Check credit card and bank statements carefully after payment to ensure that the correct amount has been debited, and also that no fraud has taken place as a result of the transaction.
  • Ensure you have effective and updated antivirus/antispyware software and firewall running before you go online.

Source: https://www.getsafeonline.org/shopping-banking/online-payments/


Thanks to the ever-growing reliance on computers and the Internet, Internet fraud has been an increasing concern for civilians and law-enforcement agencies. Because tracking hackers is difficult and catching Internet frauds is even more challenging, the best protection is to avoid fraud attempts. The first part of sidestepping identity theft, viruses and other intrusions is being able to identify fraud when you see it.

Internet Auction Fraud and Non-Delivery of Merchandise

Internet auction fraud is a prevalent scam that targets consumers on auction websites such as eBay. Typically, this scam will consist of someone posting a product for sale on an auction site to “sell” the product to the highest bidder. The product, however, is either nonexistent or not the product described on the auction site. Scammers will try to collect the full funds from the winning bidder before shipping the product. This is typically facilitated via a money wire transfer, and the seller will ask for funds to be sent to a third party. In the instances where scammers ship a product to the buyer, the scammer will send a product of vastly lower value than what was purchased. The shipment will need to be signed for, which obligates the buyer to pay in full for the product, even though it isn’t the promised item. This is known as the Non-Delivery of Merchandise scam.

Spam and Identity Theft

Spam is implicated in a common form of fraud, in which bulk emails are dispersed to millions of email addresses in an effort to corrupt people’s computers, steal identities or pull unknowing individuals into paying for fraudulent products or services. A spam message will offer any number of false dealings to recipients. Popular offerings include low-interest loans, free credit report checks, sweepstake winnings and relationships with “local” singles. These types of scams require people to open a message and click on a link. This opens up the computer to a virus, worm or other “bug” that will corrupt the computer. In cases of identity theft, the bug will attempt to retrieve passwords, Social Security numbers, credit card information, home addresses and telephone numbers. Other bugs will embed themselves in the computer’s registry and damage system performance.

Credit Card Fraud

This scam requests that a consumer registers or inputs credit card information on a fraudulent website. The site may sell products or services. When a reputable, trustworthy vendor asks for credit card information, it won’t save the data without user permission and will take steps to keep user information safe. Fraudulent sites will ask for the same information as does a reputable site, but will steal the information and make purchases using the data the credit card owner gave to the website.

Forms of Investment Fraud

Various investment schemes typically target stock investors, trying to steal money and investors’ identities. Some of these scams will come in the form of an online newsletter. In these newsletters, frauds will offer inside information on stocks, for a fee, and offer false data instead of real information. Online bulletin boards have also become a hotbed of fraudulent activity. Companies often use online bulletin boards to publish information; however, a bogus board will release disinformation. A pump and dump scheme can start with a fraudulent newsletter or bulletin board where secret or private information is offered. The object of this scheme is to alter stock values. After effectively hindering a stock, the schemer will sell his or her own stock in a timely fashion for personal gain.

Source: http://smallbusiness.chron.com/types-internet-fraud-work-61078.html