Experts
and investigators have found that it is easier to conduct an online
transaction on international websites without a request being made for a
one-time password (OTP), leaving customers using credit cards
vulnerable.
The experts said fraudsters only need the 16-digit card number, the card's expiry date and CVV number to make online payments on those sites. "The fraudulent transactions are found in all cases from abroad. Card-holders have to take adequate security measures not to use international services and adopt ways to make safe payments at hotels or fuel stations, from where card data is stolen," a private bank spokesperson said.
Cyber expert Vijay Mukhi was in Dubai on May 10, when he noticed that the payment for his hotel stay through his card was without any OTP. "When I made my hotel bookings using my credit card from India, no OTP was generated. Amazon US also does not use an OTP for credit cards. The use of OTP is an Indian invention. No big foreign firm uses it as it puts consumers off. Nobody wants to wait for an SMS. All over the world, cyber crime is handled more intelligently than in India. The Reserve Bank of India should ensure we swipe our cards ourselves and make IP address tracking more robust," said Mukhi.
"There are international websites which still allow transactions using credit card number, expiry date and CVV. So, OTP or iPIN can be bypassed," cyber lawyer Vicky Shah told TOI. "Normally, the OTP is a safe and secure authentication. Credit card usage and mechanisms are similar nationally and internationally. A customer who uses a credit card has to ask for an OTP. "Many banks have implemented compulsory OTP or iPIN (Internet pin) for cards used to purchase or conduct transactions online from Indian websites or payment gateways," said Shah.
He said some Indian sites allow transactions with card details, expiry date and no CVV or OTP, like SBI Maestro. Cards used on international sites without OTP will always be a challenge. Unless it's implemented and made mandatory, we will continue to see such offences. "Cops can investigate only if banks provide logs. If the IP address is from a foreign server, cops cannot do much. Instead, banks should coordinate with other banks or merchants, and get details," he said.
"The database of credit card-holders is available for sale and is bartered online. No PIN is required while conducting international transactions," cyber advocate Prashant Mali said. "I pay all my hotel bills via the same mode, sending them a scanned copy of my credit card from front and behind. The best thing is when you end your international tour, you tell the bank to issue a new card. Cops can track the accused only if KYC from banks is proper. If the money involved is little, the police and bank do not cooperate," said Mali.
The experts said fraudsters only need the 16-digit card number, the card's expiry date and CVV number to make online payments on those sites. "The fraudulent transactions are found in all cases from abroad. Card-holders have to take adequate security measures not to use international services and adopt ways to make safe payments at hotels or fuel stations, from where card data is stolen," a private bank spokesperson said.
Cyber expert Vijay Mukhi was in Dubai on May 10, when he noticed that the payment for his hotel stay through his card was without any OTP. "When I made my hotel bookings using my credit card from India, no OTP was generated. Amazon US also does not use an OTP for credit cards. The use of OTP is an Indian invention. No big foreign firm uses it as it puts consumers off. Nobody wants to wait for an SMS. All over the world, cyber crime is handled more intelligently than in India. The Reserve Bank of India should ensure we swipe our cards ourselves and make IP address tracking more robust," said Mukhi.
"There are international websites which still allow transactions using credit card number, expiry date and CVV. So, OTP or iPIN can be bypassed," cyber lawyer Vicky Shah told TOI. "Normally, the OTP is a safe and secure authentication. Credit card usage and mechanisms are similar nationally and internationally. A customer who uses a credit card has to ask for an OTP. "Many banks have implemented compulsory OTP or iPIN (Internet pin) for cards used to purchase or conduct transactions online from Indian websites or payment gateways," said Shah.
He said some Indian sites allow transactions with card details, expiry date and no CVV or OTP, like SBI Maestro. Cards used on international sites without OTP will always be a challenge. Unless it's implemented and made mandatory, we will continue to see such offences. "Cops can investigate only if banks provide logs. If the IP address is from a foreign server, cops cannot do much. Instead, banks should coordinate with other banks or merchants, and get details," he said.
"The database of credit card-holders is available for sale and is bartered online. No PIN is required while conducting international transactions," cyber advocate Prashant Mali said. "I pay all my hotel bills via the same mode, sending them a scanned copy of my credit card from front and behind. The best thing is when you end your international tour, you tell the bank to issue a new card. Cops can track the accused only if KYC from banks is proper. If the money involved is little, the police and bank do not cooperate," said Mali.
Comments
Post a Comment