November 2012 Issue

The 'Newsletter on Financial Fraud' from CustomerXPs is your monthly insight into the various new fraud types and methods used by fraudsters globally in the banking space.

This will help you stay abreast of all the latest happenings in the banking fraud space.

Fraudsters crack much touted 'Chip and Pin' card format

Fraudsters have managed to crack the much touted European 'Chip and Pin' card format, raising new doubts about the effectiveness of the system. An HSBC bank customer from the Spanish island of Mallorca became a victim of this kind of fraud when, within hours of his being pick-pocketed, his credit card was used in 5 different ATM withdrawals despite the thieves having no way of knowing his Personal Identification Number (PIN).

The Method:

The fraudsters first steal the wallet of a customer and then use the credit card in different ATMs to withdraw huge amounts of cash. They are able to withdraw this despite not having any clue about the PIN of the card. The 'Chip and Pin' software stored inside POS machines and ATMs is supposed to create an unpredictable number (UN) to authenticate each transaction, and the fraudsters are using a technique to predict this UN to clone the chip and withdraw the money.

Most UN-generating equipment creates the UNs by borrowing data from dates and timestamps, which makes the unpredictable numbers less unpredictable, and the fraudsters cash in on this. In what's called a "pre-play" attack, executed by infecting an ATM or point-of-sale machine with malware or some other method, criminals were able to predict these numbers, gain momentary access to the chip on the customer's card and compute the authorization codes needed to draw cash from that ATM. This fraud comes as a blow to the banks, who had considered 'Chip and Pin' to be almost foolproof. However, it is true that 'Chip and Pin' cards are much safer than normal cards.

Source: NBC News
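The weakness described above, a UN built from dates and timestamps, can be checked for from the acquirer or terminal-owner side by auditing the UNs a terminal has logged. The following is an added example, not part of the original newsletter or any vendor product; the log layout, thresholds and sample values are constructed, and the only EMV fact relied on is that the UN is a 4-byte field.

```python
# Added example: audit logged EMV unpredictable numbers (UNs) from one terminal.
# Log layout, thresholds and sample values are constructed for illustration.

def audit_uns(records, min_varying_bits=24):
    """records: time-ordered (epoch_seconds, un) pairs; un is the 4-byte UN as int.
    Returns {finding_code: detail}; an empty dict means no weakness was seen."""
    findings = {}
    uns = [un for _, un in records]
    if len(uns) < 3:
        return {"too-few-samples": f"{len(uns)} records"}
    # Bits that never change across the sample contribute no unpredictability.
    varying = 0
    for un in uns[1:]:
        varying |= un ^ uns[0]
    n_varying = bin(varying).count("1")
    if n_varying < min_varying_bits:
        findings["stuck-bits"] = f"only {n_varying} of 32 bits ever change"
    # A counter or clock reading only ever moves forward, in small steps.
    deltas = [(b - a) % 2**32 for a, b in zip(uns, uns[1:])]
    if all(0 < d < 2**16 for d in deltas):
        findings["small-forward-steps"] = f"steps {deltas}"
    # A UN that is the timestamp plus a constant is fully determined by the clock.
    if len({(un - ts) % 2**32 for ts, un in records}) == 1:
        findings["clock-offset"] = "UN minus timestamp is constant"
    # Each transaction needs a fresh value; repeats show the generator is not random.
    if len(set(uns)) < len(uns):
        findings["repeated-value"] = f"{len(uns) - len(set(uns))} repeats"
    return findings

# Constructed sample: UN derived directly from the terminal clock.
WEAK_LOG = [(1351756800 + t, 0x5A3C0011 + t) for t in (0, 1, 3, 6, 10)]
# Constructed sample: values with no visible structure.
HEALTHY_LOG = list(zip(
    (1351756800, 1351756801, 1351756803, 1351756806, 1351756810),
    (0x9F1C44E2, 0x13A7B05D, 0xE4582B91, 0x6A0DF73C, 0xC7E3198A)))

if __name__ == "__main__":
    for name, log in (("weak", WEAK_LOG), ("healthy", HEALTHY_LOG)):
        print(name, audit_uns(log) or "no findings")
```

A clean result on a short sample does not show that a generator is sound; it only means none of these specific patterns appeared.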

Fraudsters using RBI as a disguise for Identity Theft

A recent e-mail issued by The Reserve Bank of India (RBI) warned the general public against fraudulent e-mails being sent out by unscrupulous entities in order to capture the account details of the customer. RBI said that no such e-mail had been sent out by them and that it does not have any e-mail ids ending with the extension which was used in the e-mails.

The Method:

As per the news article, an e-mail is being sent out to the general public from an e-mail id and is also signed by RBI online offering a new online security platform. According to the mail, the new online security platform offers to prevent online identity theft in Internet banking by asking the customer to go through a two-way authentication factor before he/she properly logs into Internet banking every time.

It also asks the user to download an attachment and update details through it. Once the user downloads the attachment and fills in details, the fraudsters have access to all the details they have been looking for, most probably resulting in identity theft. The general public has been advised to not open any such e-mail from RBI or try and download the attachment on the computer.

Source: RBI

Thousands of dollars siphoned off in Employee Fraud Case

A recent article described a case of employee fraud in which 3 men used their roles in the company to siphon off thousands of dollars from unsuspecting customers in a sophisticated scheme. The total came to nearly $54,000 from four customer accounts.

The Method:

An IT Manager with over 5 years' experience at a major bank in Australia used his role in the bank to access private customer details which he had no reason to view in his day to day role. Clients' personal and bank information was then passed on to an accomplice who was doing data entry at the same bank. He used the private data to reset customers' telephone passwords and raise their daily withdrawal limits, before ordering replacement cards to be shipped to new addresses.

All these addresses were empty properties listed for sale. The employees then collected the replacement cards from these addresses and withdrew a total of $54,000 from four different accounts. The bank managed to catch hold of the fraudsters when local police saw one of the fraudsters rummaging through the letter boxes of the empty houses. Surveillance of these houses then helped police catch the fraudsters and inform the bank about the theft. 
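The sequence in this case (telephone password reset, daily limit raise, replacement card sent to a new address) is something a bank can look for in its own account-maintenance audit trail before any cash is withdrawn. The following is an added example, not part of the original newsletter; the event names, record fields, 14-day window and sample log are all constructed.

```python
# Added example: flag the account-change sequence described above.
# Event names, fields, the 14-day window and the sample log are all constructed.
from datetime import datetime, timedelta

CHAIN = {"phone_password_reset", "daily_limit_raise", "replacement_card_new_address"}

def flag_accounts(events, window=timedelta(days=14)):
    """Return {account: sorted staff ids} for accounts where all three CHAIN
    events occur within `window` of each other."""
    by_account = {}
    for e in sorted(events, key=lambda e: e["time"]):
        if e["type"] in CHAIN:
            by_account.setdefault(e["account"], []).append(e)
    flagged = {}
    for account, evs in by_account.items():
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e["time"] - first["time"] <= window]
            if {e["type"] for e in in_window} == CHAIN:
                flagged[account] = sorted({e["staff"] for e in in_window})
                break
    return flagged

def staff_on_multiple(flagged, min_accounts=2):
    """Staff ids that appear in the flagged chain of several accounts."""
    counts = {}
    for staff_ids in flagged.values():
        for s in staff_ids:
            counts[s] = counts.get(s, 0) + 1
    return sorted(s for s, n in counts.items() if n >= min_accounts)

def _ev(day, account, kind, staff):
    return {"time": datetime(2012, 10, day), "account": account,
            "type": kind, "staff": staff}

SAMPLE = [  # constructed audit-trail events
    _ev(1, "A-1001", "phone_password_reset", "emp-17"),
    _ev(2, "A-1001", "daily_limit_raise", "emp-17"),
    _ev(3, "A-1001", "replacement_card_new_address", "emp-17"),
    _ev(4, "A-1002", "phone_password_reset", "emp-17"),
    _ev(4, "A-1002", "daily_limit_raise", "emp-17"),
    _ev(6, "A-1002", "replacement_card_new_address", "emp-17"),
    _ev(5, "A-2001", "daily_limit_raise", "emp-03"),  # ordinary single change
    _ev(1, "A-3001", "phone_password_reset", "emp-09"),
    _ev(28, "A-3001", "replacement_card_new_address", "emp-09"),  # no limit raise
]
```

Calling `staff_on_multiple(flag_accounts(SAMPLE))` narrows the flagged accounts to staff ids that recur across them, which is the point at which access logs for those employees are worth reviewing.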


New Identity Theft scam hits NatWest Bank

A new case of Identity Theft fraud hit NatWest Bank where fraudsters pretending to be from NatWest Bank were trying to steal customer information by sending out fraudulent e-mails. This e-mail was sent out to NatWest customers and originated from an e-mail id which represented the official NatWest mail id.

The Method:

NatWest clients would receive an e-mail from an id which closely resembled the official NatWest Bank mail id asking them to fill in a customer satisfaction survey. The e-mail would also promise a reward as bait, thereby drawing more customers into the trap. NatWest clients were told they had won a $100 gift certificate, which they would receive after completing a form.

Clicking on the link included in the message took the users to a phishing page that asked for usernames and passwords. By giving away their credentials, and then their banking and credit card details to receive the reward, clients would fall victim to credit card fraud or identity theft. To stay protected from such attacks, users have been advised not to click on any such links or enter their confidential details without verifying if it's a secure webpage of the financial institution.



©2018. CustomerXPs® Software