The region's reluctance to invest in credit security makes it an easy target for ID thieves and fraud. Plus, tips on how to protect yourself.
ID thieves seize on vulnerable market
Hisham Wynne did not notice the Dh8,000 charge to his credit card until he received his statement, but he knew he definitely could not have booked that trip to Zurich, Switzerland. The plane ticket was purchased from somewhere in Europe. The card, however, was with the 25-year-old writer and radio commentator in Dubai, where he lives.
He filed a complaint with the bank that issued the card, but seven days later it happened again - to his other credit card, from the same bank. It was another plane ticket to Zurich, this time for Dh7,000 and purchased from somewhere within the former Soviet bloc.
Mr Wynne never went to the police and never got his money back from the UK-based bank, whose local operations have since been bought by Abu Dhabi Commercial Bank.
His experiences are also not unique. Most of us know at least one person who has been a victim of credit-card fraud in the UAE. In 2008, a number of banks in the UAE stopped the use of their ATM, debit and credit cards abroad after a massive breach of the country's financial network.
The ubiquity of these stories probably contributes to the trepidation with which many in the UAE approach online shopping. A survey conducted last year by MasterCard said that 45 per cent of cardholders in the Emirates did not feel safe shopping online. Another, conducted by Visa in the same year, stated that 37 per cent were "extremely" or "very" concerned about fraud.
Mike Smith, Visa's head of risk management for Asia Pacific, Central Europe, the Middle East and Africa, wants to reassure customers that their perceptions of fraud are higher than the actual instances of it occurring.
With roughly 1.9 billion cards in circulation, Visa is the world's largest card payment provider. According to its records, cases of fraud have decreased globally for the past three years.
Mr Smith says credit-card fraud in the GCC has declined by 27 per cent, or from US$0.08 (29 fil) per $100 to $0.05 per $100. The average size of the fraud is also half of what it was only two years ago.
"As a region, the GCC, the rate of credit-card counterfeiting dropped between 2009 and 2010," says Mr Smith, who was in the UAE this month for the Visa Security Summit.
The UAE, however, seems to be bucking the regional and global trend. According to a study conducted by ACI Worldwide, a UK-based payment provider, Dubai ranks in the top five markets for risk to card holders. Last year, 28 per cent of respondents said they had been a victim of credit-card fraud, a year-on-year increase of 75 per cent. Between 2007 and 2008, the numbers of credit-card related fraud reported to the police doubled. The actual figures could be higher because many people, such as Mr Wynne, choose not to go to the police.
Mr Smith says a global standard of technology, known in the industry as EMV (Europay, MasterCard and Visa), which employs an integrated chip, has reduced card-related fraud "to almost zero". The technology, in which an electronic chip is embedded in a credit card, has become the norm in places such as Australia, Hong Kong, Europe and the UK, but is only just catching on here.
Only a handful of banks in the UAE are offering credit cards with EMV chips, but the Central Bank is looking at mandating the technology, as well as other security features to help protect consumers.
Similar to the chip technology is what is called "two-factor authentication" for online shopping. In many countries, when a customer purchases an item, they are taken to a second page and asked to enter a password and then a one-time code sent to the cardholder via SMS. Holders of foreign-issued cards, such as Visa and MasterCard, will be familiar with the terms "Verified by Visa" and "MasterCard SecureCode". This feature is nearly guaranteed to prevent the fraudulent use of stolen cards, but again it is only beginning to catch on in the Emirates.
If the technology is so effective, why, then, has it not been implemented everywhere? There is a reticence by merchants and banks to make the necessary investments, Mr Smith says. "It's an investment. A chip card does cost more than a pure magnetic stripe card."
The rise in chip-related transactions is on the rise, which is what Mr Smith attributes to the regional decrease in fraud related to counterfeit or stolen cards in the GCC. In 2009, banks in Bahrain began rolling out chipped credit cards after a mandate issued from that country's central bank.
E-commerce, however, remains largely devoid of these enhanced security features. "Two-factor authentication in this part of the world is on the relatively low side," Mr Smith says. "So we are seeing e-commerce fraud as becoming more prevalent. That's one of our challenges: to get two-factor authentication implemented around the world."
These technologies are, however, only a piece of the puzzle. Mr Smith says everyone must play their role. Between the time you swipe your card and the signature printout appears, a complicated procedure takes place. Your card number is sent from the terminal to a set of servers owned by a payment company. That information is then sent to your card issuer, which checks your available balance. If any of the links in the chain are compromised, the card information can be stolen.
The breach of the UAE's financial networks in 2008, which left many without access to their bank accounts and credit cards, occurred when a payment processor's system was compromised. Only this month, more than 360,000 credit cards issued by Citibank in the US were compromised by hackers who exploited a vulnerability in the company's online banking website.
According to Mr Smith, these sorts of attacks are constantly occurring and the fraudsters shift targets and regions depending on the vulnerabilities. He says everyone needs to be more proactive about eliminating risks to their credit cards. For the cardholders, it's about using "common sense". For the banks, the merchants, the regulators and payment processors, it means being proactive in implementing the latest technologies to protect their clients.
"In a perfect world, every card would be chipped and every transaction online would have some level of dynamic authentication," he says.
Visa launched a website to educate consumers about credit-card fraud. Its tips include:
Prevent online fraud by keeping current with your software and virus protection, create strong passwords, ignore e-mails from senders you don’t know. Use your pop-up blocker, download files only from sites you know, and sign up for e-mail or text “transaction alerts” from your bank to keep track of your purchases.
When travelling, tell your card issuer where you’re headed and for how long. Note card numbers, balances and issuer phone numbers and keep them in a safe place.
Stop retail or ATM fraud by reviewing receipts before you sign them and monitor your statements. Keep copies of ATM and sales receipts for your records. Be aware of your surroundings. Guard your PIN from fraudster “shoulder surfing” and report missing cards quickly.
Fight phishing by considering all e-mail requests for personal information to be suspicious. Do not respond to such e-mails or enter information on questionable websites. Check the legitimacy of the inquiry by contacting the number on the back of your credit card, and report any suspicious e-mails or websites to your financial institution.