Thursday, December 27, 2018

Card Frauds

Debit cards are the perfect plastic for a thief. Debit card fraud can be sophisticated or of the old-fashioned kind. Thieves use techniques including:

Hacking: When you bank or shop on public Wi-Fi networks, hackers can use keylogging software to capture everything 
you type, including your name, debit card account number and PIN.

Phishing: Emails can look like they’re from legitimate sources but actually be from scammers. If you click on an 
embedded link and enter your personal information, that data can go straight to criminals.

Skimming: Identity thieves can retrieve account data from your card’s magnetic stripe using a device called a skimmer, 
which they can stash in ATMs and store card readers. They can then use that data to produce counterfeit cards. 
EMV chip cards, which are replacing magnetic stripe cards, can reduce this risk.

Spying: Plain old spying is still going strong. Criminals can plant cameras near ATMs or simply look over your shoulder 
as you take out your card and enter your PIN. They can also pretend to be good Samaritans, offering to help you remove 
a stuck card from an ATM slot.

Fraudsters either steal your physical card by pick-pocketing or distraction theft, or clone your card by skimming.
Social media profiles expose full names, birthdays, addresses, parents' names and even pets' names. Fraudsters befriend you 
and work out the answers to your bank's security questions, so keep your privacy settings checked. Using stolen, discarded or fake documents, 
they open an account in someone else's name, then request changes to the account or ask for a new card to be issued.
Cards can also be stolen in transit between the card issuer and the cardholder.
Card details can be read from contactless cards.

Payment Processing via Payment Gateway

A payment gateway is a service that authenticates and processes the payment between customer and merchant. 
The payment process is as below:

1) Buyer selects the product and clicks the BUY button on desktop/mobile, initiating the payment from the merchant's 
   website, where user info is collected.
2) This info is sent to the Payment Gateway / Payment Aggregator.
3) The Payment Aggregator collects the card info on a secure server and passes it through its Acquiring Bank 
   (the payment aggregator's bank) to the card networks such as VISA, MasterCard, American Express etc.
4) The Card Network checks with the Issuing Bank (the customer's bank) whether the transaction can be authenticated. 
   If yes, the 3DS URL is sent to the customer, who fills in all the details for authentication.
5) If authenticated successfully, the consumer's account or card is debited by the Issuing Bank.
6) The Issuing Bank sends confirmation to the card network.
7) This is further notified to the Acquiring Bank and then to the payment aggregator.
8) The payment aggregator now sends a confirmation to the Merchant, who in turn informs the consumer.
9) The consumer is also notified by his bank (the Issuing Bank) about the transaction.
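The nine steps above as a runnable simulation, added here as example code (not from the original post and not any real gateway's API): the issuer's 3DS check is the authentication step and the debit is the authorization step, so a wrong OTP never reaches the debit, and the merchant only ever sees a masked card number. The card number, balance and OTP are constructed samples.

```python
from dataclasses import dataclass

@dataclass
class Card:
    pan: str      # constructed sample card number, not a real account
    balance: int  # available balance in the smallest currency unit
    otp: str      # the one-time code the issuer's 3DS page expects

def issuer_authenticate(card, supplied_otp):
    """Step 4: the 3DS check proves who the cardholder is; it moves no money."""
    return supplied_otp == card.otp

def issuer_authorize(card, amount):
    """Step 5: authorization, reached only after authentication succeeded."""
    if card.balance < amount:
        return False
    card.balance -= amount
    return True

def process_payment(card, amount, supplied_otp):
    """Walk the nine steps; return (status, list of 'sender->receiver: text')."""
    trace = []
    def log(s, r, text):
        trace.append(f"{s}->{r}: {text}")
    # Steps 1-2: the merchant collects the order and hands off to the aggregator.
    # It sees only a masked number; the full PAN is collected by the aggregator.
    masked = "*" * (len(card.pan) - 4) + card.pan[-4:]
    log("merchant", "aggregator", f"order amount={amount} card={masked}")
    # Step 3: the aggregator sends card data via its acquiring bank to the network.
    log("aggregator", "acquirer", f"auth request pan={card.pan}")
    log("acquirer", "network", f"auth request pan={card.pan}")
    # Step 4: the network asks the issuer, which challenges the customer on 3DS.
    log("network", "issuer", "can this transaction be authenticated?")
    log("issuer", "customer", "3DS challenge: enter OTP")
    if not issuer_authenticate(card, supplied_otp):
        log("issuer", "network", "authentication failed; nothing debited")
        return "DECLINED_AUTH", trace
    # Step 5: authenticated, so the issuer may now authorize and debit the card.
    if not issuer_authorize(card, amount):
        log("issuer", "network", "authenticated but insufficient funds")
        return "DECLINED_FUNDS", trace
    # Steps 6-9: confirmations flow back down the chain to merchant and customer.
    for s, r in [("issuer", "network"), ("network", "acquirer"),
                 ("acquirer", "aggregator"), ("aggregator", "merchant")]:
        log(s, r, "approved")
    log("merchant", "customer", "order confirmed")
    log("issuer", "customer", f"debit alert amount={amount}")
    return "APPROVED", trace
```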

Examples of payment gateways in India are: PAYU, RAZORPAY, CCAVENUE, TRAK N PAY, Citrus Pay, HDFC BANK PAYMENT GATEWAY, PayPal, AmazonPayments, BillDesk etc.

Authentication vs Authorization

Authentication:
Authentication is about validating your credentials, such as user name/user ID and password, to verify your identity. 
The system determines whether you are who you say you are using your credentials. In public and private networks, 
the system authenticates the user's identity via login passwords. Authentication is usually done with a username and 
password, sometimes in conjunction with additional authentication factors, which are the various ways a user can be 
authenticated. Authentication factors are the elements the system uses to verify one’s identity before 
granting access to anything, from opening a file to requesting a bank transaction. 
Sending users to the 3DS page is authentication.

Types of Authentication:
Single-Factor Authentication – The simplest authentication method, which relies on a single password to grant a user access 
to a website or a network. Example: username and password.

Two-Factor Authentication – A two-step verification process which requires not only a username and password but 
also something only the user knows, such as an ATM PIN, to add a further level of security. An OTP is also an added level 
of security. This also comes under multi-factor authentication. Examples: ATM card and PIN; 
static question and answers after a successful login/password. 

Multi-Factor Authentication – The most advanced method of authentication, which uses two or more levels of security from 
independent categories of authentication to grant a user access to the system. All the factors should be independent of 
each other to eliminate any vulnerability in the system. Financial organisations, banks and law enforcement agencies use 
multi-factor authentication to safeguard their data and applications from potential threats. Examples: username, password and 
OTP; username, password and biometrics (fingerprint or thumbprint, palm, handprint, retina, iris, voice and face); RSA SecurID/token. 
Sometimes the system sends a basic question with answer choices to the registered mobile, and login is allowed only once the user picks the right answer. 
A Personal Identity Verification (PIV) card is a smart card issued to employees or citizens. A smart card is a physical card that 
has an embedded integrated chip acting as a security token. Captcha, basic maths questions or picture puzzles along with username/password.


Authorization:
Authorization occurs after your identity has been successfully authenticated by the system, and it is what ultimately gives you permission to 
access resources such as information, files, databases, funds, locations, almost anything. Authorization determines what a user can 
and cannot access. Once your identity has been verified by the system through successful authentication, you are then authorized to access the 
resources of the system, such as debiting the card. Authorization comes only after successful authentication.

Other examples of Authentication:
    One of the most common methods of detecting a user’s location is via Internet Protocol (IP) addresses. For instance, suppose that 
    you use a service which has geolocation security checks. When you configure your account, you might say that you live in the 
    United States. If someone tries to log in to your account from an IP address located in Germany, the service will probably notify 
    you that a login attempt was made from a location different from yours. That is extremely useful for protecting your account 
    against hackers. IP addresses, however, are not the only information that can be used for the "somewhere you are" factor. It is 
    also possible to use Media Access Control (MAC) addresses. An organisation might set up its network so that only specific computers 
    can be used to log in (based on MAC addresses). If an employee tries to access the network from a different computer, 
    access will be denied. For example, Monzo Bank Ltd., a mobile-only bank based in the United Kingdom, uses geolocation to detect 
    possible payment fraud. If your last known location was, say, in France and then four minutes later your card is used in Japan, 
    that could be an indication that you are not in the same location as your card.
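The France-to-Japan scenario above as a detection check, added here as example code (not Monzo's or the post's own): it computes the speed the cardholder would have needed between consecutive card events and flags any pair above an assumed 1000 km/h ceiling. The coordinates, timestamps and threshold are constructed or assumed values.

```python
import math
from datetime import datetime

# Constructed sample card events: (ISO timestamp, latitude, longitude, label).
# Mirrors the post's scenario: a card used in France, then in Japan minutes later.
EVENTS = [
    ("2018-12-27T10:00:00", 48.8566, 2.3522, "Paris"),
    ("2018-12-27T10:04:00", 35.6762, 139.6503, "Tokyo"),
    ("2018-12-27T13:30:00", 35.6895, 139.6917, "Tokyo"),
]

# Assumed threshold: no airliner sustains 1000 km/h, so anything faster means
# the cardholder cannot physically have been at both places.
MAX_SPEED_KMH = 1000.0

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on a 6371 km sphere."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def implied_speed_kmh(prev, cur):
    """Speed the cardholder would have needed to get from prev to cur."""
    elapsed = datetime.fromisoformat(cur[0]) - datetime.fromisoformat(prev[0])
    hours = elapsed.total_seconds() / 3600
    dist = haversine_km(prev[1], prev[2], cur[1], cur[2])
    if hours <= 0:  # same-second events: any distance at all is impossible
        return float("inf") if dist > 0 else 0.0
    return dist / hours

def flag_impossible_travel(events, max_speed=MAX_SPEED_KMH):
    """Return (from_label, to_label, speed_kmh) for each consecutive pair of
    time-ordered events whose implied speed exceeds max_speed."""
    flagged = []
    ordered = sorted(events, key=lambda e: e[0])
    for prev, cur in zip(ordered, ordered[1:]):
        speed = implied_speed_kmh(prev, cur)
        if speed > max_speed:
            flagged.append((prev[3], cur[3], round(speed)))
    return flagged
```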

    Windows 8 users might know about a feature called Picture Password. This feature allows the user to set up gestures and touches on 
    a picture as a way to authenticate themselves. Even the HDFC net banking login asks you to enter a picture password in addition to login/password.