The popular websites we shop with every day are the “weakest link” exposing our credit and debit cards to hack attacks, industry experts have warned.
The Australian Payments Clearing Association (APCA) published new figures on Friday that confirmed the online world is increasingly the battlefield of choice for thieves, as tap-n-go slowly makes ATM skimming obsolete.
In the most recent financial year, ‘card not present’ fraud — where criminals steal the number and security code, not the plastic itself, and go on a shopping spree — increased by 24 per cent to $402 million, or just over three-quarters of all fraud on Australian cards, APCA reported.
Online shoppers are increasingly at risk as a result, APCA chief executive Dr Leila Fourie told The New Daily.
“It’s not a matter of getting more dangerous, but that more of us are shopping online — and as tighter measures are proving effective in combatting bricks and mortar retail fraud, fraudsters are moving online.”
This is nothing new. Many readers may have already fallen victim to the annoying process of cancelling compromised cards and nervously waiting for fraudulent credit transactions to be rescinded or stolen debit payments reimbursed.
What gets little attention is that the websites where we trustingly ‘checkout’ hundreds of dollars worth of goods could be exposing us to these attacks.
Rod Tasker, an internationally-recognised payments expert with more than 20 years’ experience, said merchants are the “real source of exposure”.
Hackers steal thousands of card numbers each year by creating computer programs that constantly attempt to guess the administrator passwords of the websites we shop with, Mr Tasker told The New Daily.
“It’s just a numbers game. As a hacker, you know that somewhere there will be somebody whose login is ‘admin’ and who uses ‘password’ as their password.
“If you start today and you create a bot that goes through every IP address throughout the world, this time next year you’ll probably have found a bunch of card numbers.”
There is no shortage of advice for online shoppers. Consumer group CHOICE has a handy guide, as does ASIC, the Commonwealth Bank, Bank Australia, and even the Queensland government, among many others.
Often overlooked is the fact that poorly protected merchant websites are one of the main vulnerabilities.
The root of the problem is retailers who capture and store credit and debit card details on their own web system, rather than ‘hosting’ a payment provider (such as PayPal) on their checkout page.
This was backed up by Eftpos, the Australian debit payments company. Its experts said they have refused to provide an online payment option because it has been too difficult to properly protect shoppers from fraud.
“Technology has not been sufficient to support Eftpos’ entrance while maintaining our key value proposition, which is security. But we’re looking for tactical ways of doing that,” Eftpos head of acceptance Lucy Anderson told The New Daily.
Basically, if you type out your card number when buying something, you’re doing it wrong.
How to bypass merchants
Samantha MacLeod, cyber security expert at ME bank, confirmed that online shoppers should never enter card information directly.
“Establish an account with the likes of PayPal. This will enable you to purchase from sites that have been verified and although you are using your credit card, you have purchase protection should anything go wrong,” Ms MacLeod told The New Daily.
While PayPal is one of the most popular, there is a growing number of services provided by trusted companies that bypass the potential insecurity of merchant websites.
These services allow the customer to save their credit or debit card details, and then enter a username and password to process the actual payment.
The Commonwealth Bank has also released CommBank Checkout, a similar service.
But take personal responsibility too
While he identified merchants as the “weakest link”, payments expert Rod Tasker was careful to note that our own “slack behaviour” also gets us into trouble.
There are many ways for criminals to steal card details that have nothing to do with online shopping, he said.
A thief might rifle through your trash looking for credit card statements. You might foolishly leave your logins and passwords saved on a phone or tablet that is later stolen. Or you might open a ‘phishing’ email that contains a virus.
ME’s cyber security expert Samantha MacLeod said card scams are “more common than ever” over the holiday season. Her advice was:
- Thoroughly research a website before buying from it. Look at the ‘about us’ or ‘contact us’ sections. Do they have a local phone number? Are they contactable? Do a quick search on them with important search criteria like “complaints”, “fraud”, “stolen” and “overcharged”, and read the reviews
- Don’t click on links in emails or SMS that claim to be from PayPal, your bank, or another business which may have your personal information. If you think that there is a chance it’s legitimate, go direct and enter the website details manually
- If shopping on a computer, make sure you have virus protection and that all software is up to date
- If you’re on a device, make sure you are using the latest operating system
- Use second-factor verification if your credit card provider or bank allows it. After every purchase, an email or SMS will pop up and ask: did you really just buy a bunch of lottery tickets in Moscow?
- Closely monitor your credit and debit card statements
- Use sites like the ACCC Scamwatch site to get hints and tips on how to identify fake web sites