Sunday, July 13, 2008

The Case of the Unscrupulous Bank Employee

The hesitance to transact online is largely based on the fear of online fraud.  That risk, however, is not unique to online transactions.  Just recently I heard (from a reliable insider source, of course) of a credit card fraud perpetrated by a bank employee.  The employee worked as a customer service representative in the bank’s credit card department.  As such, he had access to cardholders’ account and personal information and the authority to change it, ideally only when asked to by the client.  If you have a credit card and have called its customer service hotline at least once, you know that all they need to verify that you really are the cardholder is your birthday, billing address, last statement balance, the last three digits on the back of the card (the CVV), and so on.  In short, information that can easily be known to, or found by, people coming in and out of your home or office.  Information plus an unscrupulous employee plus insufficient controls equals a fraud waiting to happen.  The employee called the bank’s customer service line, pretended to be the cardholder, passed verification using information he had acquired as an employee, asked to have the billing address changed, had a supplementary card issued in his name (or, more likely, in a bogus identity), then asked that the credit limit be increased (although, allegedly, he raised the cardholder’s limit himself, since he had the authority to do so, to about a million pesos).  The supplementary card was delivered to the new billing address and the shopping began.  The employee knew the bank’s internal workings and made sure to call for authorization before each large purchase, so that the bank would not hold the transaction and phone the principal cardholder before approving it.
It was only about a month later, when the cardholder received his billing statement, that the fraud was discovered.  By then the employee was long gone, the credit limit was stretched to the hilt, and the bank was left to pacify a very angry client and absorb a considerable loss.

Fraud happens in any form – virtually or physically, internally or externally.  The fact that information is available through public channels does not by itself make it more susceptible to crime; any stored information is open to misuse or abuse.  Online insecurity is probably just an overblown fear, and it is a fear that equally exists in the physical world.  Businesses and institutions are constantly developing ways to improve the security of their databases and online divisions.  Visa, for example, has launched an online security program called Verified by Visa (as I discovered to my inconvenience, because apparently you can’t purchase online tickets from Philippine Airlines anymore unless your bank is enrolled in the program.  Unfortunately, the only bank in the Philippines enrolled is HSBC).  Verified by Visa gives you a PIN or password, separate from the three-digit code on the back of the card, to be used when purchasing online.  The program also provides a list of Visa-accredited online shops and offers a sort of fraud watch where cardholders can report internet fraud.  Yet, as in the case above, companies may have focused so much on disproving and fighting online insecurity that they overlooked the controls on their own operations and staff.  In the case of the bank, the employee was given too much authority without proper checks by his supervisor or by the system itself: the agent who took the call was able to change the address, issue a card and approve a large credit limit increase on the same account, with no second person involved.  The verification system was likewise flawed.  Knowledge-based questions (birthday, address, balance, CVV) are exactly the data an insider already holds, so passing them proves nothing when the caller is an employee.  It would have been appropriate to require the customer service representative to call the client back on the number already on file to authenticate the source of the request, and to hold any supplementary card or limit increase for a period after an address change.  When the security measure rests on such personal information, it should not be so easy to modify that information.
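To make “checks by the system itself” concrete, here is an added example (not from the original post, and not any bank’s actual system) of a small audit-log review that would have flagged this episode.  The account numbers, agent IDs, log format, 30-day window and the “large raise” threshold are all assumptions made for illustration; the log lines are constructed.  It flags an address change that was never confirmed out of band, a supplementary card issued soon after an address change, a credit limit increase approved by the same agent who performed it, and a large increase shortly after an address change.

```python
"""Added example: review a constructed card-servicing audit log for the
insider pattern described in the post.  Nothing here is a real bank's code."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log.  Fields: timestamp|account|agent|action|key=value;...
# ACCT-1001 mirrors the story; ACCT-2002 is a benign, properly handled case.
SAMPLE_LOG = """\
2008-05-02T10:12:00|ACCT-1001|agent-17|VERIFY_CALLER|method=kba
2008-05-02T10:14:00|ACCT-1001|agent-17|CHANGE_ADDRESS|confirmed=none
2008-05-02T10:20:00|ACCT-1001|agent-17|ISSUE_SUPP_CARD|ship_to=new_address
2008-05-03T09:05:00|ACCT-1001|agent-17|RAISE_LIMIT|from=100000;to=1000000;approver=agent-17
2008-05-20T15:40:00|ACCT-2002|agent-04|VERIFY_CALLER|method=kba
2008-05-20T15:45:00|ACCT-2002|agent-04|CHANGE_ADDRESS|confirmed=callback
2008-06-28T11:00:00|ACCT-2002|agent-09|RAISE_LIMIT|from=50000;to=60000;approver=agent-22
"""

WINDOW = timedelta(days=30)  # assumed: changes this close together are one episode
BIG_RAISE = 3.0              # assumed: limit multiplied by >= 3x counts as "large"


def parse_log(text):
    """Parse the pipe-delimited log into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, agent, action, detail = line.split("|", 4)
        fields = dict(kv.split("=", 1) for kv in detail.split(";") if kv)
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "agent": agent, "action": action, **fields})
    events.sort(key=lambda e: e["ts"])
    return events


def _recent(history, action, now):
    """True if an event of `action` happened on this account within WINDOW before `now`."""
    return any(h["action"] == action and now - h["ts"] <= WINDOW for h in history)


def _alert(alerts, event, rule):
    alerts.append({"account": event["account"], "agent": event["agent"],
                   "ts": event["ts"].isoformat(), "rule": rule})


def review(text):
    """Return a list of alerts, one per rule violation, in log order."""
    alerts = []
    history = defaultdict(list)  # per-account events seen so far
    for e in parse_log(text):
        seen = history[e["account"]]
        if e["action"] == "CHANGE_ADDRESS" and e.get("confirmed") != "callback":
            # Address changed on the strength of knowledge-based answers only.
            _alert(alerts, e, "unconfirmed_address_change")
        elif e["action"] == "ISSUE_SUPP_CARD" and _recent(seen, "CHANGE_ADDRESS", e["ts"]):
            # New plastic shipped shortly after the delivery address moved.
            _alert(alerts, e, "supp_card_after_address_change")
        elif e["action"] == "RAISE_LIMIT":
            if e.get("approver") == e["agent"]:
                # No separation of duties: the agent approved his own change.
                _alert(alerts, e, "self_approved_limit_raise")
            ratio = int(e["to"]) / int(e["from"])
            if ratio >= BIG_RAISE and _recent(seen, "CHANGE_ADDRESS", e["ts"]):
                _alert(alerts, e, "large_raise_after_address_change")
        seen.append(e)
    return alerts


if __name__ == "__main__":
    for a in review(SAMPLE_LOG):
        print(f"{a['ts']} {a['account']} {a['agent']} {a['rule']}")
```

Run stand-alone it prints four alerts, all on ACCT-1001, and nothing for ACCT-2002, whose address change was confirmed by callback and whose modest limit increase was approved by a different person outside the window.  In a real system these would be blocking checks at the point of change rather than after-the-fact alerts, but the rules are the same.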

Ironically, had the client used the online banking facility available to him and checked his account regularly (*cough* paranoid *cough*), he could have detected the fraud earlier.  The bank’s financial loss would have been smaller, and it could have conducted a quiet investigation before the culprit’s planned escape.
