If time permits, see the article below

+++++++++++++++++++++++++++++

It is a shame that we have the high level of ATM card fraud in Nigeria when most (if not all) of the fraudulent activities could be checkmated or prevented.

Truth be told, there is no where in the world that experiences the embarrassing high level of ATM card fraud simply because the implementation of the technology in Nigeria is characterized by ineptitude, lack of knowledgeable programmers and security experts that could guide and implement a secure transaction channel regardless of the level of education of the ATM card users.

Basically, all the entities involved in the ATM card business are to blame with varying degree of blame based on the contribution to the clearly avoidable mess we are in today as regards ATM card transactions and fraudulent practices.

These are the ATM gateway providers, the participating banks and the ATM card users themselves.

We need to understand the way the ATM card transactions currently run today so as to understand the inherent avoidable risks and loopholes that many people take advantage of to defraud ATM card holders through unauthorized withdrawals.

ATM withdrawals - Card holders are provided with ATM cards with unique numbers tied to the main account and a user changeable 4 digits PIN number. All that is needed to access one's account is the ATM card and the PIN number. So, anyone that has access to the ATM card and the PIN number automatically has access to your account and can effectively empty the account.

We hear that people can print (or clone) these ATM Cards with any existing card number and with the correct pin the newly cloned card can be used to access the same account. This is totally unacceptable because just a single extra security layer is all that is required to shut out any ATM cards that are not printed by the originating banks.

Online ATM payment - This is the most embarrassing implementation of an online payment gateway I have seen in the world. Just an ATM card number and a PIN number and I am ok to make payments online with ATM cards? This is a professional blunder that cannot be excused.

From Interswitch website - "WebPay - Provides the simplest and quickest method of integrating e-commerce websites to the InterSwitch payment platform".

Is it simple? Yes. Is it the quickest method? Probably yes. Is it safe? No.

The web is inherently an unsafe place. The web is full of sophisticated scammers that are aware of or even ahead of technologies that are used online.

I have a Mastercard and I cannot use this card to make online transactions without address verification - address that must match the address of the card holder as entered or recorded in the Mastercard account.

Some merchants may even request for shipping address verification and once there is a mismatch the transaction is aborted. Sure merchants like these may lose sales but not having to deal with fraudulent payments and maybe refunds and/or charge backs are enough for some merchants to stick to these options.

What this means in essence is that the ATM card we carry about in Nigeria is not well suited for online transactions. In fact, it should not be used for online transactions without address verification and an extra security layer that can make it impossible for anyone to use someone else's ATM card to make unauthorized payments online.

It is clear that the 2 major ATM card usage in Nigeria are implemented in an unsafe manner. I believe that the level of ATM card frauds in Nigeria is grossly under reported and the card providers seem to be at a loss as to what to do.

Technology can be used and abused. Every single IT related hardware comes with basic configuration to make installation and deployment easy for users. It is the duty and responsibility of the owner to implement security policies and features to lock down the hardware to prevent fraud, abuse and for audit purposes if need be especially when something goes wrong.

Now, it is time to indict those that are responsible for the problems

The payment gateway providers - By far this is where the major problem lies considering the fact that they provide the gateway for ATM card transactions in Nigeria without thinking through our unique environment that is far from a trust based society.

Regardless of the type of cards used for these ATMs an extra parameter like serial number of any ATM card printed could be used as an extra authentication parameter which would make it impossible for any cloned card to work if the correct naming scheme is employed in the generation of the serial numbers.

To a very large extent this will make it nearly impossible for one to use another person's ATM card without being in possession of the card as at the time of usage.

Then, the current practice of using these ATM cards for online transactions without any form of address verification should be stopped immediately and necessary changes made in the online transaction engine to make the process safer.

If not that our GSM operators are lagging behind even in GSM/VOIP gateway implementations based on current but stable standards and protocols a basic outbound initiated IVR calls could be implemented to call GSM numbers of the respective card holders to confirm transactions before flagging them off as successful transactions.

Randomly generated codes could be sent via SMS on a totally different channel (GSM) to achieve the same level of security by confirming transactions only when the cycle is complete.

The expertise necessary to update and/or implement these changes that will transform the ATM card transactions (whether done online or with the physical ATM) I believe is within the country. The work necessary to make these changes are not complex and won't take up to a month to initiate and complete.

The Banks - Why would Mr A who may never use a computer that is connected to the internet have an ATM card that could be used by a fraudulent person to make online purchases?

Why expose innocent card holders to the avoidable risks that they are neither aware of or interested in being aware of?

By default, all ATM cards should be disabled for online transactions. Only customers who explicitly request for activation of the feature should have the ability to use the card online.

Chances are that anyone wanting to use the card online would be literate enough to know or to be informed about the risks and dangers of using these cards online.

This will also reduce the number of potential targets for online scams based on compromised cards.

The ATM card user - This is where you get to see different types of people ranging from the innocent to the outright stupid and greedy people who end up being defrauded in their quest for easy wealth and winning bonuses for draws and competitions they never took part in.

Someone receives a text message informing him/her that he/she has just won N1M and should proceed to a website to enter information including ATM card number and PIN number. This person to begin with never entered for any draw but is eager to get the N1M and in the process is stupid enough to provide both the ATM card number and PIN number to an unknown person.

First things first, do these people even understand the essence of the PIN number? Why would someone that wants to credit your account ask for your ATM PIN number when the PIN number is only used when you want to take out money or make payments from the account?

While I agree that the banks and the payment gateway providers have a lot of work to do to make the ATM card transaction more secure the stupidity being exhibited by Nigerians as regards some of these social engineering based identity theft cannot be excused.

The way forward

Let the ATM payment gateway providers provide additional layers of security especially in the area of online transaction. Let the banks reduce the number of potential target cards by disabling the online card usage feature by default and enable them based on request. Let Nigerians stop being greedy and stupid especially when it has to do with claiming winnings and prizes for competitions and draws they never participated in.

Unfortunately, today it seems our blue chip organizations and even the GSM providers have turned to promotions, gambling and other schemes to make money and in the process have turned Nigerians into a people that wait for lucky draws and prizes to make money instead of using their God given brain, knowledge and talent to initiate and grow businesses that would provide services and products to people around them.

It is obvious that the rate of ATM card fraud went up as more and more promotions were introduced leading to the identity theft scheme that Nigerians have devised to steal money from ATM card holders.

While we are it, let us not forget the "insider". Most fraudulent activities could be facilitated by active or passive support by the employees of the payment gateway providers, the banks or even the ATM card users themselves.

So, while we complain about the embarrassing high level of ATM card frauds in Nigeria it is sad to note that indeed almost all the present risks and loopholes can be managed, mitigated and/or even eliminated if every single entity takes responsibility of its actions and do what is not only safe to do but what makes the most economic sense.
++++++++++++++++++++++++++++++


About the Author

Afam Nnaji is the Chief Technology Officer @ www.justwebservice.com