Friday, 13 January 2017

Beware your new RFID credit cards

Christmas 2016. My wife received a Christmas present on the 25th of December last year. Not quite the sort of present that you would expect on Christmas Day, though. We were just about to leave the Nandaka Vihara Buddhist meditation centre at Cherok Tokun on that day when she received a text message on her mobile at 1.48pm. Two minutes later, another text message came in.

Both SMS carried similar messages: that her credit card had been used for two transactions. Now, the problem was that her credit card was with her, in her purse. She told me about the messages which, at first, I dismissed as a scam message. Then she showed the messages to me and I became alarmed. These weren't scam messages; these were real notification messages from UOB Bank.

I asked her to telephone the Call Centre number on the back of her card. At 2pm, she spoke to one of the call centre staff there to report the incident and immediately, her card was stopped. When we got home, I deduced that the transactions had taken place at the Swissotel The Stamford and my wife decided to call the hotel in Singapore to alert them, even telling the hotel manager of the time that the transactions had taken place.

Not satisfied with these actions, she later called the bank's Call Centre again to seek assurance that her card had indeed been blocked. She also inquired whether a Police report should be made but was told that there wasn't a need for that. However two days later when she spoke to someone at Bank Negara Malaysia's branch in Penang, she was advised to lodge a Police report. So we had one done at the Perda Police station and with this report filed, she then emailed a formal written complaint to the UOB Bank's Customer Advocacy & Service Quality department, with carbon copies to Bank Negara Malaysia and, for good measure, the Consumer Association of Penang too.

Her parting words to UOB Bank's CASQ were, "I shall hope that you will commence investigation immediately to determine how my credit card account came to be debited with these two transactions. I am very concerned and wish to say here that I am not responsible, and shall not be responsible, for these transactions and will not be paying for them." Definitely. Why should she be paying for them when these fraudulent transactions were not made by her?

This was a new RFID-based credit card that she had received not too long ago. The activation of this card was made in September, I think, and since then, she hasn't been making much use of it, preferring to use another credit card that offered her more benefits. So, this card had remained mostly in her purse. How then could her credit card details be stolen? How could her credit card be duplicated or cloned and used physically? Aren't there security features on a credit card that can alert merchants if it is cloned? How do banks account for the unused cards in their possession? How can we safeguard our credit card details in future? During the process of delivering new credit cards to the cardholders, what steps have the banks taken to ensure that the courier service personnel are trustworthy? What sort of measures are there to protect consumers who are victims of fraudulent card usages? These are just a few of the more urgent questions that need to be addressed not only by us, the consumers, but also by the banks and the authorities.

Anyway, on Wednesday, UOB Bank telephoned my wife to inform her that the Swissotel in Singapore has not put in their claims for the two transactions. Presumably, based on my wife alerting them on Christmas Day itself, they might have already taken action on the person or persons who had tried to book themselves into the five-star hotel. I really hope so. And I hope the hotel had also reported the incident to the Police over there. Such fraudsters should be caught and put away.

As a footnote, I must add that one of my friends in Kuala Lumpur was also hit by this RFID credit card scam recently. Also, my son told me that one of his superiors in the company he's with was also affected. So apparently, my wife's was not an isolated case. We all have to take real good care of the credit and debit cards in our possession as these are now all RFID-based cards.

A second footnote: the Police constable at the Police station told my wife that this was the first such case that had come to her (that is, the constable's) notice. Perhaps victims have not been making reports to the Police. In my opinion, they should, because once more reports come in, the commercial crime division may be in a better position to pressure the banks to tighten up on their security measures, especially during the delivery process, which I suspect may be the weakest link.
