A Fraud tsunami
In the movie “The 13th Warrior”, the unwary protagonist, Ahmed Ibn Fadlan, travels with a trade caravan through the Volga steppes when a rider comes, screaming at the top of his lungs: “The Tatars are coming! The Tatars are coming! Run! Run for your lives!”
A certain degree of knowledge of the world of online fraud and its looming changes in Israel makes one feel inclined to issue an urgent word of warning to one's compatriots, roughly along the lines of the rider above. A tsunami of fraud is coming, and the country is, of course, ill-prepared.
There are two reasons for the upcoming sharp uptick in card payment fraud. One is the shift to online; the other is a threat from abroad.
Displacement by technology
Card payments in Israel have evolved towards replacing the legacy magnetic stripe technology with the newer chip and contactless methods. Consumers were repeatedly told to recall their PIN codes, which are now required for card-based payments in stores. And while the old way of payment is still supported, it will inevitably vanish.
While a bit less comfortable for the cardholder, the new method is far superior when it comes to security and fraud prevention. Despite multiple attempts to break or circumvent the technology, a chip card is virtually impossible to copy.
This means that fraudsters, who formerly stole magnetic stripe values to create counterfeit cards, will now shift to less secure channels, namely telephone and online payments. This happened in the past in the EU and Canada, to name a few, and is already happening here.
Of course, there are means to protect eCommerce – namely, the 3DS 2.0 protocol, which forces the cardholder to identify themselves by, for instance, a one-time code sent via SMS. And while this protocol is rarely implemented on Israeli websites, the payment providers will catch up with it very soon.
People at the center
This means that, inevitably, fraudsters will turn to social engineering, capitalizing on the sad truth that no amount of protection for the card will help if the owner willingly gives away security codes and one-time passwords. That means putting people at the center.
Now, the Israeli market is relatively small and predominantly Hebrew-speaking. This limits the quantity and the quality of “local talent” able to effectively execute electronic transaction fraud by social engineering: there is simply much more money to make elsewhere, in places like the United States or the United Kingdom. Still, the technology push out of the brick-and-mortar space will definitely drive up fraud in that segment.
However, Hebrew is not the only language that is widely spoken in Israel. There are, for instance, about 1.5 million Russian speakers, most of them native. And sadly, this cultural diversity gives cross-border fraud a way in.
In the former Soviet Union, especially in Russia, financial fraud based on social engineering is an established industry, turning over hundreds of millions of dollars every year. It is often operated from inside a prison (where, formally, no phones are allowed) and at the scale of entire scam call centers, including one run from Russia’s official Prison Number One in Moscow.
And while Russians, Ukrainians, and Belarusians are getting wiser and harder to fool, the eyes of these fraudsters turn to expat markets – and have dialed in on Israel.
Already there are reports of calls made from “security call centers” of card companies, asking to confirm the card number, the CVV, the one-time password – all the sensitive data that the card payment industry relies on to ensure the authenticity of the cardholder. And since people are trusting and unaware of the devious ways of criminals, these scams will be successful, drawing more and more crooks into action.
Be Ye Ready
Sadly, there are very few technological solutions for this type of attack. The only way to reliably prevent massive-scale fraud is to educate the cardholders, again and again, about which details they should never give away under any circumstances (PIN or one-time password from the text message) and which they should give only to a trusted merchant or agent (full card number, expiry date and the 3- or 4-digit CVV code).
It seems inevitable that educational campaigns on social media and TV will eventually become state-mandated if not state-supported. This, however, will take considerable time, which is another way of saying it will grant the perpetrators a window of opportunity.
In the meantime, the only thing we can do is increase awareness through the good old word of mouth. Warn your elderly relatives, your children, and your friends. Be wary yourself. Share this article. After all, praemonitus praemunitus.