White paper

Biometrics and the mitigation of card-related fraud

The Aadhaar scheme, primarily envisaged to provide every resident proof of identity, holds a great deal of promise for other applications as well. The banking sector, especially, stands to gain immensely from effective implementation of this project. The Aadhaar card, which will bear an individual's biometric data and serve as a unique ID, can potentially help mitigate a multitude of banking-related problems, such as identity theft and credit and debit card fraud, to name a few.

Facts and figures

The financial services sector, comprising banks, insurance companies and other non-banking financial companies (NBFCs), has always been vulnerable to fraud. By definition, bank fraud refers to the criminal offence of knowingly executing or attempting to execute a scheme or artifice to defraud a financial institution or to obtain property owned by or under the control of a financial institution by means of false or fraudulent pretenses, representations or promises. Data compiled by the Reserve Bank of India throws up astounding figures, pegging monetary losses due to credit card fraud at about INR 948.64 lakhs in the quarter ended December 2012, a massive increase over the INR 492.98 lakhs for the quarter ended September 2012. The corresponding number of fraud cases during the two quarters was 1,590 and 1,327 respectively.

Types of fraud

By and large, the most common types of fraud that an individual is susceptible to can be classified as Electronic Fraud, Identity Theft, Credit/Debit Card Fraud and Cheque Fraud. This paper will focus primarily on the whys and wherefores of credit and debit card-related fraud, ways to address them and most importantly, the means of prevention.

More on card-related fraud

The advent of credit and debit cards in India brought with it the attendant risks. Card-related fraud was initially limited to unauthorized usage of stolen or lost cards. As card usage gained popularity and prevalence, so did the incidence of fraud and the ingenious methods employed in its perpetration. Advancements in technology that aided banking processes were in turn used to swindle unsuspecting people. Today, perpetrators have a whole repertoire of card frauds. Card reading devices are used to capture electronic data from the magnetic stripe on the card, which is then used to create duplicates. This, in banking parlance, is referred to as skimming.
Oftentimes, hidden cameras or false Personal Identification Number (PIN) pads are used to obtain personal access codes for debit cards. Fraudsters also intercept cards being transported through courier and retrieve sensitive information pertaining to an individual's account and card details. Unscrupulous merchants may also use cards to replicate a transaction already carried out at their establishments. Information from the stolen card is used to place a request for a new card, resulting in identity theft.

Helpful tips to prevent card loss/fraud

With due care and common sense, the majority of credit/debit card frauds can be averted. The first thing to do upon receiving a card is to sign on the reverse side. Apart from being vigilant of their belongings at all times, cardholders need to be mindful of their surroundings while using their cards. At ATMs or merchant establishments, they should use their hand or body to shield the PIN from onlookers. They should keep an eye on the card and never let it out of sight. Upon completion of the transaction, they must double check that the card is safely back where it belongs.

It is also important to procure the transaction record and retain it for future reference. Timely verification of account balances with the billing statements can confirm that all transactions have been documented. Any discrepancies need to be addressed promptly. Lost cards or those left behind in the ATM should be reported without undue delay. Most banks have customer service help lines that can be contacted at any time of the day or night.

PINs should be committed to memory and never disclosed to anyone. It is advisable to choose a unique number entirely unconnected to other personal numbers such as one's telephone number, date of birth or the like. Telephonic or online transactions should be conducted with utmost care and credit/debit card numbers or other personal details should never be given away, unless when dealing with a trusted merchant.
Credit card statements should be scrutinized carefully and any unauthorized transactions should be intimated to the card issuer promptly within 30 days of receipt of the statement or any other time limit specified by the bank. Failure to do so would be deemed as agreement to pay the outstanding amount. It is therefore important to keep the bank and card issuer updated on current contact details.

What banks can do

While it is primarily the cardholders' responsibility to safeguard their cards, banks also need to take proactive measures to hedge their risk of contingent losses due to fraud and put in place an enhanced system of checks and balances. One such effort is the CBI's Bank Case Information System (BCIS), which will include the name of bank fraudsters. The database will be made accessible to field functionaries in the banking sector and will help banks to keep a check on the fraud committed by known fraudsters.

The UIDAI angle

Technology also plays a key role here by minimizing the incidence of card-related fraud. It is in this context that the Unique Identification Authority of India-implemented biometric identity card called Aadhaar can be used as an additional security layer for most card-based transactions.

Biometrics in banking

With this unique identity card set to become mandatory for opening of new bank accounts and eventually for all existing ones as well, card payment mechanisms can be tweaked to incorporate an individual's biometric data. For instance, at ATMs and card swiping machines, apart from the PIN, an individual's fingerprint and/or retina can be scanned before the transaction is completed. This ensures that the person in possession of the card is indeed its rightful owner. In case of any mismatch, the system can abort the transaction and raise a red flag in the form of a text message to the registered mobile number, so that the concerned individual can take appropriate action.

So as to tide over any technical snags in recognizing biometric data, there should be an override option whereby the cardholder receives a one-time password (OTP) in order to complete the transaction, as in the case of net banking. Successful completion of the transaction should, as always, be communicated to the account holder's registered mobile number.

To enhance this further, the system should always randomly prompt the fingerprint to be authenticated, with an option for the user to reset it X number of times (X to be decided by the banks), at which time the system should request another fingerprint to be verified. This would help avoid inconvenience to genuine users who, for various reasons such as an injured finger, might not be able to authenticate a particular biometric requirement, which would result in a mismatch and, consequently, a failed transaction.

Biometrics demystified

While on the topic of biometrics, it might be worthwhile to examine what exactly it means.
By definition, biometrics refers to an automated system that can identify an individual by measuring physical and behavioral uniqueness or patterns and comparing them to those on record. Biometric systems typically work with fingerprints, retina, DNA etc. With the unprecedented spurt in Internet-based businesses and the growing need for accurate verification of an individual's identity, biometrics presents itself as a simple and convenient solution. The various types of biometric technology available include facial and fingerprint identification, hand geometry, iris and retina recognition, DNA testing etc.

Benefits of biometrics in banking

The move to integrate biometric technology with the existing banking setup can prove to be extremely beneficial, despite major challenges in terms of upgrading systems and processes. The most obvious advantage would be the significant reduction in credit/debit card fraud. Unauthorized usage of cards can be mitigated as there would be a system in place to double check a person's identity. Such a system would also necessitate the presence of the cardholder at the time of transaction, thereby discouraging card theft. Thanks to the unique nature of the biometric parameters, which are impossible to forge, any attempt at card misuse would be effectively thwarted.

The road ahead

With the Aadhaar wheels set in motion and the entire project slated for completion in a couple of years, banks need to work hand-in-hand with the UIDAI to integrate the two entities to help create a safer banking environment. Besides creating huge monetary savings, this would also foster a feeling of security and trust towards banks and banking in general.

References

1. businesstoday.intoday.in/story/creditcard-fraud-tips-prevention-debitcard/1/22667.html
2. www.anz.com/personal/ways-bank/security/online-security/threatsbanking-safety/fraud-types/
3. www.indianexpress.com/news/creditcard-frauds-amounts-to-rs-948.64-lakhin-dec-quarter-govt/1083433/

Rekha Hansraj Thakkar
Senior Consultant, Product and Domain Consulting, Finacle, Infosys
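
The transaction flow proposed under "Biometrics in banking" (PIN, randomly prompted fingerprint with X retries and an alternate finger, OTP override, SMS notification), written out as decision logic. This is an added example and not part of the white paper; the callbacks `scan`, `otp_ok` and `sms`, the finger names, the limit of one alternate finger, and the choice to allow the OTP override only when every scan was unreadable are assumptions made here for illustration.

```python
import secrets
from enum import Enum

class Scan(Enum):
    MATCH = 1
    MISMATCH = 2
    UNREADABLE = 3  # technical snag: sensor could not capture a usable print

def authorize(pin_ok, enrolled, scan, otp_ok, max_tries, sms, rng=None):
    """Decide one card transaction. scan(finger) -> Scan and otp_ok() -> bool
    are hypothetical callbacks; sms(text) goes to the registered mobile."""
    if not pin_ok:
        sms("Declined: wrong PIN")
        return "DECLINE"
    rng = rng or secrets.SystemRandom()
    # The system, not the user, picks the finger; one alternate finger is
    # requested after max_tries (the paper's X) failures on the first.
    prompts = rng.sample(list(enrolled), k=min(2, len(enrolled)))
    saw_mismatch = False
    for finger in prompts:
        for _ in range(max_tries):
            result = scan(finger)
            if result is Scan.MATCH:
                sms("Transaction completed")
                return "APPROVE"
            saw_mismatch |= result is Scan.MISMATCH
    if saw_mismatch:
        # A readable print that does not match is treated as possible misuse.
        sms("ALERT: biometric mismatch, transaction aborted")
        return "DECLINE"
    # Every attempt was unreadable: OTP override for technical snags only.
    if otp_ok():
        sms("Transaction completed (OTP override)")
        return "APPROVE"
    sms("Declined: OTP not confirmed")
    return "DECLINE"

def demo():
    """Constructed scenarios; returns {name: (decision, sms_messages)}."""
    def run(scan, otp=False):
        out = []
        return authorize(True, ["left_index", "right_index"], scan,
                         lambda: otp, 3, out.append), out
    def injured(finger):  # one finger cannot be matched, the other can
        return Scan.MISMATCH if finger == "right_index" else Scan.MATCH
    return {
        "injured_finger": run(injured),
        "wrong_person": run(lambda f: Scan.MISMATCH, otp=True),
        "sensor_fault": run(lambda f: Scan.UNREADABLE, otp=True),
    }
```

In the `wrong_person` case the OTP callback is never consulted, so holding the registered phone does not bypass a readable but non-matching fingerprint.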

About Infosys Finacle

Infosys Finacle partners with banks to transform process, product and customer experience, arming them with accelerated innovation that is key to building tomorrow's bank.

For more information, contact finacleweb@infosys.com
www.infosys.com/finacle

© 2013 Infosys Limited, Bangalore, India. All Rights Reserved. Infosys believes the information in this document is accurate as of its publication date; such information is subject to change without notice. Infosys acknowledges the proprietary rights of other companies to the trademarks, product names and such other intellectual property rights mentioned in this document. Except as expressly permitted, neither this documentation nor any part of it may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, printing, photocopying, recording or otherwise, without the prior permission of Infosys Limited and/or any named intellectual property rights holders under this document.