In
Keyloggers: Why Banks Need Two-Factor Authentication I described how some banks in Asia use SMS-based one-time-passwords (OTP) to authenticate on-line transactions. I followed up with
The Magical ATM Card and SMS Message in Thailand where I described how one airline company in Thailand is fighting back against credit card fraud using an SMS PayCode coupled with an ATM transfer to pay for booked flights.
More and more banks in Asia are offering anti-fraud services for users where they receive receive an SMS message that details any change in their account balance and/or point-of-sale (POS) transaction with both debit and credit cards.
Some of the POS SMS notifications are so fast that when I present a VISA debit card to a merchant I normally will receive an SMS message detailing the transaction before the merchant returns for my signature. However, there remains an unfortunate lag in the SMS "balance change notification service," which is different than the POS SMS notification service, that often lags minutes to hours behind balance changes. I assume this is because of latency between the POS transaction and the corresponding change to the back-office account ledger because the latency appears longer during peak transaction periods.
As this story goes, I should have been using my local card with these anti-fraud services, and not by US-based card, a few weeks ago because my US-based VISA debit card was cloned sometime on or before August 8th. I am quite careful with my debit cards, so I was surprised the magnetic strip was cloned at a POS merchant. The fraudster made more than 7 fraudulent transactions beginning on August 8th for a total of over $2500 USD, mostly on August 11th. I discovered the fraudulent transactions only because I was viewing my account transaction history on-line.
The majority of the fraudulent transactions would not have occured if the US bank provided SMS-based transaction notification services to customers. The first transaction with my cloned VISA debit card was less than $50 USD (I assume the fraudster was “testing the water” so to speak). If I was using my more advanced VISA debit card with real-time POS notification services, I would have received an immediate SMS message detailing a POS transaction in Bangkok, when I was physically far away from Bangkok in Chiang Mai. I could have immediately called the bank (or logged in) and blocked the debit card, limiting potential losses to the bank or the merchant to one fraudulent transaction, not seven or more.
In addition, a few banks in Thailand also offer what they call a Web-Shopping VISA “card”, a virtual card, where you can go into your on-line account (verified by SMS OTP as mentioned in an earlier post) and request a VISA debit card number (with expiration date, CCV etc). You set the limit from 0 to as much as 15,000 USD per day; and you can login to your account and change this limit anytime (authenticating your change request with another SMS-based OTP). You can also block or cancel this virtual VISA card number anytime and apply for another one.
One of our most comment information security models for managing security threats and violations is "Detection, Prevention and Response." Providing real-time SMS-based notification services to financial services customers is a cost effective real-time detection and prevention technology that works.
In addition, there are many variations of using SMS messages and your cell phone for security, including authentication, authorization and detection. These cost effective security and anti-fraud services work quite well and I am a bit surprised that banks in the US (to my knowdege) do not (yet) provide these cost-effective security services to their customers. Please comment if you know of other banks with similar SMS-based security services.
Note: This post is a revised version of my earlier article,
Technology Tales from Thailand: KBank Fraud Management.
More...
08-30-2008
