The recent rise in cardholders losing money from their bank accounts has revealed security loopholes in the banking system, even though banks put the blame for card fraud on clients.
Online scams on the rise
Hoang Thi Na Huong, a Vietcombank ATM cardholder in Hanoi, last month lost VND 500 million (over USD 22,000) from her account overnight even though she did not make any transactions. Huong only got the bank’s notice of her account’s deficit the next morning, without receiving any OTP (one-time password) for the transactions either via SMS or the Vietcombank app on her smartphone as usual.
Vietcombank (Bank for Foreign Trade of Vietnam) stated this was not its security fault, saying the cardholder fell victim to a phishing attack, a kind of fraud in which attackers try to steal information such as login credentials or account information by impersonating an entity or a person in email, chat or another communication channel.
The bank said there was ground to believe that Huong had visited a malicious website where she provided all crucial information of her ATM account to the scammers.
According to Vietcombank, Huong followed a bogus website at https://creatingacreator.com/kob/1/index.htm using her mobile phone on July 28. She lost all the credentials of her bank account at this website which was still shown in the internet browsing history on her smartphone, the Tuoi Tre (Youth) online reported.
The scammers then accessed her account and transferred the money to many other accounts opened at three different banks in Vietnam, then withdrew VND 200 million via ATM in Malaysia. Vietcombank managed to freeze the remaining VND 300 million just in time.
Unfortunately, the case of Huong is not exceptional these days. The number of people losing tens of millions to billions of dong in their bank accounts has recently risen sharply.
Early this month, Hanh, a Vietcombank Visa debit card holder, lost over VND 22 million in four transactions about which she had no idea. In July, Nguyen Si Thanh, a DongA Bank client in Binh Duong province, was shocked to learn that over VND 70 million in his account had vanished into thin air, while over VND 120 million in his wife’s account at HDBank had also evaporated even though they made no transactions or withdrawals. Other cases involved a Ho Chi Minh City-based company which lost VND 26 billion from its VPBank (Vietnam Prosperity Joint Stock Commercial Bank) account and a VIP client of SCB (Saigon Joint Stock Commercial Bank) who claimed to have lost over VND 4 billion.
Clients conduct transactions at An Binh Bank’s Trung Yen branch, Hanoi. Photo: Tran Viet/VNA
Who is to blame?
In most cases, banks blamed clients’ carelessness, while saying their payment systems were safe given their increased investment in advanced security technologies.
A Vietcombank senior official told the online Vnexpress that clients’ loss of money was mostly due to their revealing card details to their relatives or other people.
Experts agreed that cardholders’ lack of vigilance in protecting their confidential information was to blame, but pointed out there must have been problems with the banks’ security systems, saying usernames and passwords were not enough to ensure complete safety.
A bank payment system could not be said to be safe when there were still accounts which lost money against their holders’ will, the experts said, pointing to security loopholes in Vietcombank’s payment system in the case of Huong, where she did not receive any OTP for the transactions made by the scammers.
Lawyer Truong Thanh Duc, chairman of the Members’ Council of Basico Law Company, said customers’ loss of money at Vietcombank or VPBank showed weaknesses of the banks’ security layers which failed to guarantee strict safety for customers. He stressed banks must be held responsible as their system’s lack of security put customers at risk.
Experts agreed a bank could not avoid liability when an incident occurred to a customer by simply saying the case was under police investigation. Banks often blamed customers so as to avoid compensation, though they actually had the responsibility to manage their clients’ money and keep it safe.
The experts remarked that banks’ investment in security for customers did not match their booming services in recent years, citing the number of scams growing along with the banks’ use of new technologies in payment services, including internet banking and card payment.
At present, only 30 percent of banks in Vietnam possessed a certificate of PCI DSS (Payment Card Industry Data Security Standard), which was created to increase controls around cardholder data to reduce credit card fraud, according to SCB General Director Vo Tan Hoang Van, who said the application of this standard would help find safety loopholes and weaknesses in the process of issuing and operating bank cards.
But banks were reluctant to apply this system as it required complex operation and qualified human resources at high cost.
In the race to lure clients, banks appeared to only stick to developing services and increasing utilities for card holders without paying adequate attention to their service quality, particularly security to protect clients’ money, the experts said.
Statistics showed that the number of bank card users and online payments in recent years recorded double-digit annual growth, but banks failed to provide sufficient information on account security for their customers.
The information customers often received from bank counselors when being offered bank accounts and cards was mostly about these services’ utilities and conveniences rather than about the skills and cautions needed to avoid card fraud. In most cases, cardholders had to learn security skills by themselves to protect their money, the experts said.
Banking experts also agreed the process for transactions between banks and clients was still lax, from opening accounts to comparing signatures and seals of account holders, citing a common practice that many VIP clients left all formalities to open accounts or withdraw money to their accountants or even bank staff to complete.
Solutions to be taken
To increase safety for customers, banks should tighten their OTP security by tracking the devices customers use to make online transactions, network security experts said. The system should be able to recognize that a user was making a transaction from a different smartphone or computer rather than the usual one, and ask him to confirm if he was actually the customer and not a hacker, the experts said, adding Google and Facebook always notified users whenever there was a sign-in from an unfamiliar device or location.
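The device check the experts describe could work as follows. This is an added example, not code from any bank or from the original article; the class, method names and status strings are hypothetical, and the device identifier is assumed to be one the banking app reports.

```python
import hashlib
import hmac

# Assumption: a server-side secret for keyed hashing of device identifiers,
# so raw identifiers are never stored. Constructed value for this example.
SERVER_KEY = b"example-key-not-for-production"


def fingerprint(device_id: str) -> str:
    """Keyed hash of the identifier the banking app reports for a device."""
    return hmac.new(SERVER_KEY, device_id.encode(), hashlib.sha256).hexdigest()


class DeviceRegistry:
    """Hypothetical per-customer store of devices the customer has confirmed."""

    def __init__(self):
        self._trusted = {}  # customer -> set of fingerprints
        self._pending = {}  # (customer, fingerprint) -> held amount
        self.alerts = []    # notices sent to the customer's usual channel

    def enroll(self, customer, device_id):
        self._trusted.setdefault(customer, set()).add(fingerprint(device_id))

    def is_known(self, customer, device_id):
        fp = fingerprint(device_id)
        return any(hmac.compare_digest(fp, k)
                   for k in self._trusted.get(customer, ()))

    def evaluate(self, customer, device_id, amount_vnd):
        """Decide how a transfer request proceeds, based on the device."""
        if self.is_known(customer, device_id):
            return "SEND_OTP"
        # Unfamiliar device: hold the transfer and alert the customer on the
        # usual channel instead of sending an OTP to the requesting device.
        self._pending[(customer, fingerprint(device_id))] = amount_vnd
        self.alerts.append(
            (customer, f"Transfer of VND {amount_vnd:,} requested from a new device"))
        return "HOLD_FOR_CONFIRMATION"

    def confirm(self, customer, device_id, approved):
        """The customer's answer releases or cancels a held transfer."""
        key = (customer, fingerprint(device_id))
        if key not in self._pending:
            return "NO_PENDING_REQUEST"
        del self._pending[key]
        if approved:
            self._trusted.setdefault(customer, set()).add(key[1])
            return "SEND_OTP"
        return "REJECTED"
```

The confirmation in `confirm` is assumed to arrive from a device or channel the customer already uses, not from the device being evaluated.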
Commercial banks should install anti-skimming devices and software at ATMs, the Department for Prevention and Control of Hi-tech Crimes suggested at a conference on security and safety in online and card payment held by the State Bank in Hanoi early this month.
The Department urged commercial banks to review and strictly follow online and card payment steps, stressing the need to require internet banking registration and certification directly at banks, not online, and increase certification layers and steps and other security solutions before payment transactions were made.
Addressing the conference, State Bank Deputy Governor Nguyen Kim Anh asked the State Bank’s Payment Department to study and issue local chip card standards for banks to change from magnetic cards.
The Deputy Governor instructed banks to review their operation processes, technology infrastructure and human resources of their payment and card payment systems for reporting to the State Bank in late October. He also ordered banks to regularly check and increase security devices for ATMs, such as camera, incident alert and theft prevention systems to detect illegally installed devices.
According to the State Bank, the number of bank cards issued nationwide hit over 107 million by the end of July, as compared with 32 million in 2010 and 2.7 million in 2005. (VLLF)