Beware! Your ATM’s CVV number can be used to defraud you

Beware! Your ATM’s CVV number can be used to defraud you

By Mohammed Dahiru Lawal

No doubt ATM debit and credit cards are very convenient methods of financial transactions. These cards have eliminated the need to visit the bank branch each time to withdraw cash. However, with this ease in transaction comes a rising case of card frauds and unauthorized transactions on the account of bank customers. 

Each of these cards has a card verification value (CVV) printed at the back or front of the card and with access to the cards’ CVV, full card number, customer name and expiry date, fraudsters can conveniently wipe out money from customers’ bank accounts by using the details to engage in online transactions with other retailers. 

Reported cases of this pattern have been on the rise lately, especially as we approach the bank fraud frenzy season – Christmas and New Year. 

Recently, a Kano based housewife lost over two hundred thousand naira to fraudsters by giving out her CVV and other card details. After disclosing her details, she was at the verge of disclosing her husband’s card details to the fraudulent callers who posed as bank officials when her husband returned home, thereby rescuing the situation. 

“They told me they were from our bank and they needed to do an upgrade on I and my husbands account but i have to furnish them with details of our ATM Card, so as soon as i gave out my card details they requested for my husband’s own, just as i was about to reel it out for them my husband returned and was baffled that i was holding his ATM card and was talking to someone on the phone,” Hauwa Sulaiman, a 34years old Housewife in Gandu Area of Kano told “A Karkada kunnuwa” a popular Hausa programme on Rahama Radio 97.3fm Kano, Monday Night. 

“As soon as i snatched the phone from her and attempted to speak to the callers at the other end, they hung up and just then, we started seeing debit alerts on her phone one after another to the tune of NGN240,000,” Mallam Sulaiman, Hauwa’s husband and a Kano based businessman explained further. 

Such cases are rampant and have dominated the airwaves recently, particularly in Kano. 

Understanding ATM, Debit and Credit Cards

An Automated Teller Machine (ATM) card is a payment card or dedicated payment card issued by a financial institution which enables a customer to access their financial accounts via its and others’ automated teller machines and to make approved points of purchase retail transactions. ATM cards are not credit cards or debit cards, though some ATM cards also function as debit cards, which may be used to make purchases online and at retail establishments. Such cards have visible Visa, Mastercard, Discover, or American Express logos, while Debit cards, also known as check cards, do everything ATM cards do but can also be used for purchases anywhere credit cards are accepted, including retail stores and online sites. The funds from these transactions are taken directly from your checking account. On the other hand, Credit Cards let you borrow from your credit card issuer. Funds do not come directly out of your checking account. You will have a loan balance for any advance you take that you must pay off at a later date. Since it’s a loan, your credit card comes with interest charges.

What is CVV?  

This is a three-digit (most commonly) or four-digit (on American Express cards) unique number printed on the card. This code is required to complete a transaction. Its purpose is to prove to the retailer that the customer has the card in his or her possession.

What is the CVV number used for?

All financial institutions that issue credit or debit cards have developed a system in which every card is provided with a unique CVV code. This code is required to complete any monetary transactions that are carried out with the card. CVV number is different from the PIN number which is like a password to complete card transactions. CVV number is present on the back side of your card on the magnetic strip. It verifies that the card is physically available with the individual using it during the transaction.

CVV Protects You against Fraud, but…

Debit and credit cards are mainly used for online transactions or for other virtual payment gateways. These portals are not allowed to save any information about the CVV number of the cardholder since it is against the Per Payment Card Industry Data Security Standards. Hence, even if the vendor has all the other details of your card, they cannot access the CVV. This makes it impossible for anyone to misuse your card information. So if there is a breach in the data security of the credit card issuing company, the CVV is not stored in the databases. This makes it impossible to use your credit card for transactions without the CVV. However, it is the same system that fraudsters can use to wipe out your account balance, but how? They steal your details through the following techniques: 

How Your CVV, Other Card Details Can Be Stolen

There are about four primary malware attacks against PCs designed to steal credit card details, including the CVV. These are phishing, infostealers, keyloggers, and browser insertion malware.

Phishing is based on the use of social engineering to persuade users to visit a malicious website. This can be via a disguised link in the email, a link to a look-alike but false website, or links embedded in an attachment. Once the user visits the fallacious website, further social engineering is used to persuade the victim to enter card details, which are captured and sent to the criminal.

Keyloggers comprise malware of varying sophistication that can watch for triggers (such as accessing a bank site or major retailer) and then capture the keys typed at the keyboard. Any card details are recognized, recorded, and sent to the criminal.

Infostealers are generally smash and grab raids. If a PC is infected, the malware scans the system and steals confidential data – including any payment details it can find. This can often be achieved in a matter of seconds. More persistent infostealers may also drop a keylogger for longer term activities.

Browser insertion malware will infiltrate the victim’s browser. It usually focuses on just one or two of the major national banks or major retailers. When it detects the user visiting one of these sites, it overlays its own copy of the bank’s login form or retailer’s payment details form. Data entered into these identical but false forms is captured and sent to the criminal. 

However, a very common technique used by the fraudsters use in Kano and most part of Nigeria; therefore, is Vishing which is the fraudulent practice of making phone calls or leaving voice messages purporting to be from reputable companies (mostly claims of being bank officials) in order to induce individuals to reveal personal information, such as bank details and credit card numbers.

But How Can We Stay Safe? 

Here are some tips for keeping this key three/four digits and other credit card details safe: 

Don’t share your number with people who call you. Don’t ever give your CVV number to someone who calls you, even if that person claims to be working with your card provider. Credit card companies and banks won’t call you and ask for this information. If someone does, it’s a scammer. Hang up.

Don’t fall for email phishing attempts. Never provide your ATM credit or debit card information, including your CVV code, to people who ask for it through emails. Scammers often send phishing emails to victims asking that they verify their credit card information to prevent shutdowns of their accounts. This, too, is a scam. Banks will never contact you online to ask for this information.

Often, these scam emails will ask you to click on a link. The page you land on will request that you enter your personal or financial information. Once you do, a scammer will have your information and can begin making purchases in your name.

Don’t send your ATM’s credit card or debit card information in an email. Sophisticated cybercriminals can scan your emails, looking for credit card numbers. Never send your credit or debit card numbers or CVV codes to anyone by email.

For PCs we need to use a good and up-to-date anti-virus product. That will detect and block most malwares. We need to be security-aware, to recognize and ignore phishing attempts. And we should keep our browser fully patched and/or consider using a more secure browser.

The researcher produced this information literacy article per the Dubawa 2021 Kwame Kari Kari Fellowship partnership with PRNigeria to facilitate the ethos of “truth” in journalism and enhance media literacy in the country.