As a result of the COVID-19 pandemic, “there was a 62% increase in shoppers over 60 years old. More than 170,000 adult New Zealanders shopped online for the first time during the first six months of 2020.” In this essay, I would like to dig a little bit deeper into the payment card security controls used in New Zealand from a victim’s point of view.
Recently, I suffered from a credit card scam, and thought about how this happened and how a similar situation could be prevented in the future. I have a habit of checking my credit card transactions via my bank’s mobile application regularly, the reason being that my payment card issuing bank (which is Bank of New Zealand) will never allow me to set text notifications to my registered mobile number whenever there is any transaction over a certain predefined amount. This was a little strange to me several years ago when I had newly migrated to New Zealand, as I had previously taken those instant transaction text notifications for granted.
On the night of November 27, 2020, I did my regular transaction checking via the banking mobile application, and found there were two surprising transactions with the merchant code of United Airlines, from which until now I have never purchased any flight tickets, services or goods. This charged me twice for NZD $1905.48 with the code reference USD130430 (I guess this implied that it was a foreign currency transaction of USD $1304.30). I called the bank’s 24-hour hotline to report this fraud case immediately. Another surprise came when the hotline officer told me he could not do anything, as the payment status at that time was shown as “PENDING” and the bank would only take action when the transactions were “STATEMENTED.” As a security consultant, I was thinking that this could imply that some other, more serious criminal activities may have been happening on top of this “simple” fraud, which could be linked to more serious criminal activities including irregular immigration, trafficking of human beings, drug smuggling and terrorism, according to what I remembered from an INTERPOL report published in 2019. The hotline officer was friendly and told me to calm down, telling me the bank would raise a dispute for the reported transactions in 30 calendar days, and that my current card would be suspended and a new replacement card would be delivered to me in five working days. He also reminded me that I still needed to pay for those transactions in the meantime.
Another surprise came the next morning when I received an email with the subject “Bank of New Zealand - Your BNZ Visa card has been added to Apple Pay”.
I did not have any knowledge of the card number suffix mentioned in the email, and I called the bank hotline again to try to understand what was happening. The officer told me that the card with an unknown suffix was my new card, and that customers’ Apple Pay or Google Pay will be automatically reconnected with the new card to minimize the inconvenience due to the absence of physical cards. I expressed my security concerns about such an arrangement, but she gently reminded me that the bank’s security is very advanced and there was nothing to be worried about. I tried my best to accept that and asked if it was possible to make sure Visa Secure would be enabled on my new card. The officer told me it is enabled by default, but the adoption of such a security feature is up to the merchants (from my personal online shopping experience in New Zealand, I have never encountered any Visa Secure checking when using my BNZ credit card). I then tried to clarify what the second factor of my Visa Secure checking would be, and the answer was another surprise: it will always be the last three digits of your access number, which is printed on the back of your credit card! That means the two required factors to authorize an online transaction for Visa Secure enabled merchants co-exist on the same medium, the credit card itself.
At the moment of writing, I still have no update from my card issuing bank.
I cannot change what happened, but I wanted to do something to prevent a similar situation happening in the future.
The mobile application of my card issuing bank provides some good functions to control the card security. For the time being, I always keep the online purchases and shopping overseas functions disabled and will only enable them right before the actual online shopping check-out, disabling them immediately after the online transaction is completed. This could be a good solution to protect yourself under the currently available security controls.
I also checked information regarding the implementation of 3D Secure Authentication (an additional layer of security to make online shopping transactions safer by authenticating a cardholder’s identity at the time of purchase; Visa Secure is one such implementation) from one of the common payment gateways used by many New Zealand merchants. Only ASB and Westpac merchants are required to enable this security feature.