Some 30,000 US credit cardholders have been fleeced but it could happen here, writes Laura Slattery
Consumers in the United States are recovering from the shock of what has been dubbed "every American's worst financial nightmare multiplied by tens of thousands of times" - a major credit card scam where passwords and codes for up to 30,000 cardholders were stolen.
It is not yet clear how many people had their bank accounts drained, credit cards hit with unauthorised charges, addresses changed and new credit cards opened without their approval. Losses were estimated at $2.7 million (€2.71 million) last week but are expected to rise.
The case has raised the question: could it happen here? The simple answer is yes, it already does, although in a series of smaller-scale incidents rather than one dramatic scam. The annual cost of fraud on credit cards issued in Ireland by the five clearing banks - AIB, Bank of Ireland, Permanent tsb, NIB and Ulster Bank - has stood at around €5 million in recent years. Figures for 2002 are not yet available.
Credit card fraud is on the increase, according to the Irish Bankers' Federation (IBF), but it is increasing in the context of a greater number of cards now on the market and a higher total number of credit card transactions.
Credit cards, which account for the bulk of plastic card fraud committed, are becoming more popular with Irish consumers and are particularly in demand during the Christmas shopping season. IBF statistics suggest that at the end of 2001, there were 1.7 million credit cards in issue in the market here, up by 200,000 on 2000.
The number of transactions is estimated at 63 million, with the value of all transactions placed at €5.7 billion. So the cost of credit card fraud as a percentage of total turnover stands at less than 0.1 per cent. That's very low, the industry body says, and broadly in line with other European countries.
Of some comfort to the victims of identity theft in the US is the fact that they will not be liable for any fraudulent charges and withdrawals made in their name. Here, the IBF reminds cardholders that they are fully protected against unauthorised transactions - save, that is, in cases where the cardholder has acted fraudulently or with negligence.
But how exactly is acting with negligence defined in these situations? "Each case is looked at individually," says Mr Eddie Ryan, head of card marketing at Bank of Ireland. "Obviously someone who writes their PIN on the back of their credit card is being negligent, but maybe that would be an extreme case," he says.
It is also negligent not to report any lost or stolen credit card immediately. Failure to act quickly may leave you liable for any losses incurred up to the time you do actually report the loss. "Thieves work quickly - so should you," Bank of Ireland reminds its credit card customers. "Certainly, most of the fraudulent use takes place in the 48 hours after the card is stolen," Mr Ryan adds.
When applying for a credit card, consumers will be asked to tick the box indicating they wish to be included in a card protection plan, for an annual premium of around €16 or a three-year fee of €39. A separate company keeps a record of all your cards.
In the event of your wallet or handbag being lost or stolen, one phone call will cancel all the cards. The issuing banks will all have their own 24-hour cancellation phonelines, but if you have more cards than you can keep track of, a card protection service could prove convenient. If the consumer loses five separate cards and cancels only four of them, they could be deemed negligent and liable to pay the full value of unauthorised transactions on the fifth card.
Consumers should check the terms and conditions of their credit cards to see how much protection they have. On standard credit cards issued by AIB, the cardholder is responsible for any loss on their card before notification up to an overall limit of €63.49. This limit does not apply when another person, for example a teenage child, has possession of the card with the cardholder's consent, but perhaps uses it to buy the entire contents of Amazon.com's home page on top of that one agreed concert ticket.
At Bank of Ireland, Mr Ryan says the cardholder is liable to about €75 for any losses incurred before telephoning to cancel, but that this charge is rarely applied and usually only in cases where the cardholder is deemed to have acted with some degree of negligence. In some cases, the cardholder will be liable for the full amount. "Someone who writes the PIN on the back of the card could be hit with all of it," he says. "You are clearly told not to do that. People say they cannot remember the PIN when they're at the ATM, but it's like putting a sign on your back saying 'free money here'." Consumers can, of course, change the PIN on their card to one that they can easily remember, and avoid the number-one mistake of making a written reminder.
"Generally, the banks tend to be reasonable with people, as long as the person is genuine and they're not saying they have lost their card, when really they're trying to avoid paying their bill," says Mr Barry O'Mahony from the Irish Payment Services Organisation (IPSO). The majority of calls are genuine, he adds.
Cardholders are advised by card issuers to take a number of precautionary steps to protect themselves from fraud and, it follows, from any liability for fraudulent transactions.
"Treat cards like you treat cash," is the simple message of these dos and don'ts, according to Mr O'Mahony, who also recommends credit card users check their monthly statements item by item.
The IBF uses another analogy: you should always view your card as the key to your account and treat it accordingly.
But the US fraud case was an inside job. A man working for a software company compiling credit reports for banks and other lending institutions stole passwords and codes and passed them on to another party, who then used the information to fraudulently set up new lines of credit under the cardholders' names. The frightening nature of this kind of identity theft is that it wouldn't matter how many precautions the cardholder took, they could still be seriously stung.
Money laundering regulations here are more stringently implemented, assures Mr Ryan. Consumers need to provide two pieces of visual identification and two certified pieces of address identification during the application process for current accounts and credit cards.
In addition, banks will monitor any unusual activity alerting them to the presence of cloned cards. "If a card is used to pay for something in Easons or Brown Thomas in Dublin and then in a shop in South Mall in Cork a short time later, that might be suspicious," says Mr Ryan. "It's very difficult to get from Dublin to Cork in 15 minutes."
