Archive for the ‘Canada’ Category

What to do in case of credit/payment card fraud: real life example!

This weekend E-Crime Expert encountered a financial fraud which happened to us in real life. Money was fraudulently withdrawn from our (Dan’s) account. Luckily, we immediately identified the fraud which enables us to cancel the card and report the fraud in order to be reimbursed.

1. How it could be detected:

i. Log into your online banking account (Fig. 1).

(I am using a mobile platform for my online banking)

Fig. 1.

ii. Type your user name or card number and your password (Fig. 2).

Fig. 2.

iii. Select one of your accounts, then go through your transaction records carefully and check for any transaction you do not recognize (this is how I identified the fraud in my VISA account) (Fig. 3).

Fig. 3.

iv. Most likely the fraudulent transaction will be from a service provider or vendor you have had nothing to do with (as happened in my case) (Fig. 4).

Fig. 4.
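The manual review in steps iii and iv (read every posting, flag anything you do not recognize) can be made systematic when you keep your receipts, as the tips later in this post recommend. The following is an added example, not code from the original post: it reconciles a card statement against kept receipts, matching on amount and a date window, and separately flags merchants that are not on the cardholder's own list. All statement lines, receipts and merchant names are constructed sample data; a duplicate posting of a genuine purchase is included to show that a receipt is only allowed to explain one charge.

```python
"""Statement review helper: flag card transactions that need a call to the issuer.

Added example (not from the original post). Reconciles a statement against the
receipts the cardholder kept. All data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Txn:
    day: date
    merchant: str
    amount: float  # in the card's currency


# Constructed sample statement, as it might appear in online banking.
STATEMENT = [
    Txn(date(2013, 1, 4), "GROCERY MART #112", 54.20),
    Txn(date(2013, 1, 5), "COFFEE PLACE", 4.75),
    Txn(date(2013, 1, 6), "ONLINE GADGETS LTD", 299.99),  # cardholder never shopped here
    Txn(date(2013, 1, 7), "GROCERY MART #112", 31.10),
    Txn(date(2013, 1, 7), "GROCERY MART #112", 31.10),    # same purchase posted twice
]

# Constructed receipts the cardholder kept (one per real purchase).
RECEIPTS = [
    Txn(date(2013, 1, 4), "Grocery Mart", 54.20),
    Txn(date(2013, 1, 5), "Coffee Place", 4.75),
    Txn(date(2013, 1, 7), "Grocery Mart", 31.10),
]

# Merchants the cardholder actually uses (constructed). Statement descriptors
# carry store numbers and upper case, so matching is a case-insensitive prefix.
KNOWN_MERCHANTS = {"grocery mart", "coffee place"}


def merchant_known(descriptor, known=KNOWN_MERCHANTS):
    """True if the statement descriptor starts with a merchant the cardholder knows."""
    name = descriptor.lower()
    return any(name.startswith(k) for k in known)


def reconcile(statement, receipts, known=KNOWN_MERCHANTS, days=3, tolerance=0.01):
    """Return [(transaction, [reasons])] for every statement line to query.

    A receipt explains a charge if the amount matches (within `tolerance`) and
    the posting date is within `days` of the receipt date. Each receipt is
    consumed at most once, so a duplicated posting is flagged even though an
    identical genuine purchase exists. Unfamiliar merchants are flagged
    regardless of whether an amount happens to line up with a receipt.
    """
    unused = list(receipts)
    flagged = []
    for t in statement:
        reasons = []
        if not merchant_known(t.merchant, known):
            reasons.append("unfamiliar merchant")
        match = next(
            (r for r in unused
             if abs(r.amount - t.amount) <= tolerance
             and abs((t.day - r.day).days) <= days),
            None,
        )
        if match is None:
            reasons.append("no matching receipt")
        else:
            unused.remove(match)
        if reasons:
            flagged.append((t, reasons))
    return flagged


if __name__ == "__main__":
    for txn, reasons in reconcile(STATEMENT, RECEIPTS):
        print(f"{txn.day} {txn.merchant:<20} {txn.amount:>8.2f}  <- {', '.join(reasons)}")
```

Run against the constructed data, the helper flags the unfamiliar online merchant (no receipt, unknown name) and the second 31.10 posting (no receipt left to explain it), while the three genuine purchases pass. Tightening `days` or widening `KNOWN_MERCHANTS` is how you tune it to your own spending pattern.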

2. What to do if you suspect fraudulent activity:

 Despite your best efforts, there is still a chance that you will become a victim of payment card fraud. You will save yourself time and worry by following the steps below:

  • Call your financial institution immediately. You can find the phone number easily on the back of your card (Fig. 5).

Fig. 5.

The financial institution may want to cancel your current card and mail you a new one. Check to verify that your mailing address has not been changed.

  • If you still have your card, but fraudulent purchases have been made on the account, call your financial institution and ask them to issue you a new one.
  • Contact the national credit bureaus to let them know you are a victim of fraud. They will place a “Fraud Alert” on your file. You can also request copies of your credit report, which you should review carefully. For North America:
    • Equifax: 1-800-465-7166 or www.equifax.ca
    • TransUnion: 1-866-525-0262 or www.tuc.ca
  • Diligently check your statements in the following months to make sure the problem has been completely resolved.
  • Report the fraudulent activity to the proper authorities, including the police or the Internet Crime Complaint Center:

i. MasterCard:

To contact MasterCard's fraud department:

  • From the United States, call 800-627-8372.
  • If you are not in the United States, call 636-722-7111.
  • If it is an emergency related to possible fraud, MasterCard will accept international collect calls.

ii. Visa:

  • Call the bank or other organisation that issued your card, if you know the telephone number. They will immediately block your card and organise a replacement.
  • If you do not have your card issuer’s telephone number, use the menu on the Global Card Assistance Directory page for help.

To use the Global Card Assistance Service Directory, click here.

From the pull-down menu choose the country you are in now. Call the telephone number that appears in the right-hand box. Calls might be free but may carry local telecom fees if one dials using a mobile phone or calls from within a hotel.

If outside the US, make a reverse-charge call to +1 303 967 1096; if within the US, simply dial +1 800 847 2911.

3. What you need to be prepared to provide when calling:

  • The name of your card issuer
  • The type of card — for example, Visa Electron, Visa Classic, Visa Gold
  • The country where the card was issued

It will help if you can also tell them:

  • Your 16-digit Visa/MasterCard account number
  • If you have your own card account or a partner card
  • Your name as it is printed on the card
  • The address where your statement is sent
  • Your home telephone number
  • How the card went missing or which transaction you find illegitimate
  • Other personal details that will be used as a security check to confirm your identity
  • The identity of the primary cardholder, if you are the secondary cardholder.

4. Tips to stay safe:

i. How to prevent identity theft

Identity theft involves acquiring another person’s identification information (such as a social insurance number or any other unique identifier) without that person’s knowledge, for the purpose of impersonating him or her to commit fraud. The best defense against identity theft is to prevent thieves from getting the information in the first place.

Here are guidelines to follow:

  • Never leave your purse or wallet unattended – keep your personal data and information guarded at all times.
  • Sign your credit and debit cards in permanent ink as soon as you receive them.
  • Call your card issuer if a new or reissued card does not arrive when expected.
  • Don’t carry your social insurance card, birth certificate, or passport in your wallet or purse unless it’s absolutely necessary. Cancel any inactive payment card accounts.
  • Never throw away receipts in a public trash container. When disposing of receipts or old statements, be sure to destroy the areas where the account number is visible. In general, you should keep all your receipts in a safe place to refer to if you suspect suspicious activity.
  • Check your statements frequently and carefully. Be sure you are familiar with all account activity on the statement. If you find an unauthorized or questionable transaction, call the appropriate organizations immediately.
  • Do not write your credit or debit card account number on a cheque, or use it for identification when paying by other means.
  • If your social insurance card or driver’s license is missing, contact the appropriate agency immediately.
  • Never give any payment card, bank, or social insurance information to anyone by telephone, even if you made the call, unless you can positively verify that the call is legitimate and there is a true need for the information.
  • Keep a list of all your credit accounts and bank accounts in a secure place so you can quickly call the issuers to inform them about missing or stolen cards. Include account numbers, expiration dates, and telephone numbers of customer service and fraud departments.
  • Make a note of when your financial statements arrive each month. If your statements stop arriving, contact your bank immediately.
  • Obtain a copy of your credit report once a year from one of the national credit bureaus. You are entitled to a free copy of your report if you are denied credit. Otherwise, most credit bureaus will charge a small fee. If the report data is incorrect, write the credit bureau immediately and keep a copy of your letter.

ii. How to prevent fraud while using your payment card

Payment cards are used every day by billions of people throughout the world. By following the steps below, you will significantly reduce the chances of fraudulent activity occurring on your account:

  • When making a purchase, keep your card in view at all times. Retrieve the card as soon as the transaction is complete and make sure it is yours.
  • Memorize your passwords and personal identification numbers (PINs) so you do not have to write them down. Be aware of your surroundings; make sure no one is watching you input your PIN.
  • Never sign a blank receipt slip. Draw a line through any blank amount lines that appear above the total amount line.
  • Save all of your receipts so you can refer to them at a later time. Never discard your receipt in a public trash container.
  • Do not provide your account number over the phone unless you are positive the call is legitimate and there is a legitimate purpose to disclose your account number. Never provide your number over the phone if you didn’t initiate the call.
  • Avoid saying your account number aloud at a merchant location or over the phone if others can hear.

iii. How to prevent fraud while shopping online

Shopping online opens up a world of choices and convenience – as well as some risks that require extra vigilance. Here are some tips to ensure that your online shopping experience remains safe and enjoyable:

  • Make sure you are doing business with a reputable Internet merchant. Check with the Better Business Bureau or provincial and local consumer agencies to find out about past complaints or experiences from other customers. You can also look for the following information on the website to check if a merchant is reputable:
    • Privacy policy – A reputable website often has a clearly stated privacy policy in an accessible place. Read the privacy policy so you know exactly how the merchant intends to use your information.
    • Information about the offer – make sure you learn all you can about the offer, including the delivery date, terms of warranty, cancellation policies, how to contact the company if you have questions, etc.
    • Information about the merchant – make sure to find the company’s physical address and telephone number.
    • Security – Reputable websites often provide information about how they protect your financial information when it is transmitted and stored.
  • Guard your personal information. Don’t provide information that you are uncomfortable giving. Never give anyone the password that you use to log on to your Internet Service Provider or online bank account.
  • Keep records. Print out all information about your online transaction and keep it in a safe place to refer to at a later time.
  • Pay with a payment card, as this is often the safest way to pay online. In North America, the cardholder has the right to dispute charges if the goods or services were misrepresented or never delivered. Also, you are not responsible for fraudulent purchases made on your account.
  • Make sure the merchant that you are dealing with has proper security measures in place. Your browser can tell you whether the site you are about to send information to is secure: look for an unbroken key or closed lock at the bottom of the browser window. If you cannot determine this, do not send your credit or debit card information over the Internet.
  • Hover over a link in your browser before clicking it, to check that it does not lead to a fake or cloned website.

iv. Setting up the best security for your Visa card:

Visa has developed several layers of fraud prevention and detection systems and programs, giving you multiple checkpoints for security to protect your business and make transactions more secure. Visa’s Layers of Security complement each other and work together, so by implementing multiple services you can help reduce your risk of fraud.

The Layers of Security:

Layer # 1 – Chip & PIN

Many Visa cards now contain a micro-computer chip that securely stores encrypted information to complete transactions. As well, Personal Identification Numbers (PINs) are used for cardholder authentication when chip cards are used in Canada. This helps make counterfeiting virtually impossible.

Layer # 2 – Verified by Visa

The Verified by Visa (VbV) program is a worldwide service that confirms a cardholder’s authenticity in real time. This helps protect merchants from fraudulent transactions and chargebacks, while protecting cardholders from unauthorized use of their Visa cards.

Layer # 3 – Three-digit Code (CVV2)

The CVV2 is a three-digit security code on all Visa cards that helps ensure a customer making an online or phone purchase has a genuine Visa card in hand.

Layer # 4 – Address Verification Service (AVS)

When fraudsters try to order online, by mail or by phone, AVS can help stop them in their tracks. Account number information obtained from a receipt or a stolen card does not include an address or postal code. AVS checks a cardholder’s address and/or postal code against the card issuer’s records in real time, giving you the opportunity to stop a transaction if desired.

Layer # 5 – Visa Advanced Authorization (VAA)

Available through most card issuers, VAA lets you immediately identify and respond to emerging fraud patterns and trends. As transactions are processed through VisaNet® Advanced Authorization, VAA evaluates the authorization request data in real time and assigns a risk rating, helping you better identify potential fraud.

5. Additional contact numbers for Canada only:

MasterCard Issuer Security Phone Numbers in Canada:

ATB Financial: 1-800-661-2266
BMO Bank of Montreal: 1-800-361-3361
Bridgewater Bank: 1-866-398-4404
Canadian Tire Bank: 1-800-459-6415
Capital One Canada: 1-800-481-3239
CIBC: 1-800-663-4575
Citibank Canada: 1-800-305-7259
Credit Union Electronic Transaction Services: 1-800-567-8111
Direct Cash Bank: 1-888-466-4043
GE Money Canada: 1-800-243-2222
HSBC Bank Canada: 1-866-406-4722
MBNA Canada: 1-800-379-2744
National Bank of Canada: 1-888-622-2783
Peoples Trust: 1-866-452-1138
President’s Choice Bank: 1-866-246-7262
RBC Royal Bank: 1-800-361-0152
Sears Canada: 1-800-288-9965
Walmart Financial Services Canada: 1-888-925-6218
Wells Fargo Financial: 1-888-295-0050

If you have any questions, you can contact: dan@e-crimeexpert.com

Additional information can be found at: www.e-crimeexppert.com

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog.


Transfer mechanisms of personal data from EU to third countries

January 8, 2013

This Article explains the concept of transferring personal data from EU to third countries, what those third countries mean, the principles for making such transfers legitimate and the derogations from these principles, and last but not least, the transfer mechanisms of personal data to third countries.

Considering the legal requirements of Directive 95/46/EC, Article 25 (“the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if … the third country in question ensures an adequate level of protection …”), this Article presents three legal mechanisms for such transfers:

- Standard Contractual Clauses – for single Organizations or entities

- Binding Corporate Rules – for multinational Organizations or entities

- Safe Harbor Agreement principles – for Organizations or entities located in the U.S.

The Article provides Organizations or entities with all currently available mechanisms for data transfer from the European Union to third countries, regardless of whether those Organizations are independent single entities or multinational ones.

This Article was written by Dan Manolescu. If interested, you could read the full Article published by InfoSec Institute here.

If you would like to find out more about InfoSec, you could visit this page here.

Dan Manolescu is now a frequent contributor to InfoSec Institute.

If you have any questions please contact us at: dan@e-crimeexpert.com

Privacy versus Data Protection

November 27, 2012

Today, E-Crime Expert presents the main similarities and differences between privacy and data protection concepts mainly from two different legislative perspectives:  Canada and the European Union (EU), and briefly from the United States (US).

Also, this blog post provides the main privacy and data protection legislative acts from Canada and EU as a useful resource for those interested or working in this field.

Last but not least, you can find below the full EU Data Protection revision 2012 package.

I. US versus EU versus Canada

The United States (US) and the European Union (EU) have different concepts regarding personal information and private data: Privacy in the US versus Data Protection in the EU.

The US approach to privacy focuses on narrowly applicable legislation:

  • sector-based,
  • with a mix of legislation,
  • regulation and self-regulation,
  • focusing on the protection of personal information by specifically addressing a particular industry sector (e.g. medical information, online transactions, credit checks, etc.)
  • regulating data collected by the federal government

The EU has a more comprehensive approach:

  • set of rights and principles for personal data treatment (processing),
  • without considering that the data is held in the public or private sector,
  • protects only natural persons, not legal entities
  • the relation between data protection and the economic value as a proper balance between fundamental rights and free flow of information (which has economic value).
  • by granting data protection as a fundamental right, the aim is to protect the individuals but also to encourage the free flow of information, giving data subjects legal certainty and encouraging them to not negatively affect the exchange of information and data

Canada – similar level of protection to the EU one.

  • Privacy is regulated by the government at the federal and provincial level:
    • The Privacy Act (federal level, for private information held by the government),
    • PIPEDA (federal level for private sector),
    • PIPA (provincial level for private sector, Alberta for example),
    • FOIP (provincial level for public sector, Alberta for example),
    • HIPA (federal level for health information),
    • HIA (provincial level for health information, Alberta for example)
  • The difference between Canada and EU
    • Canada’s legislation regulates both organizations and individuals privacy rights and access
    • EU’s legislation regulates the individuals’ rights (no organizations)
    • Canada gives to the individual the right to access their data or other individuals’ or organizations data along with their privacy protection right under the same Act (The Privacy Act, FOIP)
    • The EU gives the data subject the right to protection of their personal data under one single act (Directive 95) and the right to access data for public interest under the Transparency Regulation (1049); no other personal data can be accessed in the private sector (only for law enforcement)
  • Canada enacted different acts for different data categories (private: PIPA, public: FOIP, health: HIA, children: Child, Youth and Family Enhancement Act, etc.)
  • EU has the same Legislative Act (e.g. Directive) but with different degrees of protection and limitations based on the data categories sensitivity (identification, medical, criminal, etc).
  • Canada sets forth a minimum time for information retention, whereas the EU sets forth a maximum time for data retention
  • in Canada, information sharing is done based on Information Sharing Agreements (local, federal, international)
  • in the EU, data transfer has three layers of protection: exchange locally within the same institutions, bodies and organizations; between EU member states; or internationally (with third countries).

II. Privacy versus data protection

  • The concept of privacy and data protection is not the same.
  • Data protection has a privacy dimension, but it is narrower in scope than the privacy concept, “as the privacy encloses more than personal data” (e.g. private life, private home, private correspondence, etc.)
  • From a different angle, it encloses a wider area, “since personal data are protected not only to enhance the privacy of the subject, but also to guarantee other fundamental rights, such as the right to freedom of expression, or the right to know what data is gathered about you,  to have access to your data, to ask for modification or deletion of your data, etc”
  • Furthermore, data protection gives individuals the right to know:
    • what personal data is collected,
    • on what legal grounds,
    • how it is used, and for how long it is used and kept,
    • and by whom.
  • It specifically grants data subjects the rights to access, modify, update or ask for deletion of such data.

III. EU legislative framework

IV. EU Data protection revision 2012 (to reflect the new technological developments and to provide a consistent legislative framework across the EU):

Click here to access the new proposed EU Data Protection regulation

  • A Regulation was proposed in place of the existing Directive. A Regulation is better, as it is implemented immediately and more uniformly into the Member States' national law.
  • Data subjects
    • increasing responsibility and accountability – companies would have to notify their clients of any theft or accidental release of personal data
    • clarifying that where someone’s consent is required before a company reuses their personal data, they need to give that consent explicitly – people would also have access to their own private data and be able to transfer it to another service provider more easily
    • reinforcing the ‘right to be forgotten’ – people will be able to have their personal data deleted if a business or other organization has no legitimate reasons for keeping it
    • applying EU rules when personal data is processed outside Europe – people would be able to involve the national data protection authority in their country, even when their data is processed by a company based outside the EU
    • People will have easier access to their own data and be able to transfer personal data from one service provider to another more easily (right to data portability). This will improve competition among services
  • Good for business
    • A single set of rules would encourage a more consistent application of the law across the EU. Businesses would have clear rules on how to treat personal data
    • Companies would only have to deal with a single national data protection authority in the EU country where they have their main operations (saving businesses an estimated €2.3bn a year)
    • The obligation to appoint a data protection officer for organizations with 250 employees and over (private sector)
    • Instead of the current obligation of all companies to notify all data protection activities to data protection supervisors – a requirement that has led to unnecessary paperwork and costs businesses €130 million per year, the Regulation provides for increased responsibility and accountability for those processing personal data
    • Companies and organisations must notify the national supervisory authority of serious data breaches as soon as possible (if feasible within 24 hours)
    • Organisations will only have to deal with a single national data protection authority in the EU country where they have their main establishment. Likewise, people can refer to the data protection authority in their country, even when their data is processed by a company based outside the EU. Wherever consent is required for data to be processed, it is clarified that it has to be given explicitly, rather than assumed
    • EU rules must apply if personal data is handled abroad by companies that are active in the EU market and offer their services to EU citizens
    • Independent national data protection authorities will be strengthened so they can better enforce the EU rules at home. They will be empowered to fine companies that violate EU data protection rules. This can lead to penalties of up to €1 million or up to 2% of the global annual turnover of a company
  • Better enforcement
    • The new rules would give national data protection authorities powers to enforce the EU rules more rigorously
    • A new Directive will apply general data protection principles and rules for police and judicial cooperation in criminal matters. The rules will apply to both domestic and cross-border transfers of data. For the new Directive click here.
  • Next steps
    • The proposals are aimed at encouraging more online commerce by improving consumer trust, contributing to economic growth and job creation. The new proposed data protection legal framework (Regulation + Directive) must be approved by the European Parliament and Council before becoming law.
  • Commission Proposals on the data protection reform: legislative texts

Source: Directorate General Justice of the European Commission

Any questions can be submitted to: dan@e-crimeexpert.com

Additional information can be found at: www.e-crimeexppert.com

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog.