As the incidence of bank identification number (BIN) attacks and other cyber threats continues to escalate, it is essential for retail banking clients to take proactive measures to protect their financial assets. In this context, it is crucial to educate individuals on the preliminary steps they can take to safeguard their funds and prevent unauthorised access to their accounts.

Card numbers on your debit/credit card are a numeric sequence that follow a set of specific rules to identify the institution, the industry associated with the card and account number with the card. BIN or issuer identification number (IIN) refers to the first six digits on a debit or credit card. BIN attacks involve a software trying thousands of combinations to guess the full card number and other details needed to carry out a card transaction.

Once a combination works, the fraudster can attempt to execute transactions at different merchants to drain the available funds with the account. Although the CVV (card verification value) is meant to ensure that the user of the card has the physical card with them, it is not a fool-proof solution to the issue of fraudsters. Most bank systems will attempt to block or decline these transactions being done by fraudsters, but some transactions might be approved in what is described as “card not present fraud”. This doesn’t mean that a bank has been hacked or compromised but it means that fraudsters are using technology for nefarious reasons.

BIN attacks have been on the rise across the region with some Jamaican banks detailing the event to their customers while others have not publicly telegraphed this information. Customers must report these fraud attempts to their relevant bank and wait for the possible 120-180-day window that some banks have to return the funds to their bank account if their debit card was compromised. If the credit card is compromised, a credit would be applied to the card.

While some people might think that the Jamaica Deposit Insurance Corporation (JDIC) could be applicable in events where money is defrauded, the JDIC only steps in which a deposit-taking institution (DTI) is unable to make a payment with respect to a deposit balance by a customer. As a result, customers are subject to the stipulations with each bank as outlined in their terms and conditions.

While a credit card is usually promoted as a quick solution to limit loss, not everyone is comfortable with a credit card. The Bank of Jamaica’s (BOJ) own statistics show that there are nine debit cards for every one credit card in the Jamaican marketplace.

Thus, customers need to consider other strategies to protect their money. One simple strategy to better protect your money is to segregate your funds in the same bank or at another bank.

Let’s say you have one bank account (account A1) at Bank A which is connected to your debit card. You can always create a second account (account A2) at Bank A which is not connected to any debit card. You would transfer most of your excess cash to account A2 and keep an amount you feel comfortable leaving in account A1. So, if you have $100,000 currently in account A1, you could transfer $90,000 to account A2. That way, if your debit card is compromised, only $10,000 is at risk. If you need to do a larger transaction size, you can always transfer money online from account A2 to account A1.

However, let’s say Bank A hasn’t created a solution for you to open a new account online or via email but Bank B offers that option. You can create a new account (account B2) at Bank B and transfer your excess funds to that account. This ensures that you’re keeping your savings in an account that isn’t connected to any debit card and is isolated from unnecessary risk.

Customers of National Commercial Bank Jamaica Limited (NCBJ), CIBC Caribbean Bank (Jamaica) Limited and First Global Bank Limited (FGB) can block or freeze transactions on their debit and credit cards through their respective online banking or mobile banking applications. Thus, you can turn off your card before you head to sleep or when you’re not travelling so that any attempts to use the card will be automatically declined. You can always turn your cards back on before you do any transaction.

The Bank of Nova Scotia (Jamaica) Limited (BNSJ) allows for customers to freeze transactions on credit cards and set transaction limits on their credit cards as well. This means that if you set a transaction limit of $25,000, any transaction above that threshold will automatically be declined.

Some banks have also enabled Mastercard Identity Check or Verified by Visa which allow for their customers to verify that they’re the person carrying out the transaction. This is usually done by receiving a one-time code via email or text to the card user to verify themselves.

Most commercial banks allow for card users to receive notifications whenever their card is used for a transaction at a point of sale (POS) terminal, at an automated banking machine (ABM) or an online transaction. Everyone should turn on these notifications so that they can be aware when transactions are being done on their card.

As technology continues to evolve, more options are becoming available for customers to reduce their risk of fraud. A major advancement is the introduction of contactless transactions through EMV (Europay, Mastercard, Visa) chip-enabled cards which allows for customers to tap POS terminals and not release the cards from their hands. That transaction is secured by a process called tokenisation which results in the original card information being replaced with a randomly generated sequence of information to process the transaction. That ensures that your personal card information isn’t exposed to different parties in authenticating the transaction.

“In June of this year [2024], Visa announced reaching a milestone issuance of our 10th billion token globally. Tokens provide multiple layers of security behind-the-scenes by protecting sensitive account information. Tokens continue to be rolled out throughout the Caribbean to enable use cases like mobile wallets and replacing cards-on-file at e-commerce sites with tokens. Also, consumers in the Caribbean continue to find that contactless transactions are fast, secure and convenient with adoption continuing to grow and representing more than 50 per cent of all transactions,” Visa Inc told the Jamaica Observer in a recent email.

Apple Pay, Samsung Pay, and other digital wallets are also set to debut in Jamaica in short order which will further bolster protection for the everyday consumer. This comes at a time when Mastercard is seeking to push more on-device biometric authentication processes by 2030 to remove the need for card numbers or one-time codes. So, there will be a time in the future when a smile or wave of the hand is all you will need to verify a transaction.

“By 2030, Mastercard aims to eliminate the need for manual card entry and one-time or static passwords by combining tokenisation, introduced 10 years ago to protect sensitive personal and payment data, with biometric authentication for secure, seamless checkout. In doing so, Mastercard seeks to ensure that every online transaction across its network can be tokenised and authenticated, making online checkout smoother and safer,” Mastercard said in a recent news release.