While the Cambodian banking industry continues to mature, more and more Cambodians are carrying their savings on the plastic cards in their wallets and using ATMs.
According to the National Bank of Cambodia’s 2014 Annual Report, there are a total of 940 ATMs across the country. Correspondingly, the 36 commercial banks, 11 specialised banks and 39 microfinance institutions have issued 31,261 credit cards and approximately 1.3 million debit cards.
While Cambodians are slowly gaining confidence in plastic, the risk of fraudulent activities increases if proper security measures are not in place.
For instance, in late 2013, a Malaysian and a Sri Lankan national were prosecuted for stealing $133,198 using some 80 fake cards. In 2014, five locals were handed down prison sentences for stealing $2.7 million from Canadia Bank in what was deemed ‘an inside job’ as the 30-year old mastermind, Yet Sopheacktra, was formerly in charge of creating ATM cards at the bank. He received a five-year prison sentence.
More recently, in a case that saw the fraudsters thwarted, three Bulgarian nationals were caught trying to use a skimming device to steal customers’ bank details from a local ANZ Royal ATM. While this case shows that proper security can prevent illegal activity, it also shows that card theft is far from easing.
“Usually card skimming is only for magnetic stripe cards where data can easily be stolen. Our advice is that every bank should be going onto chip cards. But of course that does not mean that it is foul-proof because fraudsters are always trying new approaches to get your data security,” said Cynthia Liaw, CEO of Maybank Cambodia.
While card skimming is the most rudimentary form of identity theft, typically involving an electronic machine that can be placed inside an ATM to store data and then replicated onto fake cards, it can also involve a small camera being placed on the machine to read the victims’ PIN code.
“If there is a card skimmer attached to an ATM, our company would be immediately alerted,” she said.
To add further consumer protection, Maybank also monitors accounts closely for behavioural changes, especially for overseas transactions. If an account is showing erratic behaviour, the company calls the customer to verify if these transactions are valid.
“Banks have to be vigilant in not only protecting the customers, but in protecting the industry as well,” she said. “The banks in Cambodia and Indochina in general could be an easy channel for the criminals to pick up funds because they think that regulations in the country are lax.”
Other banks have adopted more high-tech ways in reducing fraud at ATMs. Foreign Trade Bank was the first company to roll out biometric security at their machines that use fingerprint-recognition technology and voice-instruction equipment in 2009.
“The introduction of a biometric at our ATM and Point of Service network has improved the processing time and helped our customer without a need to remember a PIN code. Another advantage is that a biometric cannot be comprised or shared with others as in the case of a PIN code,” said Gui Anvanith, general manager and board member of the FTB.
While the costly technology has yet to be implemented across the banking industry, he did note that some microfinance institutions have adopted the same technology.
But without chip-based standards and regulation, Maybank’s Liaw believes that many local banks are vulnerable to fraud.
“Malaysia has a local chip standard for all the banks as does Singapore. Basically, most banks in more developed countries will have multiple safeguards and applications installed on the chip,” she said.
While the proprietary debit cards that are widely issued by local banks are magnetic stripe cards, the data stored in chip-based cards are encrypted and difficult to clone, she explained.
Additionally, the chip contains an embedded microprocessor that generates a unique code for each transaction to increase the security level.
However, Liaw said, for a developing country like Cambodia, the costs of implementing a chip card standard can outweigh the risks due to the cost of reissuing client’s cards and upgrading ATMs.
“One of the easier ways is to issue Visa and Mastercard services with each card. That is a lot more cost-effective,” she said.
Cambodia’s largest bank, Acleda Bank, announced earlier this year that it will invest an additional $40 million to its current capital of $226 million to expand the growth of credit services domestically and abroad to boost its electronic banking infrastructure.
While Acleda offers both proprietary debit cards as well as ones partnered with Visa or Mastercard (called EMV cards – short for Europay, MasterCard and Visa), In Channy, president and group manager of Acleda said that the “bank is in the process of replacing all ATM cards with EMV starting next year”.
Hemalis Duong, general manager of Techenture Consulting, a systems provider for many local banks, explained that while local banks have primarily focused on combating cyber threats like online scams, hacking, and phishing attacks by putting in secure servers and firewall protection, internal banking security is something that is often overlooked.
“Many local banks don’t take internal data security seriously. For instance, if you have a company smartphone or laptop that can access critical information remotely, data can easily be hacked, stolen or even sold,” she said. “Banking security is not only about protecting against external threats, but internal threats as well.”
According to Liaw, another simple cost-effective strategy that local banks could employ is to put in place transaction and withdrawal limits at ATMs, something that many local banks lack.
“I wouldn’t want to say that there is an increasing trend of fraud in Cambodia, because as we have seen, there are already fraudsters here. The threats can come at any moment and banks have to be vigilant and step up security,” she said.