Online transaction fraud | Sunday Observer

Online transaction fraud

8 August, 2021

We are living in a world where technology is developing rapidly and new inventions are being made on a daily basis. But everything that is invented has both advantages and disadvantages. Some people use these technologies in a way that harms others, misusing technological means to reach their goals. Awareness of these types of crimes is therefore important in order not to fall victim to them. The way crimes are committed is changing in parallel with the development of technology. For example, a person who robs banks can do the same through an online method rather than going to the bank physically.

Likewise, every crime, except for a few such as murder and rape, has been converted into online methods. Even in murder and rape cases, the causation may sometimes include technological means. Here, the crime itself does not change, only the way of committing it. To prosecute someone for a crime, there are three main elements that should be proved and established before a court beyond a reasonable doubt.

They are mens rea (mental element), actus reus (physical element), and absence of any defences. However, there are some crimes for which it is not necessary to prove the mental element, such as trafficking offences. These crimes or offences have been emphasised in many statutes in Sri Lanka. However, “cyber crime” is not classified as a separate offence in Sri Lanka’s legal system. In developing countries such as Sri Lanka, public knowledge of these matters is not at a satisfactory level, and people easily fall victim to such crimes. One of the main reasons for this is that most people, in particular adults, are somewhat reluctant to use new technologies. However, with the ongoing Covid-19 pandemic, almost everything has undergone changes and most people have begun using online platforms, but some of them have no awareness of the harm that could be caused to them through these technological means.

Online payments are categorised as non-card transactions and are a significant target for cyber criminals, because it is harder for sellers to verify that the purchase is made by the real cardholder.

In a nutshell, online transaction fraud occurs when a fraudster steals another individual’s identity and makes a transaction on their behalf, such as with credit/debit cards stolen from others.

It is noteworthy that fraudsters do not constantly use the same strategies to make fraudulent credit card transactions. Because card-present and card-not-present transactions have different features and vulnerabilities, hackers adopt different approaches to access others’ data according to the type of transaction. Card-present (CP) transactions generally refer to payments such as in-store purchases, where the credit/debit card is present at the moment of purchase. While many people connect fraud with digital payments, card-present transactions still have loopholes that allow racketeers to access sensitive information. If someone has the 16 digits of the credit/debit card, the expiry date, and the three-digit card verification value (CVV) or card verification code (CVC), they can make any online transaction unless there is two-factor authentication or mobile verification.

Two-factor authentication means the bank provides its customers with a One Time Password (OTP) for every online transaction made with their credit/debit cards. Card-Not-Present (CNP) transactions are transactions in which the cardholder does not physically show the card to the merchant for visual inspection at the time the payment is made.

Although CNP payments may occur by mail, phone, or even fax, the term generally relates to payments conducted through the internet. This type of payment is also sometimes not secure, because you are giving all the details of the credit/debit card to an online platform.

Types of online transaction frauds

Mainly there are three types: Friendly Fraud, Triangulation, Clean Fraud, and Identity Theft. Friendly fraud occurs when a consumer makes a digital purchase using their own credit card and then calls their credit card provider to dispute the transaction. In these instances, customers approach their credit/debit card provider claiming that the item was not delivered, that the item was returned but no refund was received, or that they don’t recall making the transaction and their credit card has been hacked. Of course, not everyone who does this is fraudulent; in fact, these allegations may be genuine in many cases.

Friendly Fraud, on the other hand, has been a popular strategy for fraudulent operations in recent years, causing businesses not just immediate losses but also card provider penalties.

The triangulation fraud method involves three elements in the purchase of an order: the unsuspecting consumer, the false online retailer, and the stolen data. In this scenario, the fraudulent merchant takes the client’s credit/debit card data as soon as the consumer has made a purchase. The products in this sort of business are generally high-priced products offered at bargain rates. The fraudster’s main goal is to collect data and then cancel the payment once he gets the customer’s credit card information.

Clean fraud is difficult to identify and prevent because the fraudsters use genuine data to commit their crimes. While friendly fraud hides behind counterfeit identities or stolen data, clean fraud hackers generally have a lot of information about cardholders and their credit/debit cards, and they use genuine customer data to mislead the systems.

In this sort of fraud, the thief has been able to steal all of the essential genuine data and uses it to make a transaction that appears legal. Identity theft is another form of online payment fraud that is extremely widespread. In this sort of fraud, the impostor acquires key details of personal information and uses them to make fraudulent transactions on the internet. This form of fraud frequently occurs when hackers breach firewalls that rely on outdated security systems, which is why merchants must keep their network security systems up to date at all times. Sometimes you will get a text message on your mobile phone stating that you have won a prize (a huge amount of money or some other gift such as a BMW car), followed by a request for your bank details and card details so that the prize can be sent. This is another popular trick used by fraudsters.

Law related to online transaction frauds

Digital laws are important in the use of information and communication technology because they offer the legal framework for using electronic data and digital documents for official and personal purposes, as well as for performing electronic transactions.

In addition, behaviour involving computers that is damaging to the use of online transactions should be regulated. In the Sri Lankan context, digital laws are still being developed and have so far been developed to some extent. But with the development of new technology, the laws should be altered, amended, and implemented to protect people from becoming victims of such updated crimes. There are a few statutes that govern digital transactions and related matters. They are the Electronic Transactions Act No. 19 of 2006, Computer Crimes Act No. 24 of 2007, Payment and Settlement Systems Act No. 28 of 2005, Payment Devices Frauds Act No. 30 of 2006, Information and Communication Technology Act No. 27 of 2003 and Intellectual Property Act No. 36 of 2003. The Electronic Transactions Act No. 19 of 2006 is the most significant statute for the use of technology in Government and the creation of e-Government services.

This Act is based on the Model Law on Electronic Commerce (1996) and Model Law on Electronic Signatures (2001) of the United Nations Commission on International Trade Law (UNCITRAL). In 2017, the Act was amended to bring Sri Lankan e-Commerce legislation in accordance with the UN Electronic Communication Convention (UN ECC), the only worldwide standard for e-Commerce regulation. The Amending Act No. 25 of 2017 provides more legal clarity for e-Commerce and e-Business providers that want to utilise Sri Lankan law as the relevant legislation and assure international validity for electronic transactions.

It would also secure the legal validity of other international legal instruments and cross-border money transfers, as well as the enforcement of foreign arbitration awards, allowing Sri Lanka to accelerate its transition to paperless trade facilitation through a single-window mechanism. Sri Lanka also features a comprehensive inter-bank payment and settlement system that allows for safe bank-to-bank transactions utilising electronic signatures.

The Electronic Transactions Act No. 19 of 2006 provides legal recognition for electronic signatures, including digital certificates.

The Computer Crimes Act No. 24 of 2007 establishes the definition of computer crimes as well as the procedures for investigating and prosecuting them.

The Computer Crimes Act No. 24 of 2007 was enacted to make unlawful access to a computer, computer program, data, or information illegal. It also includes a mechanism for dealing with unlawful computer use, regardless of whether the culprit has permission to do so. Section 2 specifies that the Act applies whether a person is in Sri Lanka or outside it when they commit an offence under the Act. The Payment Devices Frauds Act No. 30 of 2006 was passed in Sri Lanka to address the ownership and use of illegal payment devices.

This Act is written in the broadest terms possible to criminalise behaviour involving the use of computers or the internet to commit offences involving payment devices. The Evidence (Special Provisions) Act No. 14 of 1995 provides for the admissibility of computer evidence before a court. There are no specific provisions or definitions in the Penal Code for online transaction frauds or any other cyber crimes, but offenders can be charged under the Penal Code of Sri Lanka, together with the above Acts, for the offences of theft, robbery and fraud.

When you notice any online transaction that has been processed without your knowledge and consent, you should first contact your bank and deactivate the credit/debit card immediately. Then, if you have received any message about the alleged transaction, keep a screenshot of that message and your bank statements securely.

Anyone who has been a victim of online transaction fraud can lodge a complaint with the local Police or the Police Computer Crime Division. A complaint can also be lodged with SLCERT through its website or by email - [email protected].

Preventive methods

As the common saying goes, “prevention is better than cure”; if you stay secure, you can avoid becoming a victim of online transaction fraud. Some precautions can be taken. If you’re on the phone, don’t give out your account number unless you’re speaking with a trustworthy company or online business. If you have never dealt with them before, look for reviews or complaints online immediately. Keep an eye on your credit/debit card throughout a transaction. Before you leave, make sure you get it back.

Keep a close eye on your bank and credit card statements. Keep an eye on your credit report. Don’t disclose your credit card details on the internet unless you know the website or online business platform. Never use a public computer to conduct a credit card transaction. Never disclose your credit/debit card details to any third party. Always contact your bank for more details regarding any online transaction which you did not make. Don’t disclose your credit/debit card details or bank details in response to unknown messages which say you have won a big prize.

Always try to use separate debit cards for online transactions and for CP payments. Always read the Privacy Policy and the terms and conditions before you sign up with any website on the internet.