Peter Orenubi Oluwagbenga, the mastermind of the million-dollar credit card fraud busted in Calcutta, would not only swipe his cloned cards for jewellery and gizmos to sell later but also make bookings in star hotels, only to cancel these for cash refunds.

Police said on Tuesday that Nigerian Peter, whose Facebook profile proclaims “All I know is that Jesus is with me”, had a long history of fraud and played his cards with cunning.

“Apart from cloning credit cards issued in the US and using these in India to purchase expensive jewellery and electronic items, Peter made huge amounts of money through fraudulent hotel bookings,” said a senior officer involved in the probe.

The Lagos resident’s modus operandi was to book an expensive room for a week or so with one of the cloned cards and cancel it days before his scheduled arrival, saying he was willing to forego a percentage of the tariff if the hotel gave him a cash refund.

“He would tell the booking executive over phone that he would send an associate with a bona fide identity card to collect the refund. The designated contact would be one of his recruits in the city where the hotel was located,” the officer said.

The loser would, of course, be the bank customer whose credit card was cloned and used in that transaction.

The investigation team has also found out that Peter’s alleged accomplices in Calcutta would fly to Chennai, Mumbai or Patna to make credit card purchases and return to base the same day. “That was meant to throw the police off their trail in the event of a complaint being lodged and investigated,” said the officer.

Bank officials said there was no way of identifying a credit card fraud, or preventing one, unless customers became more vigilant. “Banks don’t get to know about fraudulent transactions or cloning of customers’ credit/debit cards until such a crime is reported,” said a senior official of ICICI Bank, the market leader in India with 8.5-million credit card subscribers.

“Cardholders are the first interface when a card-based financial transaction takes place. They can prevent any fraud by being extra vigilant about their cards,” he added.

According to credit card advisories, not losing sight of your card at a restaurant, a retail outlet or a petrol pump is the first step in card safety.

Metro had reported on Tuesday how a credit or debit card can be cloned if someone copies the encrypted data with a small card reader and transfers the data to another through special software and a card writer, which can be illegally bought online.

For online purchases, fraud-prevention measures are already in place. The Reserve Bank of India made it mandatory last year — with effect from August 1 — for all credit and debit card holders to get these registered for “3-Domain Secure”, an extra level of authentication for all online transactions.

The Card Security Code (CSC), sometimes called Card Verification Value or Code (CVV or CVC), is a security feature for credit or debit card transactions that gives increased protection against fraud. There are two security codes. The first code, called CVC1 or CVV1, is encrypted on the magnetic strip of the card and used for transactions “done in person” at merchant establishments through swiping.

The second code, CVV2 or CVC2, is required for online transactions where the “card is not present”, such as those done via the Internet, fax, phone or email. Online transactions should be done through sites that use encryption technologies. Any website that uses encryption technology has “https” instead of “http” in its URL.

Banks also advise their customers to make use of helplines to verify or confirm transactions and update their personal records. “It is very important for credit/debit card customers to always update changes in their telephone numbers so that the bank can contact them and confirm as soon as it notices an unusual transaction on the card of the customer,” said a representative of ICICI Bank, whose complaint led to Peter’s gang being busted.

On whether high-value transactions are randomly verified to curb misuse, the official said: “For transactions on international cards, we generally hold back the payment against an unusually high-value transaction for 120 days, called the charge-back period, so that any complaint regarding the transaction can be addressed.”