Costados Merchant Information

Costados KnowledgeBase: Avoid Debit Card Swindlers...

Beware the debit card swindlers:
Even the police praise the high-tech devices that can drain your accounts
Saturday, January 24, 2009
By: Steve Buist
Source: The Hamilton Spectator

Five seconds. "We've looked at the videotape, that's how long it took," said Detective Steve Cook of Hamilton Police Services major fraud unit. Five seconds was all the fraudsters needed to install the equipment that would rig an automatic banking machine to capture the debit card information from unsuspecting users. "One guy standing behind to block the view, the other guy takes the pieces out of a gym bag," said Cook. "Five seconds, he walks away, and it's ready to go."

But this is no amateurish duct-tape-and-chewing-gum job being pulled off. To an untrained eye, it would be difficult to detect that the machine had been compromised. The level of sophistication involved in today's typical debit card fraud is staggering - tiny computer processors attached to bank machines, miniature cameras, Bluetooth wireless technology, magnetic stripe encoders, portable safes. As technology evolves, there's a corresponding evolution in criminal techniques.

Since they were first introduced here just a quarter of a century ago, debit cards have become virtually indispensable for most Canadians. Canadians are world leaders in debit card use, second only to the Swedes. In 2007, Canadians used their debit cards four billion times, in total. But our love affair with debit cards comes with a price.

In 2007, nearly 160,000 cardholders - about 1 in 200 Canadians - were victims of debit card fraud, and were reimbursed almost $107 million, an amount nearly double what it was three years earlier. "Every time we put something new out there that has the potential of either acquiring money or being used in lieu of money, you've got a criminal enterprise that's going to capitalize on that," said Garry Clement, an investigator who specializes in fraud and money laundering.

Clement is a retired RCMP organized crime expert and now the managing director of the Toronto office of IPSA International, which provides investigative services to corporations across North America. "What people have to realize is that organized crime stays so far ahead of this technology," said Clement. "From a financial point of view, their resources are significantly greater than a lot of law enforcement agencies, so the investment they can make to stay ahead of this is probably pretty scary when it comes right down to it." "It's definitely a cat-and-mouse game," added Tina Romano, manager of public relations for Interac Association, the umbrella organization that runs Canada's debit card infrastructure.

There are significant links between some of the highly organized debit card scams and members of the Sri Lankan communities in Canada and the United Kingdom, according to Clement. Some of the proceeds of those crimes, Clement added, are being funnelled to the Tamil Tigers, a militant separatist organization that is recognized by Canada as a terrorist group. "I don't think you could say it's primarily for that," Clement noted. "What you've got to realize is that country is in total turmoil. As they say, today's freedom fighter is tomorrow's terrorist. I guess it depends what side you're looking at, but are they funding some of those factions? Definitely."

Tease apart the anatomy of a highly organized debit card scam and the ingenuity of the operation is, well, remarkable. Even the police express a grudging admiration for the resourcefulness of the crooks. "I'll go 'Wow, they thought of this now?'" said Cook.

The first step in a scam is to accumulate the debit card information from unsuspecting users, via a couple of avenues - from an automatic banking machine that has been rigged, or by tampering with the portable terminals that stores and restaurants hand their customers to enter their personal identification numbers during a transaction.

On a table at the Mountain police station, Cook spreads out a couple of pieces of grey metal that were confiscated during a bust of one debit card fraud. The first piece is about the size of a paperback book and it's fitted with a debit card insertion slot. The piece is manufactured to fit over the top of a bank machine's insertion slot, complete with an authentic-looking bank logo. Built into the piece is a magnetic stripe reader and processor that captures the account information stored on the debit card. When a user inserts a debit card, the counterfeit slot gathers the information before the card gets sucked through the real slot into the machine. Because the transaction proceeds normally, the user isn't aware that something improper has happened.

The second piece is designed to fit under the top of the banking machine. A small pinhole opening has been cut into the metal so that a miniature camera can record the keypad below. Next to the camera, a small computer processor stores the video, complete with a date and time stamp. In this case, there was even a small port attached for easy downloading of the information. When account information has been captured from a debit card inserted through the phoney front slot, the camera then records the PIN that has been entered by the customer. The date and time stamp allows the crooks to match the PINs with the right card info. At some later point, the fraudsters will return to retrieve the pieces they've installed and then the information will be dumped into a spreadsheet program.

"They know this is the right colour, the right fit," said Detective-Staff Sergeant Tony Belisario of Hamilton's major fraud unit, holding up one of the pieces. "It's all fabricated and then they're going to hit those same terminals from one side of the country to the other."

At a retail outlet, the thieves want to get their hands on the portable terminals used by the customers. Working in groups of two, their goal is to be the last shoppers left in a store at closing time. One of them will distract the sales staff while the other surreptitiously unplugs the debit card terminal and replaces it with a dummy replica. Overnight, the crooks will carefully open the confiscated terminal so that the security switch doesn't activate, and then a duplicate processing chip will be inserted beside the original chip. The newly inserted chip will now capture the account information stored on the magnetic stripe of the debit card when it's swiped in the machine. The duplicate processor comes equipped with Bluetooth wireless technology that will transmit the data like a radio signal that can be captured by a nearby laptop computer or BlackBerry-style device. The next morning, the thieves return as the store's first customers of the day, replace the dummy terminal with the altered terminal and then set up shop outside the store, ready to begin gathering information from the cards. You'd have no way of knowing the portable terminal has been compromised.

Once enough information has been stolen, it's surprisingly simple to make fake copies of the debit cards. A magnetic stripe encoding machine costs a few hundred dollars, and plastic cards with blank stripes can be easily purchased off the Internet at a cost of $19 for 100. The crooks will then begin encoding plastic cards with the required account information, and then write the PIN on the front of the card. The final step is the "spend" - the highly synchronized operation when the counterfeit debit cards are used to collect cash. The bank machines targeted for a spend may be spread across southern Ontario, into Quebec, and as far away as B.C.

Each team has four people - a driver, a lookout and two people inside at the automatic banking machine. Some of the team members may even be flown in from other provinces, to make it more difficult for police to identify the culprits from the security tapes. When Cook busted one operation taking place in Dundas, for example, some of the people arrested were from Montreal. The team will be told to arrive at its location at a specified time, say, 6 a.m. "It's usually not during banking hours," said Cook. "It's usually early in the morning when no one's around." The team is given a cellphone and a portable safe. At 6 a.m., a call comes in, giving the team the combination to the safe. Inside are all the counterfeit debit cards to be used during the spend, and the thieves are told not to exceed certain withdrawal thresholds with the cards to avoid setting off security warnings. And then it's like kids in a candy store. Card after card is inserted, and $480 or $980 is withdrawn time after time.

The thieves have only a small window of time before the cards will get shut down by the banking institutions. That's what prompted the introduction of safes. Teams were jumping the predetermined start time, which was reducing the amount of money that could be scooped up in an operation. The safes mean that an operation can now be completely synchronized for maximum profit.

On the other side of the equation, banking institutions are constantly monitoring transactions, looking for suspicious patterns of card activity. Within half an hour from the start of a spend, the banks will be able to identify that a fraud is taking place. The banks are able to work backwards in that short period of time to determine the common point of use where all the card information was stolen, whether it was a bank machine, retail outlet or fast-food restaurant, for example. "We'll start getting 911 calls from their investigative side, 'There's a fraud in progress, these cards are compromised, they're at these four locations on the Hamilton Mountain,'" said Cook. Once the common point and time frame for the theft of card information has been established, the banks will shut down all cards that had been used at the location, with a buffer zone of a month or two added at each end, just to be sure. And then the cycle starts all over again.
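The common-point-of-use analysis described above can be sketched in a few lines. This is an added example, not code from the article or from any bank's system: the card and terminal names, the transaction history and the 45-day buffer (a value inside the article's "month or two") are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample history: (card, terminal, date of legitimate use).
HISTORY = [
    ("card-A", "atm-main-st", date(2008, 11, 3)),
    ("card-A", "grocer-12", date(2008, 11, 20)),
    ("card-B", "grocer-12", date(2008, 11, 22)),
    ("card-B", "gas-7", date(2008, 11, 25)),
    ("card-C", "grocer-12", date(2008, 11, 28)),
    ("card-C", "atm-main-st", date(2008, 12, 1)),
    ("card-D", "grocer-12", date(2008, 12, 15)),  # not yet abused, inside buffer
    ("card-E", "grocer-12", date(2008, 6, 1)),    # long before the window
    ("card-F", "gas-7", date(2008, 11, 24)),
]

def common_point_of_use(history, fraud_cards):
    """Return (terminal, first_use, last_use) for the terminal shared by the
    most fraud-reported cards, or None when no terminal links two of them."""
    seen = defaultdict(dict)  # terminal -> {card: [dates used there]}
    for card, terminal, day in history:
        if card in fraud_cards:
            seen[terminal].setdefault(card, []).append(day)
    if not seen:
        return None
    # Simplification: rank by raw count; ties broken by terminal name.
    terminal, cards = max(seen.items(), key=lambda kv: (len(kv[1]), kv[0]))
    if len(cards) < 2:
        return None
    days = [d for used in cards.values() for d in used]
    return terminal, min(days), max(days)

def cards_to_block(history, fraud_cards, buffer_days=45):
    """Every card used at the common point within the window plus a buffer."""
    found = common_point_of_use(history, fraud_cards)
    if found is None:
        return set()
    terminal, start, end = found
    pad = timedelta(days=buffer_days)  # assumed value for the buffer zone
    return {card for card, term, day in history
            if term == terminal and start - pad <= day <= end + pad}
```

With cards A, B and C reported during a spend, the shared terminal is `grocer-12`, and card D is blocked as well even though it has not yet been abused.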

Cook doesn't want to leave you with the wrong impression about your debit card. "It's a very safe tool for obtaining things but you just have to be careful where you go," said Cook. "We tell people if you have a gut feeling that something is wrong, maybe someone was looking over your shoulder, then change your number. It's not that difficult to change it." Part of the problem, however, is that Canadians are too polite.

We think it's rude to shield the debit card keypad too closely. We assume the keypad we're handed is legitimate, and the bank machine hasn't been compromised. "When you're at a restaurant and you hand your card to somebody and they walk away with it, where do they go with it?" Cook asks. "You assume where they're going, but you didn't realize that that waiter or waitress has a drug habit and someone has said 'I'll give you $50 for every swipe you do into this machine.' Don't hand someone your card and let them walk away to wherever they go, because we are trusting," he added. "We're a trusting nation."

Cardholders who have been defrauded have their losses covered under the Code of Practice for Consumer Debit Card Services. However, a person may be liable for losses if the debit card was stolen and the PIN was written on the card or kept close to the card on a piece of paper.

Interac and the banks are taking steps to improve card security. Cards will soon come with microchips that will eventually replace the black magnetic stripe used to store information. The chip is like a miniature computer that allows the card to interact with the terminal to carry out additional security checks. By 2012, only cards with microchips will work in banking machines, and by 2015, the same will be true for retail outlets.

The complexity of the microchip cards makes them much more difficult to duplicate, as well. "Because it's like a computer, it would be too complicated and too advanced for a fraudster to even attempt that," said Romano, the Interac spokesperson.

Clement, the ex-RCMP inspector, is more skeptical, however. "When Visa and all the others came out with their holograms and said nobody will be able to capture that, what did it take them? Six to eight months?" said Clement. "The reality is initially it probably will protect for a considerable period of time, but to say it will never be cracked, I don't buy that." He said biometrics - cards embedded with your fingerprints or personal retinal scan - are probably the only foolproof security devices. "The problem there is the cost of producing those cards," Clement said. "The reality is that it's cheaper to take the fraud loss than it is to produce those cards."