Sat | Nov 23, 2024

Scanned and scammed

Crooks step up schemes targeting POS machines to clone debit, credit cards

Published:Sunday | February 12, 2023 | 1:25 AMLivern Barrett - Senior Staff Reporter

Dane Nicholson, chairman of the JBA’s anti-fraud committee, shows recovered point-of-sale terminals which had been compromised by fraudsters and used to skim sensitive information from bank cards of unsuspecting customers.
Dane Nicholson, chairman of the JBA’s anti-fraud committee, shows recovered point-of-sale terminals which had been compromised by fraudsters and used to skim sensitive information from bank cards of unsuspecting customers.

A businessman was left baffled after the card machine, or point-of-sale (POS) terminal, at his retail shop kept rejecting payment. His apprehension worsened when the absence of a unique mark on the underside of the machine confirmed that it was not...

A businessman was left baffled after the card machine, or point-of-sale (POS) terminal, at his retail shop kept rejecting payment.

His apprehension worsened when the absence of a unique mark on the underside of the machine confirmed that it was not the one linked to his thriving business, located in eastern Jamaica.

Video footage from the store’s security cameras provided some answers. A pair of crooks pretending to make a card payment switched his POS machine while the cashier was distracted.

POS machines have become a prime target for criminals, who use them to devise “very sophisticated” identity theft and other fraudulent schemes that are raking in billions of dollars, according to local fraud experts.

The Jamaica Bankers’ Association (JBA) says more than 60 machines were reported stolen from merchants last year, including 15 in the past month.

Crooks initially targeted gas stations, but have since widened their net to restaurants, pharmacies, doctor’s offices and other entities with wide customer bases, said Dane Nicholson, chairman of the JBA’s anti-fraud committee.

Gas station operators

Errol Edwards, president of the Jamaica Gasolene Retailers Association, said gas station operators have reported losing their mobile POS machines to thieves travelling on motorcycles or in heavily tinted cars.

“They either come and grab it and run to a waiting car or take the machine from the attendant to enter their PIN then skilfully switch it with another one then leave. It will look similar and everything, but by the time you realise, they are gone,” Edwards said.

But he said there have not been many incidents in recent times, noting that some gas retailers have opted to discontinue kerb-side transactions.

The stolen POS machines are retrofitted with high-tech gadgets capable of secretly capturing a customer’s card number and personal identification number (PIN), Nicholson explained.

Through collusion with employees or trickery, including switching, the compromised POS machine ends up at a business establishment, usually one with a large customer base.

At least six cashiers were arrested and charged islandwide in the last quarter of last year for their alleged roles in several identity theft schemes involving POS machines while others are under investigation, Nicholson disclosed.

“So, how it works is that you go somewhere to make a purchase and the cashier gives you a machine. You swipe your card and enter your PIN then they tell you that the machine is not working and that they will have to use another machine,” he explained.

“The second machine is usually the one that genuinely belongs to the entity and the transaction will then go through. But by that time your information is already captured in the first machine.”

Nicholson, who has disassembled scores of compromised devices, said the use of Bluetooth and near-field technology means that in some instances, fraudsters don’t have to physically retrieve the retrofitted machines.

Bogus POS machine

“They can stay within a certain proximity of the location and remotely download the data, sometimes even encrypting it,” he said during an interview with The Sunday Gleaner last Thursday, making reference to sensitive customer information mined with the bogus POS machine.

Nicholson said the information skimmed from customer’s credit and debit cards is then transferred to the magnetic strip of a blank card to create a duplicate or clone.

“This allows them to make point-of-sale purchases or withdraw cash at ABMs or if it’s a card that can conduct online transactions, they proceed to conduct e-commerce transactions.”

Around the middle of last year a handful of customers who dined at a popular St Andrew restaurant began noticing suspicious transactions on their account and alerted their respective banks.

As part of the probe, investigators confiscated and examined a POS machine that was in use at the restaurant, a source told The Sunday Gleaner.

“When the device was opened, a number of foreign objects were detected, including a skimmer, which captures card information, and also a keypad overlay, which stores customers’ PIN information,” the source said.

In the last three years, Jamaican commercial banks had accumulated fraud losses totalling just over $2 billion, the JBA anti-fraud expert said, citing figures released by the Bank of Jamaica (BOJ).

Debit and credit card losses account for approximately 60 per cent of these losses each year, Nicholson disclosed.

“Most times, the financial institution will reimburse customers for these types of activities because the customer would not be aware. So, it’s the financial institutions that underwrite the losses,” said Nicholson.

The number of credit and debit cards in circulation nationally is unclear, but approximately 1.79 million debit cards were active over the last year on the MultiLink network, Jamaica’s largest retail payment system.

The BOJ figures show that total accumulated fraud losses across the banking sector have been on the decline, moving from $791 million in 2020 to $717 million in 2021 and then to $705 million last year.

Nicholson attributed this to the roll-out of chip cards across the local banking sector. He urged consumers to stop handing over such cards to persons processing their transactions.

“Another trend that we are seeing is when you give them the card, they will either write down the information or they will set their phones in a strategic location to record or take a photograph of the back and front of your card,” he noted.

livern.barrett@gleanerjm.com

RECOMMENDATIONS

Be aware of the double swipe of your cards. Where this happens, raise it with the management of the entity to ensure that the two machines used to swipe your card are legitimate.

Stop swiping and utilise the chip and signature, chip and PIN or tap and go features of your card. This will mitigate the risks.

Stop turning over your chip/tap cards to pump attendants and cashiers. Always maintain possession of your card.

Always use your free hand to protect your PIN while using a POS machine or ABM. Persons behind you in the line sometimes engage in what is called ‘shoulder surfing’ by standing close behind you to capture your PIN.

Always ensure that your card is processed in your presence. Never allow anyone to walk away with your card. It only takes a few seconds to capture the card information.