Banks under siege

Multiple fraudulent schemes uncovered in recent months have left a number of Jamaican banking institutions and their customers with losses or “potential exposure” amounting to nearly $1 billion, local authorities have confirmed.

The sophisticated schemes target weaknesses in the processes which manage offline point-of-sale (POS) transactions, credit card refunds and customers’ personal information, forcing nearly all banks and financial institutions to implement new rules for related transactions.

SIGNIFICANT CHUNK FROM FRAUDULENT OFFLINE TRANSACTIONS

Fraudulent offline POS transactions account for a significant chunk of the losses and financial exposure, and “usually involve 99.99 per cent collusion” with unscrupulous merchants, insiders disclosed to The Sunday Gleaner.

They typically involve the use of a cloned bank card to process a transaction – usually for millions of dollars – on POS devices that are deliberately taken offline, one insider explained.

Point-of-sale machines were developed with an option for them to operate offline during disruption to Internet service or emergency situations, one cybercrime expert told The Sunday Gleaner.

According to the expert, a POS terminal that is offline is unable to communicate between the bank that owns it (the acquiring bank) and the one that issued the card (the issuing bank) being used in the transaction.

“As such, the acquiring bank is not able to pass the authorisation off to the issuing bank before actually getting approval,” he explained.

Seeking to take advantage of this gap, fraudsters are reportedly approaching merchants offering to pay them a small percentage for use of their POS terminals to process a fraudulent transaction, one insider charged.

“For example, if they are going to process a transaction for $20 million, $2 million is for the merchant,” the cybercrime expert said.

After taking the device offline, the fraudster processes the transaction by entering the 16-digit card number on the bogus card, the card verification value number and the expiry date along with an ‘authorisation code’ associated with the transaction, he further disclosed.

“Even though the standard authorisation code is six digits, if they put in a three-digit number or a two-digit number, it is going to accept it because it is not communicating with the financial institution,” the expert explained to The Sunday Gleaner.

Next, the fraudster inputs the value of the transaction, which does not need to correspond with the available balance on the card.

“So you can have a card with only $1 on it, but process a transaction in offline mode for $20 million and it will be approved,” the expert said.

With some banks providing same-day or three-day settlements, the cash is “automatically” credited to the merchant’s account after the transaction is ‘approved’ and the POS device is brought back online.

The fraudulent transaction is usually detected when the settlement file is routed through the Visa or MasterCard network for approval.

“So the merchant would give the fraudster $18 million and keep $2 million and then by the time the transaction comes back from the credit card company to say the transaction is fraudulent, there is no money in the [merchant’s] account to offset the chargeback that will come in,” the expert said.

This practice is a “clear” breach of the agreement signed between merchants and financial institutions for the use of POS terminals, one insider asserted.

According to the insider, the agreement “clearly” outlines the steps merchants must follow before an offline transaction is processed.

As a result, law enforcement officials disclosed that “several” merchants are facing criminal prosecution for conspiracy to defraud.

Other merchants have had their accounts restricted, while some have opted for payment arrangements to reimburse the affected financial institutions.

The Financial Investigations Division (FID) confirmed to The Sunday Gleaner on Friday that it is “actively” probing 11 cases at two financial institutions that have “potential exposure of hundreds of millions of dollars” and expects to get additional cases.

The FID, which falls under the Ministry of Finance, is the state agency tasked with enforcing Jamaica’s Proceeds of Crime Act (POCA).

PERSONAL DATA BREACH MORE SINISTER

The scheme that targets customers’ personal data is more sinister, according to insiders, who disclosed that customers at the targeted financial institution had their login credentials changed without their authorisation.

The cash is then transferred out of the customer’s account to multiple accounts of money mules linked to the fraudsters, one source explained.

Fraudsters who mysteriously gained access to sensitive personal data for customers at one financial institution were able to siphon off J$52 million and US$322,000 from several accounts, according to the FID.

The Sunday Gleaner is withholding the name of the institution.

Keith Darien, principal director of the FID, disclosed that six such cases were uncovered and that 16 persons have been arrested and charged for various criminal offences under POCA.

CREDIT CARD REFUND SCHEME ‘PREVALENT AND LUCRATIVE’

The credit card refund scheme exploited weaknesses in the system that allowed a merchant to process refunds to a debit or credit card within days without having an “original transaction”, the cybercrime expert explained.

“So, the merchant account is going to be debited for a transaction that was never processed originally. So, what they are doing is taking money from the merchant who will end up losing money at all times,” he explained.

That cashback, he explained, is typically sent directly to a cloned bank card that is in the possession of fraudsters.

“They can then monetise it by shopping online or doing whatever they want,” said the expert.

Financial institutions have since implemented measures such as verified and/or delayed refunds to ensure they can spot and cancel suspicious transactions in time, one banking executive told The Sunday Gleaner.

One fraudulent credit card refund transaction involving more than $20 million is currently under investigation by the FID, the agency confirmed.

Banking insiders say the scheme is “very prevalent and lucrative” for fraudsters and has been used to fleece millions of dollars in goods and services from merchants across several industries.

“Several merchants have lost significant sums from it,” said one insider, noting that gas stations, supermarkets, hardware and liquor stores are among the businesses often targeted by fraudsters.

‘UNPRECEDENTED RISE’ IN FRAUD CASES

The FID head noted that like other law enforcement entities, the agency is seeing an “unprecedented rise” in the number of fraud-related cases being referred for investigation.

“Our intelligence is pointing to the fact that a lot of the fraud being encountered is enabled, in some way, by persons connected to the financial institutions,” Darien told The Sunday Gleaner yesterday.

Dane Nicholson, chairman of the Jamaica Bankers Association’s anti-fraud committee, noted that the group is aware of the various fraudulent schemes in existence and warned merchants against colluding with fraudsters “because they will ultimately be held liable for the transactions”.

Nicholson also urged business operators to ensure that they follow the established policies and procedures set out in their merchant agreement for the processing of specific transactions.

The FID acknowledged that some financial institutions submit “high-quality” reports of suspicious transactions in keeping with their obligations under POCA.

However, Darien noted that the entity, like other investigative agencies, is finding it difficult to recruit and retain staff, including police personnel and financial forensic examiners, which impacts the timeliness of completing investigations.

He said this, coupled with some “very large and complex” high-public interest fraud cases that have surfaced in recent months, including the alleged US$10 million fraud at the investment firm Stocks & Securities Limited, means that “prioritisation needs to take place”.

Some cases are referred to the police and the Major Organised Crime and Anti-Corruption agency, he disclosed.

“But rest assured, no stone is left unturned in bringing perpetrators to justice,” Darien insisted.

livern.barrett@gleanerjm.com