Time for a serious move to smart cards (and Aastra's mini-ATM)!
[Note for newcomers - AAH is a participant in the Mondex smart card project - click on the link to msg #2]
Chilling debit-card scam uncovered
Major organized-crime bust reveals
simple method of siphoning bank accounts
TIMOTHY APPLEBY
The Globe and Mail
Friday, December 10, 1999
Toronto -- No debit card is safe.
That was the chilling message to emerge yesterday from the
arrest of dozens of alleged Eastern European organized-crime
figures in the Toronto area and in several other cities.
Stealing the encrypted data contained in the millions of such
cards used daily around the world used to be a complex
procedure. But not any more.
Now, with a single swipe through an electronically doctored
punch pad, that information can be captured, loaded on to a
phony card and used to siphon off the bona fide cardholder's
bank account. And the card needn't ever leave your hand.
In a consumer society where debit cards have become as
common as the use of cash -- per capita, Canada has one of
the highest rates of use in the world, with more than 34 million
cards in circulation -- the ramifications appear enormous.
"I can say with certainty that in my opinion the entire system has
been compromised. We could be talking about considerable
damage to the entire financial system," said RCMP Corporal
Mel Young, one of the technological experts attached to the
joint-forces police group that carried out yesterday's bust.
"Obviously the technology is not safe, something new has to be
developed to protect people. I can no longer say to Canadians,
'Watch who you give your card to; watch over your shoulder.' It
doesn't matter. The technology has surpassed that."
Police have been aware for at least two years that the
encrypted information on debit cards is being diverted and
stolen. One weekend in July, about 200 Montreal residents
collectively told police that amounts averaging $1,000 had
mysteriously disappeared from their bank accounts.
But until the Combined Forces Special Enforcement Unit made
a series of arrests in October in Toronto and York Region --
arrests that led directly to yesterday's swoop -- it was unclear
how the personal identification numbers were being captured.
Yesterday, investigators explained just how easy it is.
The debit-card contraption that sits on the counter of the
grocery store or gas station is replaced with another. (Gas
stations are alleged to have been a particular focus for the
people arrested yesterday, involving hundreds of different
outlets in the Toronto area alone.)
Peeking out from that second machine, just visible if you look
closely, is a set of wires, each attached to one of the numbers
on the key pad.
When the card is swiped, an electronic signal is sent from the
point of sale to the bank, requesting confirmation that the card
holder's credit is good. Meanwhile, a second set of signals is
transmitted through the wires.
That second transmission is simultaneously fed directly into a
computer, which in one case in the current investigation was
concealed close at hand in what was appeared to be a
multioutlet power bar.
That information is then uploaded onto a phony card, which
doesn't even need to be a credit or debit card as long as it has
the requisite magnetic stripe.
Even a driver's licence works. In an unrelated case, RCMP
Sergeant Gord Jamieson once came across a plastic hotel key
that had been transformed into a MasterCard.
Several hundred fake cards were seized in the course of the
current investigation. But as Cpl. Young pointed out, "You don't
need that many. Once you've reached somebody's limit on a
debit card, you can just reload it" with new information.
So far, debit-card information is known to have been been
criminally uploaded in Toronto, Montreal, Winnipeg and the
small Ontario town of Alliston, among other places.
Police can only guess at the full scale of the operation. But in
the course of one recent weekend, Sgt. Jamieson said, thieves
are known to have netted between $300,000 and $400,000.
Gene McLean, director of security for the Canadian Bankers
Association, is the first to concede that this latest twist in
fraudulent credit cards and debit cards is going to send shock
waves through the banking system.
"I anticipate lots of consternation and concern: 'What are we
going to do?' "
Experts agree that the only solution lies in individualizing each
debit card and credit card through the development of a "chip"
card that is akin to a fingerprint.
For example, MasterCard International Inc. is currently
developing a new kind of card called Magnaprint, which has a
unique numeric value attached to each card.
"That technology's out there, they're looking at it right now,
they're testing it in certain cities in the U.S., and the studies are
very favourable," Sgt. Jamieson said. "But these solutions are
two, three, four years away. So for the next two or three years
it's going to be profitable."
The data pads are supposed to be tamper-proof, Sgt.
Jamieson said: "The industry brags about it."
But now that it's clear the pads are not secure, the best --
perhaps only -- advice to consumers is that they watch their
bank balances carefully.
Credit-card fraud, which the CBA reckons amounted to at least
$162-million in the 12-month period ending March 31, is not
new.
Nor is the creation of counterfeit credit cards. Through a
technique known as double-swiping, a crooked merchant can
duplicate the data on a credit card through an illegal device the
size of a cigarette lighter that transmits the information and
allows it to be copied.
"Skimming," as the operation is dubbed, has been a growing
problem since 1997 and represented about half of all that
$162-million. (Stolen cards, the acquisition of credit-card
numbers over the telephone, false applications and
non-payment of maxed-out cards accounted for most of the
rest.)
On a relatively small scale, debit-card theft has been occurring
for almost as long as the cards have been in use.
What is termed "shoulder-surfing" (peering over someone's
shoulder when they punch in their four-digit personal
identification numbers) has been augmented in some instances
by criminals' use of concealed cameras, installed in the ceilings
above automated teller machines, which photograph the PINs.
But that was only half the operation. For the card to work, that
four-digit PIN had to be matched up to the rest of the
information on the card, requiring a double swipe of the card
through that same lighter-sized device.
Typically, that double swipe would be done in a retail outlet near
the ATM, where a crooked employee would be primed to watch
for certain customers.
The single-swipe electronic penetration of the debit-card
system represents a sinister twist, police say, because it offers
criminals a host of largely risk-free benefits that credit cards do
not.
First, debit cards give access to cash rather than fraudulently
obtained goods, which have to be either used or resold,
typically at half their retail value or less, with all the risks that
come with dealing in stolen goods.
That cash, moreover, can be substantial. Debit-card users
commonly have daily withdrawal limits of up to $1,000, but the
direct-purchase limits are much higher.
"We've been seeing the Russian [data thieves] going to the
casinos quite a bit because unlike the ATMS, there are no
maximum daily limits," Sgt. Jamieson said. "The casinos treat it
as a purchase, not as a cash advance [withdrawal]."
Second, phony debit cards are used entirely at
automated-teller machines or at retail outlets, with no human
interaction at all. No name is needed and there is nothing to
sign. The cash simply disappears from the legitimate card
holder's account.
Third, weeks or months may pass before the unwitting victim is
even aware of what is happening -- if then.
With credit cards, most consumers eye their monthly bill
carefully.
But a bank account that is commonly used by more than one
member of a family is another matter. If a $100 here and $200
there vanishes, not everyone is going to notice.
But that's not usually how it works, Mr. McLean said. More
commonly, he said, "they're going to just whack you -- and you
will notice it."
Mr. McLean pointed out that even though the debit-card system
is under attack by organized crime, use of such cards is still
safer than carrying around pocketfuls of cash, which can be lost
or stolen.
And as with credit cards, banks will usually reimburse
customers who have been ripped off. Before this happens,
however, they have to establish how and where the theft took
place.
Even if the debit-card system is overhauled -- a huge operation
whose costs are sure to be directly or indirectly relayed to
customers -- what then?
"Banks and credit-card companies are going to have to invest a
lot of resources to develop a new technology," predicted RCMP
Supt. Ben Soave, who led yesterday's operation. "But the bad
guys are going to try and break whatever the banks will do."
HOUSE OF CARDS
Canada currently has an adult population of about 22 million --
and more than 34 million bank-debit cards in circulation.
In most cases, they can be used at any automatic-teller machine
bearing the Interac or Plus logo -- and consumers used them
more than 1.36 billion times last year.
At the more than 24,000 banking machines currently in use,
Canadians make an average of 53 cash withdrawals a year, the
highest per-capita rate in the world.
Last year, more than 320,000 retail outlets accepted debit
cards, which an estimated 14.3-million Canadians used to buy
goods. The average transaction was $43.62.
Source: Interac
DUPLICATING DATA
How thieves access your debit card details:
1. Transaction and account details are automatically sent to the
card holder's bank.
2. A second set of wires, installed by the thief, collects and
records the details, including the card's PIN.
3. To gain access to the funds, the thief transfers the card
details onto a false card.
|
