The Globe & Mail
Friday, December 10, 1999
page 1

Chilling debit-card scam uncovered

Major organized-crime bust reveals simple method of siphoning bank accounts

by Timothy Appleby

TORONTO -- No debit card is safe.

That was the chilling message to emerge yesterday from the arrest of dozens of alleged Eastern European organized-crime figures in the Toronto area and in several other cities.

Stealing the encrypted data contained in the millions of such cards used daily around the world used to be a complex procedure. But not any more.

Now, with a single swipe through an electronically doctored punch pad, that information can be captured, loaded on to a phony card and used to siphon off the bona fide cardholder's bank account. And the card needn't ever leave your hand.

In a consumer society where debit cards have become as common as the use of cash -- per capita, Canada has one of the highest rates of use in the world, with more than 34 million cards in circulation -- the ramifications appear enormous.

"I can say with certainty that in my opinion the entire system has been compromised. We could be talking about considerable damage to the entire financial system", said RCMP Corporal Mel Young, one of the technological experts attached to the joint-forces police group that carried out yesterday's bust.

"Obviously the technology is not safe, something new has to be developed to protect people. I can no longer say to Canadians, 'Watch who you give your card to; watch over your shoulder.' It doesn't matter. The technology has surpassed that."

Police have been aware for at least two years that the encrypted information on debit cards is being diverted and stolen. One weekend in July, about 200 Montreal residents collectively told police that amounts averaging $1,000 had mysteriously disappeared from their bank accounts.

But until the Combined Forces Special Enforcement Unit made a series of arrests in October in Toronto and York Region -- arrests that led directly to yesterday's swoop -- it was unclear how the personal identification numbers were being captured.

Yesterday, investigators explained just how easy it is.

The debit-card contraption that sits on the counter of the grocery store or gas station is replaced with another. (Gas stations are alleged to have been a particular focus for the people arrested yesterday, involving hundreds of different outlets in the Toronto area alone.)

Peeking out from that second machine, just visible if you look closely, is a set of wires, each attached to one of the numbers on the key pad.

When the card is swiped, an electronic signal is sent from the point of sale to the bank, requesting confirmation that the card holder's credit is good. Meanwhile, a second set of signals is transmitted through the wires.

That second transmission is simultaneously fed directly into a computer, which in one case in the current investigation was concealed close at hand in what appeared to be a multioutlet power bar.

That information is then uploaded onto a phony card, which doesn't even need to be a credit or debit card as long as it has the requisite magnetic stripe.

Even a driver's licence works. In an unrelated case, RCMP Sergeant Gord Jamieson once came across a plastic hotel key that had been transformed into a MasterCard.

Several hundred fake cards were seized in the course of the current investigation. But as Cpl. Young pointed out, "You don't need that many. Once you've reached somebody's limit on a debit card, you can just reload it" with new information.

So far, debit-card information is known to have been criminally uploaded in Toronto, Montreal, Winnipeg and the small Ontario town of Alliston, among other places.

Entire debit-card system compromised, police say

Police can only guess at the full scale of the operation. But in the course of one recent weekend, Sgt. Jamieson said, thieves are known to have netted between $300,000 and $400,000.

Gene McLean, director of security for the Canadian Bankers Association, is the first to concede that this latest twist in fraudulent credit cards and debit cards is going to send shock waves through the banking system.

"I anticipate lots of consternation and concern: 'What are we going to do?' "

Experts agree that the only solution lies in individualizing each debit card and credit card through the development of a "chip" card that is akin to a fingerprint.

For example, MasterCard International Inc. is currently developing a new kind of card called Magnaprint, which has a unique numeric value attached to each card.

"That technology's out there, they're looking at it right now, they're testing it in certain cities in the U.S., and the studies are very favourable", Sgt. Jamieson said. "But these solutions are two, three, four years away. So for the next two or three years it's going to be profitable."

The data pads are supposed to be tamper-proof, Sgt. Jamieson said: "The industry brags about it."

But now that it's clear the pads are not secure, the best -- perhaps only -- advice to consumers is that they watch their bank balances carefully.

Credit-card fraud, which the CBA reckons amounted to at least $162-million in the 12-month period ending March 31, is not new.

Nor is the creation of counterfeit credit cards. Through a technique known as double-swiping, a crooked merchant can duplicate the data on a credit card through an illegal device the size of a cigarette lighter that transmits the information and allows it to be copied.

"Skimming", as the operation is dubbed, has been a growing problem since 1997 and represented about half of all that $162-million. (Stolen cards, the acquisition of credit-card numbers over the telephone, false applications and non-payment of maxed-out cards accounted for most of the rest.)

On a relatively small scale, debit-card theft has been occurring for almost as long as the cards have been in use.

What is termed "shoulder-surfing" (peering over someone's shoulder when they punch in their four-digit personal identification numbers) has been augmented in some instances by criminals' use of concealed cameras, installed in the ceilings above automated teller machines, which photograph the PINs.

But that was only half the operation. For the card to work, that four-digit PIN had to be matched up to the rest of the information on the card, requiring a double swipe of the card through that same lighter-sized device.

Typically, that double swipe would be done in a retail outlet near the ATM, where a crooked employee would be primed to watch for certain customers.

The single-swipe electronic penetration of the debit-card system represents a sinister twist, police say, because it offers criminals a host of largely risk-free benefits that credit cards do not.

First, debit cards give access to cash rather than fraudulently obtained goods, which have to be either used or resold, typically at half their retail value or less, with all the risks that come with dealing in stolen goods.

That cash, moreover, can be substantial. Debit-card users commonly have daily withdrawal limits of up to $1,000, but the direct-purchase limits are much higher.

"We've been seeing the Russian [data thieves] going to the casinos quite a bit because unlike the ATMs, there are no maximum daily limits", Sgt. Jamieson said. "The casinos treat it as a purchase, not as a cash advance [withdrawal]."

Second, phony debit cards are used entirely at automated-teller machines or at retail outlets, with no human interaction at all. No name is needed and there is nothing to sign. The cash simply disappears from the legitimate card holder's account.

Third, weeks or months may pass before the unwitting victim is even aware of what is happening -- if then.

With credit cards, most consumers eye their monthly bill carefully.

But a bank account that is commonly used by more than one member of a family is another matter. If a $100 here and $200 there vanishes, not everyone is going to notice.

But that's not usually how it works, Mr. McLean said. More commonly, he said, "they're going to just whack you -- and you will notice it."

Mr. McLean pointed out that even though the debit-card system is under attack by organized crime, use of such cards is still safer than carrying around pocketfuls of cash, which can be lost or stolen.

And as with credit cards, banks will usually reimburse customers who have been ripped off. Before this happens, however, they have to establish how and where the theft took place.

Even if the debit-card system is overhauled -- a huge operation whose costs are sure to be directly or indirectly relayed to customers -- what then?

"Banks and credit-card companies are going to have to invest a lot of resources to develop a new technology", predicted RCMP Supt. Ben Soave, who led yesterday's operation. "But the bad guys are going to try and break whatever the banks will do."

House of Cards

Canada currently has an adult population of about 22 million -- and more than 34 million bank-debit cards in circulation.

In most cases, they can be used at any automatic-teller machine bearing the Interac or Plus logo -- and consumers used them more than 1.36 billion times last year.

At the more than 24,000 banking machines currently in use, Canadians make an average of 53 cash withdrawals a year, the highest per-capita rate in the world.

Last year, more than 320,000 retail outlets accepted debit cards, which an estimated 14.3-million Canadians used to buy goods. The average transaction was $43.62.
Source: Interac

Duplicating Data

How thieves access your debit card details:
Transaction and account details are automatically sent to the card holder's bank.
A second set of wires, installed by the thief, collects and records the details, including the card's PIN.
To gain access to the funds, the thief transfers the card details onto a false card.

Copyright © 1999 by The Globe & Mail. All Rights Reserved. Reprinted with permission.