News

Thieves skim customer data from debit terminals

Thieves are accessing consumers' credit and debit card information by stealing point-of-sale terminals used to pay for purchases and extracting the data that many merchants fail to delete from the devices' hard drives.

Merchants not vigilant about wiping point-of-sale machines clean

Thieves are accessing personal financial information using the old-fashioned smash-and-grab method, but what they're grabbing are point-of-sale terminals, not merchandise.

CBC-TV's Marketplace has learned that many retailers are not helping the situation because they leave valuable information on the terminals where customers swipe their debit and credit cards when paying for purchases instead of wiping the data each night as they're supposed to.

It's the equivalent of leaving the store vault open and full of cash, except the cash is credit and debit card data, said RCMP Det. John Koppes of Abbotsford, B.C., who is the Mounties' computer crime specialist.

Watch "Who's Minding the Store" on Marketplace, Friday at 8:30 p.m. ET, 9 p.m. in Newfoundland and Labrador.

"In the old days, they'd go with a gun, and they would try to get into the bank vault," said Koppes. "The criminals now know that the open bank vault per se can be the point-of-sale terminals sitting on a counter top or in a store."

Retailers not clearing terminal's hard drive

There are more than 630,000 point-of-sale terminals in Canada used by big and small companies alike. Consumers use them when paying for everything from groceries to gas to restaurant meals.

P.O.V.:

Point-of-sale: Are using these terminals high risk?

The terminals process millions of dollars worth of transactions every day. Retailers are supposed to regularly wipe clean the hard drives that store the data used to make those transactions to ensure customer information is protected.

But one computer security expert said that's not happening often enough.

"Ninety five per cent of the ones that I actually see do have data on them," said Ryan Purita of Vancouver-based Sherlock Forensics. "So, although … the consumer may think their data is safe, it isn't."

Last year in Abbotsford, about 80 km southeast of Vancouver, there were 28 thefts of point-of-sale terminals.

Once thieves strike, they'll often return to the same location several times. Koppes said. In one case Koppes looked at, the same chain had been hit more than 100 times.

Purita showed Marketplace just how easy it is to get financial information from a terminal's hard drive. Purita used a simple search to uncover 400 credit card numbers and PINs from a stolen terminal.

"These are not only credit card numbers; we have debit card numbers on here as well," said Purita. "So, you can see, there's the debit card and there's the actual pin number, if you will. It's encrypted, but it's also transmitted along with this information."

So, how much is such information worth?

"Here, I got at least $50,000 worth of credit card numbers on one page," said Purita.

Stolen data turned into credit cards, gift cards

Koppes recalled a recent arrest that turned up a USB key containing pages and pages of credit card information stored in a Microsoft Word document.

"The report was 275 pages long … literally thousands [of numbers]," Koppes said.

Asked what the thieves do with that information, Koppes replied: "Make new credit cards and gift cards that are loaded up with cash from the stolen credit card numbers they have.

"You take this card and run it through the card reader, then you can re-encode it and put the stolen data on the back of the card."

Vancouver Crown prosecutor Peter Stabler, who has tried numerous credit card fraud cases, believes retailers have a responsibility to protect their customers.

"Business practices have to change and adapt to prevent this on the front line," said Stabler.

But according to the Retail Council of Canada, protecting the consumer’s information is more difficult than people think.

"We're getting phone calls every day from merchants telling us some of the most innovative ways that thieves use to break into the store, break into the databases," said council president Diane Brisbois. "There is no question the merchants have to do everything to protect the information of his and her customers.

"The challenge here is that thieves always seem to be a step ahead. I think they [merchants] are trying their best to protect everyone. But unfortunately, you can't eliminate theft and can't eliminate gangs working on systems. It's an unfortunate reality."

As far as Stabler is concerned, it's not that the bad guys are one step ahead; it's that they've discovered a weak spot that retailers are not dealing with.

"They focus on nothing else but finding the weak spots of any business practice," he said.