Fraud in Canada

Now that the Visa and MasterCard liability shifts have happened and major retailers have either moved or are actively working towards EMV, you may be thinking… fraud is a thing of the past. After all, studies have shown that in countries that have implemented EMV, the fraud migrated to areas that were not protected.

While this may be true, the reality here in Canada is that we are still a very attractive target for fraudsters because of one of our favourite ways to pay: debit. Interac Debit makes up close to 60% of all electronic transactions processed in Canada, and the deadline for Interac chip and pin is not until December 2015. So until then, there can still be merchants processing Interac debit cards by using the mag swipe and pin numbers. And mag swipe transactions are what make the fraudsters’ eyes turn to dollar signs.

Fraudsters are still looking for ways to capture mag data and pin numbers, and they do this by stealing and compromising pinpads. They will target high-traffic locations because of the volumes passing through the point of sale. They will steal a pinpad and compromise it by cracking it open and installing rogue hardware that is developed to steal the mag data as it’s swiped through the pinpad and capture the pin numbers as they are keyed in by the customers. They will then take the compromised unit, install it back at the same merchant’s location and start collecting the data. The information is usually sent by Bluetooth to a laptop remotely and stored. They will then take this data and use it to manufacture counterfeit cards. And the counterfeit cards are good. Gone are the days of plugging the data on a blank card or a library card. Today’s counterfeit cards look just like the real ones, with minor discrepancies. So an unsuspecting clerk will just take the transaction and process it as usual.

There are two main ways the fraudsters are exploiting the information they’ve stolen. One way is they will take the counterfeit cards and use them at merchant locations to purchase fenceable goods (like electronics or jewellery), or they will hit merchant locations that offer cash back. They’ll buy a pack of gum for a buck and ask for 100 dollars in cash back. The second way is a much more coordinated attack. The fraudsters will produce thousands of counterfeit cards and use “mules” to execute a fraud blitz. Each mule will have about 10 cards that they are given in a lock box. At a coordinated time, they will be sent the code to unlock the lock along with the pin numbers. Their sole job is to hit ABMs that are not chip enabled and to just start withdrawing money, as much as they can for each card, until the card is drained or the banks have blocked the cards. These attacks have been known to produce up to $800,000 of stolen funds in a matter of 15 minutes.

Until the entire industry has moved to chip and pin, it’s the responsibility of every merchant to help try to mitigate fraud.  No merchant wants to be named as a possible source of a compromise.  It’s impossible to put a price on your reputation but shaken faith from your customers will undoubtedly affect your business negatively.

How to protect against fraud

So fraud is still an issue… so what?  You’re not on the hook for the debit card losses due to fraud… the issuing banks are.  Why should you invest money and resources to protect yourself?  How does this affect you?

Well, we touched on it a bit in the last article and it’s worth re-emphasizing… it’s your reputation on the line.  While the issuing banks and Acquirers are not allowed to disclose the point of compromise, sometimes information will get leaked to the media. (Think about the huge TJX issue a couple of years ago… that incident alone put fraud on the radar for all the major merchants).  And for smaller merchants, it’s your repeat customers and word of mouth that brings new customers in.  If there is a breach in the trust that your customers have for you, they will simply stop coming and find another merchant that supplies the same product or service.  There are thousands of horror stories that law enforcement and fraud specialists can tell you of small merchants who have had to shut down because a group of individuals put together that they were all at this one location last and decided on their own that that poor merchant was the point of compromise and therefore not to return.

Securing your pinpad is the easiest way to defend yourself. If your pinpad is on a stand and secured to the countertop, it makes it significantly more difficult for a fraudster to come in and steal it… let alone bring it back and reinstall it without you knowing. Have your staff do daily checks on the pinpad. Check to ensure the serial number matches. Check the unit for marks that could show that someone tried to tamper with it. If the pinpad is not secured, put it away when it’s not in use. You would never leave your till open if you weren’t standing there… leaving your pinpad in the open is the same thing. It’s like cash on the counter for a fraudster. If you have a multi-lane location or several locations, look into installing reactivation software. This software disables a pinpad if it gets unplugged for a predetermined period of time. For example, you can set the time for 5 minutes. So if the unit is unplugged for more than 5 minutes, it disables the unit, requiring that you call into your Acquirer to have it reset. Any disabled units should be handled with suspicion because no unit should be unplugged for more than 5 minutes. Most Acquirers or software providers should be able to give you more information on this type of software.
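To make the two checks above concrete (the daily serial-number match and the 5-minute unplug rule), here is a short Python sketch that reviews a day of pinpad connection events. It is an added example, not code from this article or from any Acquirer's reactivation product; the log format, lane names and serial numbers are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data: the serial number expected on each lane, and a
# day of pinpad connection events (timestamp, lane, event, serial reported).
EXPECTED_SERIALS = {"lane1": "SN-1001", "lane2": "SN-1002", "lane3": "SN-1003"}
SAMPLE_LOG = """\
2015-03-02T09:00:00 lane1 CONNECT SN-1001
2015-03-02T09:00:05 lane2 CONNECT SN-1002
2015-03-02T09:00:09 lane3 CONNECT SN-1003
2015-03-02T12:10:00 lane1 DISCONNECT SN-1001
2015-03-02T12:12:30 lane1 CONNECT SN-1001
2015-03-02T14:00:00 lane2 DISCONNECT SN-1002
2015-03-02T14:47:00 lane2 CONNECT SN-1002
2015-03-02T16:20:00 lane3 DISCONNECT SN-1003
2015-03-02T16:21:00 lane3 CONNECT SN-9999
"""
MAX_UNPLUGGED = timedelta(minutes=5)  # the 5-minute limit used in the article


def review_pinpad_events(log_text, expected, end_of_review=None, limit=MAX_UNPLUGGED):
    """Return {lane: [reasons]} for pinpads to disable and inspect by hand."""
    findings, unplugged_at = {}, {}

    def flag(lane, reason):
        findings.setdefault(lane, []).append(reason)

    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, lane, event, serial = line.split()
        when = datetime.fromisoformat(stamp)
        if event == "DISCONNECT":
            unplugged_at[lane] = when
        elif event == "CONNECT":
            # A first connect with no earlier disconnect counts as zero downtime.
            gone = when - unplugged_at.pop(lane, when)
            if gone > limit:
                flag(lane, f"unplugged for {int(gone.total_seconds() // 60)} min")
            if serial != expected.get(lane):
                flag(lane, f"serial {serial} does not match {expected.get(lane)}")
    # A unit that never came back also exceeds the limit once enough time passes.
    if end_of_review is not None:
        for lane, since in unplugged_at.items():
            if end_of_review - since > limit:
                flag(lane, f"still unplugged since {since.isoformat()}")
    return findings


if __name__ == "__main__":
    for lane, reasons in review_pinpad_events(SAMPLE_LOG, EXPECTED_SERIALS).items():
        print(lane, "->", "; ".join(reasons))
```

On the sample data, lane1's short unplug passes, lane2 is flagged for a 47-minute gap, and lane3 is flagged because a different serial number came back after only one minute, which the timer alone would have missed.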

Small changes layered on top of each other are the best way to help mitigate fraud. Just remember that the fraudsters will always take the path of least resistance. Implementing these small changes automatically makes you a less attractive target, and they will likely move on to the next merchant who hasn’t taken these precautions.


About Admin

Matthew Hunt has been helping small businesses get set up with Canadian Merchant Account Services since 2007 and has helped 1000s do so.

