June 8 - The recent debit card skimming incident at the arts-and-crafts chain Michaels Stores highlights one way fraudsters are stealing debit card data. The incident continues to make news headlines at the national level in both banking and consumer dailies. The newest revelations indicate that analytics played a key role in finding the source of the data, which is not a surprise.
To summarize the Michaels Stores case, some 90 point-of-sale terminals (PIN pads) were compromised and replaced by criminals. Somehow the perpetrators managed to swap these terminals in and out of the stores. How did they manage to do so without being noticed by employees or customers? Did the swaps take place over a short period of time (which might signify a large and organized group) or were the swaps executed over a number of months (indicating that perhaps just a few people pulled it off)? On May 12, the company announced that the tampering was conducted over a three-month period.
Knowing the length of time in which swapping occurred is important on the forensics front because a short period of time likely means that a lot of POS terminals were acquired first, compromised and then swapped. This would mean a higher level of investment by the group, and thus the anticipation of a higher payback. However, the capture of a couple of skimming perpetrators in the Waterloo, Ontario region in April shows how POS swaps can take place.
One of the men would distract an employee at the victimized business late in the day while the other stole the POS terminal, replacing it with a fake. Early the next morning, just after the store opened, they would put the original terminal, now modified to capture card data, back in place and take back the fake one. They were caught when an alert customer noticed what they were doing and reported it to the police.
In the Michaels case, swapping 90 terminals would be labor- and time-intensive, but doable. I have not seen any announcement yet as to how the criminals retrieved the data from the devices. It seems, however, that the return on investment for the criminals must be marginal, as fraudulent transactions on only 100 cards have been reported. They must have captured a lot more cards than that! Assuming that this is representative of the breach size, why weren’t there more transactions?
A powerful means of finding the source of debit card fraud is through common point of purchase analysis. By looking at the usage histories of compromised debit cards, one can find common locations and times that those cards were used. This is a very strong indicator that a skimming device was at that spot. It is then a process of identifying other cards that were used at the same device and canceling or suspending them before there are more fraudulent transactions.
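A minimal sketch of common point of purchase analysis, added here as an illustration and not taken from the article or from any vendor's product. The transaction records, terminal names and the scoring rule (the share of a terminal's cards that later reported fraud) are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample purchase history: (card, terminal, date). Not real data.
TRANSACTIONS = [
    ("card-01", "store12-pos3", date(2011, 3, 2)),
    ("card-02", "store12-pos3", date(2011, 3, 9)),
    ("card-03", "store12-pos3", date(2011, 3, 15)),
    ("card-04", "store12-pos3", date(2011, 3, 11)),
    ("card-05", "store12-pos3", date(2011, 1, 20)),  # before the exposure window
    ("card-01", "grocer-pos1", date(2011, 3, 3)),
    ("card-02", "grocer-pos1", date(2011, 3, 4)),
    ("card-04", "grocer-pos1", date(2011, 3, 5)),
    ("card-05", "grocer-pos1", date(2011, 3, 6)),
    ("card-06", "grocer-pos1", date(2011, 3, 7)),
    ("card-07", "grocer-pos1", date(2011, 3, 8)),
    ("card-03", "fuel-pos9", date(2011, 3, 1)),
    ("card-06", "fuel-pos9", date(2011, 3, 2)),
]
COMPROMISED = {"card-01", "card-02", "card-03"}  # cards with reported fraud


def rank_terminals(transactions, compromised, min_hits=2):
    """Rank terminals by the share of their cards that later reported fraud."""
    cards_at = defaultdict(set)
    for card, terminal, _ in transactions:
        cards_at[terminal].add(card)
    ranked = []
    for terminal, cards in cards_at.items():
        hits = cards & compromised
        # A busy terminal sees many cards by chance, so score the ratio,
        # and ignore terminals shared by fewer than min_hits fraud cards.
        if len(hits) >= min_hits:
            ranked.append((len(hits) / len(cards), len(hits), terminal))
    return [(t, h, round(r, 2)) for r, h, t in sorted(ranked, reverse=True)]


def at_risk_cards(transactions, compromised, terminal):
    """Unreported cards used at the terminal inside the observed exposure window."""
    # Assumption: the window is bounded by the compromised cards' own visits.
    dates = [d for c, t, d in transactions if t == terminal and c in compromised]
    start, end = min(dates), max(dates)
    return sorted({c for c, t, d in transactions
                   if t == terminal and c not in compromised and start <= d <= end})


if __name__ == "__main__":
    print(rank_terminals(TRANSACTIONS, COMPROMISED))
    print(at_risk_cards(TRANSACTIONS, COMPROMISED, "store12-pos3"))
```

The top-ranked terminal is the candidate skimming point, and the second function returns the cards to cancel or suspend before fraud is reported on them.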
While much attention has focused on consumer inconvenience, banks too are feeling the pain and cost of these breaches that are clearly disruptive to everyday operations.
Due to the Michaels case, Credit Union 1, with 22 branch locations primarily in the Midwest, posted this message on its website’s home page:
“Due to an enormous surge in fraudulent "Pin based" ATM transactions in California throughout the financial industry, Credit Union 1 has shut down the availability of "Pin based" ATM transactions in California only. Effective immediately, when a "Pin based" transaction occurs in California, your Credit Union 1 Visa Debit card will be "flagged" and will not be able to be used again.”
What is the financial cost to Credit Union 1 for taking this action?
For each attack, the potential size of impact varies. In some cases, there is only one victim. In others, there can be hundreds of banks and millions of account holders. To actually use cards, the most useful piece of information is the PIN. This allows the criminal to directly access cash, and elicits less attention from suspicious merchants. But even without the PIN, the card data can be used. It is important for banks to be aware of the many ways that criminals can commit debit card fraud.
What has your institution done to help reduce debit card fraud? Please let me know by writing me at Charles.Robertson(at)verafin.com.
Dr. Charles Robertson is an analyst and researcher at Verafin (www.verafin.com), a provider of a converged fraud and anti-money laundering application for banks in North America.