The Financial Post
Monday, January 12, 1998

Plastic bank jobs

Holdups are too dangerous for today's sophisticated bank robbers. Far better to steal electronic cash in scams that net close to $100 million a year

by Peter Kuitenbrouwer

Somewhere in the Toronto area, a machine owned by a gang called The Big Circle Boys is stamping out counterfeit credit cards. Their nifty feature: the user doesn't get a bill. The statement goes instead to the home of a legitimate cardholder whose plastic is safely tucked in his wallet but whose card code has been, literally, swiped and copied onto a fake. The machine is probably small enough to fit into a suitcase.

On Dec. 15, police arrested 12 people in Toronto, two in Saskatchewan and one each in Calgary and Vancouver and laid at least 50 criminal charges in connection with the knockoff charge card scam. Also arrested earlier: two bank employees and two retail employees.

The next morning at the local RCMP detachment, Cpl. Paul Jamieson proudly posed with stacks of very real-looking fake cards: TD Gold Elite Visa, ScotiaBank Visa Gold, TD Emerald Visa, Hongkong Bank of Canada MasterCard, even University of Toronto TD Visa, all nicely packaged in Ziploc bags. Also on the table: stacks of counterfeit $10, $20, $50, and $100 bills and magnetic strip readers of various sizes.

But conspicuously missing after a 20-month investigation: the machine that encodes the cards.

"Unfortunately, we weren't able to identify the factory that embosses and encodes the cards", says Jamieson. "It's still out there operating. It's right here in T.O., which we know because a person places an order for a card and can get it delivered in an hour."

There are now 30.2 million credit cards in circulation in Canada, and rising. The code-swiping job is just the latest blow in an escalating assault on Canada's chartered banks: as they encourage customers to move from cash to electronic forms of payment, criminals are adapting, stepping up their research and development, and staying right alongside.

"The fraudsters don't have to wait for budget approval", says Philip Levi, a chartered accountant specializing in electronic fraud at the Montreal firm Bessner Gallay Schapira Kreisman. "They have access to more money and better equipment faster than the police."

It doesn't pay to hold up a bank these days. There's less cash inside and courts punish armed robbery with stiff sentences. Stealing electronic money is easier, quicker, less dangerous, worth less jail time. Besides, there's a lot more of it around.

Banks in Canada wrote off $83 million last year due to credit card fraud, about $33 million of it from counterfeit cards. Visa Canada counts $60 million in credit card fraud in 1997. About 77,000 cards "went fraud" in Canada last year.

"Fraud has been good to me", says Levi. "It's the growth industry of the 1990s." Companies do seek out people like him to reduce risks, but mostly after the fraud has happened, he says. He contends that banks are stuck in the past, spending vastly more money on physical security -- guards, motion sensors, video cameras, safes -- while the crooks have moved on to electronic crime.

Paul Facciol, director of security for the Canadian Bankers Association, disputes that, saying, "We are recognizing new trends [in theft] faster than we have in the past." Still, interviews with credit card management at several banks reveal bankers who are worried about the new trend, not too sure what to do about it, and very tight-lipped.

"These are certainly not unexciting times", John Crosgrey, senior manager of bank card security at Bank of Nova Scotia, says tersely. "I'm sure you'll appreciate I can't say much more than that."

The fraud ring busted by the Mounties last month works like this: a restaurant customer gives his card to a waiter who has been recruited by the gang. While swiping the card for verification, the waiter swipes it again in a second reader -- it can be smaller than a cigarette package -- which stores the contents of the magnetic stripe, including the card's verification value algorithm.

The waiter sells the code for $20 to $50 per card to his contact in the gang. The gang encodes one or more false cards with the unsuspecting patron's information and resells them for up to $500 per card. Or the culprits go shopping themselves.

Meanwhile, the customer finds out only when he gets the statement, loaded with charges for such items as watches, computer equipment, and clothing that he did not buy.

Jamieson, whose investigators tapped 12 to 14 telephones and bought stacks of fake cash, says the Toronto-based ring victimized "thousands" and stole "millions".

In September, a rash of such code theft hit the small town of Waterdown, Ont., just north of Hamilton. Fifty to 75 cardholders received bills filled with strange charges, including "more than a few" satellite dishes bought for $3,000 each in the United Arab Emirates. One woman got a bill for $6,000 worth of shoes in Saudi Arabia.

All of those stung in the Waterdown scam had used their cards at a common location, says Hamilton RCMP Cpl. Terry Perreault. He would not name it. Once the police checked out the location, the "skimming" stopped, but police have made no arrests. Their investigation continues.

"The problem was stopped in one place but then it popped up in another part of Hamilton", Perreault says. "It's the same as drug trafficking. You shut down one and they open up elsewhere."

As in the Toronto case, a hidden card reader had skimmed the contents off their cards' magnetic stripe to produce fakes. The counterfeits fooled the approval computers at the Canadian Imperial Bank of Commerce, Toronto Dominion Bank, and Royal Bank of Canada. According to Perreault, losses to the banks topped $250,000.

To a certain extent, banks are victims of their own technological advances.

Remember the books cashiers used to consult beside the register, to see if a credit card was valid?

Remember when the cashier checked the signature on the slip against the one on the card, or other ID?

Those days are gone. In this age of electronic approval, once the bank's computers okay the transaction, the retailer is guaranteed his proceeds. If there is fraud, the bank is on the hook, so retailers have no incentive to care whether their customer is the legitimate cardholder.

Also easing electronic heists is the speed and efficiency of global card approval networks; in just a few seconds, a bank's computer in Canada can approve a purchase in the Far East.

The Big Circle Boys have transmitted credit card codes by phone line to Japan, Jamieson says, where accomplices went on a shopping spree -- in effect, holding up Canada's banks anonymously from halfway around the world.

"They're organized and efficient", says Facciol. "They see there's money to be made, and we have to stay ahead of these people if we can, and that's not easy. I don't think we will ever get ahead of them."

Interac cards are safer than credit because they only work with a Personal Identification Number stored in the customer's head. Banks are now considering PINs for credit cards.

Clearly, though, the crooks are never far behind. At first, a credit card simply featured an embossed name and number. Quickly, forgers copied it. Then the companies added a magnetic strip, encoded with the card number. When forgers copied that, the firms tried holograms. Forgers quickly devised knockoffs. Then the companies added the algorithm. Now, a swipe can steal that.

"Fraud agents these days are good at producing cards that look good", says Derek Fry, president of Visa Canada, which processes $60 billion of transactions a year. "Counterfeit cards are difficult and dangerous for us."

The industry's solution: more safety features, such as a microchip in each card. "The next phase of moving the goalposts will be chips", says Fry, "and then we'll move to biometrics". Among the tools studied: fingerprint readers, retina scanners, or voiceprint identification systems. But banks have to weigh security against customer acceptance.

"If we wanted to push it we could have no fraud", says Scott Saunders, risk policy manager for TD Visa, "but we would have no customers because it would be too extreme".

Facciol concurs. "You talk about fingerprints, everybody backs up and goes, 'Woah, woah, woah!'" Still, notes Fry, "If you were going to Birks to buy $50,000 worth of jewelry, maybe you wouldn't mind my scanning your retina."

Banks' other main security measure is their "neural networks" -- pattern detection software which stores a spending profile of each cardholder. The system notices transactions such as $1 of gas or a payphone call -- a typical trick by thieves to see if a knockoff or stolen card is working.

"Or let's say a person bought a hamburger on their card at 10 a.m. in Montreal and at 10:01 bought a car in Regina", says Walter Macnee, senior vice-president of TD Visa. In that instance, TD's fraud detection centre would instantly call the Regina dealership and ask to speak to the customer. "The crook often swears, [saying] 'The damn card's not working,' then they just walk away from the situation."

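The two signals described above, a tiny test charge and two purchases too far apart for one cardholder to make, can be written as plain rules. This is an added illustration, not the banks' software and not code from the article: it uses fixed rules instead of a neural network, and the thresholds, category names, card labels, coordinates and transactions are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Assumed thresholds for this example; the article gives none.
PROBE_MAX = 2.00                      # dollars
PROBE_CATEGORIES = {"gas", "payphone"}
MAX_KMH = 900.0                       # about airliner cruising speed

@dataclass
class Txn:
    card: str
    when: datetime                    # all times on one reference clock
    amount: float
    category: str
    lat: float
    lon: float

def km_between(a, b):
    """Great-circle (haversine) distance between two transactions, in km."""
    la1, lo1, la2, lo2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def flag(txns):
    """Return (card, reason) alerts in time order; no division, so a zero gap is safe."""
    alerts, last = [], {}
    for t in sorted(txns, key=lambda x: x.when):
        if t.amount <= PROBE_MAX and t.category in PROBE_CATEGORIES:
            alerts.append((t.card, "probe"))
        prev = last.get(t.card)
        if prev is not None:
            hours = (t.when - prev.when).total_seconds() / 3600
            if km_between(prev, t) > MAX_KMH * hours:
                alerts.append((t.card, "impossible-travel"))
        last[t.card] = t
    return alerts

MONTREAL, REGINA, TORONTO = (45.50, -73.57), (50.45, -104.62), (43.65, -79.38)
SAMPLE = [  # constructed transactions, not real data
    Txn("CARD-C", datetime(1998, 1, 12, 9, 0), 80.00, "grocery", *TORONTO),
    Txn("CARD-B", datetime(1998, 1, 12, 9, 30), 1.00, "gas", *TORONTO),
    Txn("CARD-A", datetime(1998, 1, 12, 10, 0), 6.50, "restaurant", *MONTREAL),
    Txn("CARD-A", datetime(1998, 1, 12, 10, 1), 24000.00, "auto", *REGINA),
    Txn("CARD-C", datetime(1998, 1, 12, 15, 0), 120.00, "clothing", *MONTREAL),
]

if __name__ == "__main__":
    print(*flag(SAMPLE), sep="\n")
```
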
In the offices at TD Visa, with the headquarters of Canada's big banks spread out before them beyond the plate-glass window, Saunders is sounding confident.

"The ultimate is going to be a chip", he says. "It's going to be impossible to copy."

Macnee pipes up: "Put 'impossible' in quotes."

"Yeah, okay", says Saunders. "Famous last words."

Copyright © 1998 by The Financial Post. All Rights Reserved. Reprinted with permission.