
Clone Wars

May 1, 2012 | by  |  Features

SQUINTING THROUGH PURPLISH HAZE, I’m deep in the filth of the criminal underworld: open-concept kitchen, polished concrete floors, exposed brick and contemporary art, designer mutt dozing beside me. A mountain of weed sits on the kitchen counter, nestled between a stack of foreign currency and the keys to a European sportscar.

“So, everything I’m seeing here, this is all..?” and I trail off, soaking it in.

“I’ve never paid for anything, man,” Percy boasts. “Everything is free. I don’t pay for shit,” and he takes a thick pull from his free blunt. Sensing my disbelief, he adds: “…just blows people’s minds, the type of money involved.”

In 2011, Interac reported Canadian debit skimming losses of $70 million. “Percy”, the young man sitting opposite me, claims his fair share – a senior figure in a crew engaged in the audacious high-tech crime of debit card cloning.

Here’s how it works:

To access your bank account, criminals require data stored on your debit card’s magnetic stripe, plus your PIN code. Until recently, they acquired it through hidden cameras coupled with readily-available card readers known as “skimmers”, installed covertly on ATMs, or put in the hands of collusive staff. Next came the tedious and error-prone task of matching your card data to your video keystrokes. Today there’s a far more elegant solution.

“Back in the day you’d use the skimmers – you’d give it to servers, you’d give it to the [gas] jockeys, whatever – now it’s all about the debit PIN pads,” Percy explains.

By doctoring the terminal handed to you when you make a debit card purchase, Percy and his crew are able to record your card data and PIN right from the machine itself. There’s only one catch:

“You need their machine overnight,” Percy reveals.

“So say you go to a little coffee shop and they’ve got a machine there and it’s not bolted down and you know you can get that thing and you can put it back there, what you have to do is, you gotta be the last customer before that shop shuts down. You go in there, you grab the machine without them noticing and put a dummy machine in.”

Coffee shops come up frequently in our conversation, their high transaction volumes making them a ripe source of card data, and the barista’s head-down work making them prime targets for PIN tampering – a task, Percy insists, far easier than it sounds:

“Order a triple fucking vanilla pump latte, extra froth, two pumps of chocolate, half a pump of caramel, you gotta weigh my sprinkles and count on 16 blueberries. Just order a bunch of shit. They’ll turn around, and honestly, it’s a matter of seconds,” he declares, laughing in a puff of smoke.

“It’s like a phone jack – you just unplug the phone jack, pick it up, put another one in. Then you got the machine all night.”

[Image caption: The card-writing software used by Percy's crew]

Fully caffeinated, stolen debit terminal in hand, The Switcher turns the machine over to The Tech – a friend who’s been trained to snip a few wires and solder in a bluetooth-enabled snooping device purchased from a remote criminal engineer. The Tech’s work done, The Switcher returns the next morning to replace the merchant’s machine.

“Say someone else comes in there and they try to use the debit machine and it doesn’t work: out of order. They [the barista] grab it and put it behind the counter. You go there and you can’t do your switch. That’s why you gotta be the last guy there at night and the first customer there in the morning.”

Modified machine in place, the riskiest phase of the fraud is complete, and the store’s debit terminal now transmits customers’ card data and PIN via wireless signal to a laptop outside.

Fast forward a couple weeks. Data downloaded, sorted and scrubbed, it’s written onto blank white debit cards using a USB card writer, the PIN number printed on the front with a label maker. Synchronizing watches, a team of low-level criminals, drug addicts and friends of the fraudsters then fan out across the city, hitting specific financial institutions at preordained times. Pockets bursting, The Hitters retreat into the night to meet with the crew and divvy the spoils.

If it all leaves you feeling rather helpless, keep reading.

“It’s coined as a ‘blitz attack’,” explains Justin Hwang, Associate Vice President of Fraud Management at TD Canada Trust. “The fraudster hires ten runners and then gives them instructions saying here’s your ten counterfeit bank cards, go to this machine and at 9 a.m. start. So yeah, we’re pretty familiar with that.”

TD and other Canadian financial institutions employ sophisticated pattern analysis software for detecting this type of fraud.

“Blitz attacks are pretty quick,” explains Hwang. “They’ve got a window of opportunity probably in the seconds.

“That obviously alerts us. Why all of a sudden, in the span of nanoseconds, are we getting all these withdrawals coming from this set of bank machines within this geographic area? That’s a blitz attack; let’s work to shut it down,” he says.

Hwang, and the entire financial industry, is fiercely protective of the specifics of these systems, speaking only in general terms. His opaque speech is a nod to the ongoing battle of probes and countermeasures taking place between the fraudsters and the banks.
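As an added illustration, not taken from Hwang or from any bank's system, the kind of rule he describes can be written as a sliding-window count of distinct cards withdrawing in one area. The event fields, area labels, window and threshold are all assumptions, and the sample events are constructed.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

def detect_blitz(events, window=timedelta(seconds=90), min_cards=5):
    """One alert per burst of distinct cards withdrawing in one area.
    Window and threshold are illustrative assumptions, not bank values."""
    recent = defaultdict(deque)    # area -> (ts, card, atm) still in window
    seen = defaultdict(Counter)    # area -> card -> count inside window
    alerting, alerts = set(), []
    for ts, card, atm, area in sorted(events):
        q, cards = recent[area], seen[area]
        q.append((ts, card, atm))
        cards[card] += 1
        while ts - q[0][0] > window:          # expire old withdrawals
            _, old, _ = q.popleft()
            cards[old] -= 1
            if not cards[old]:
                del cards[old]
        if len(cards) < min_cards:
            alerting.discard(area)            # burst over, re-arm
        elif area not in alerting:
            alerting.add(area)
            alerts.append({"area": area, "first_seen": q[0][0],
                           "detected": ts, "cards": len(cards),
                           "atms": sorted({a for _, _, a in q})})
    return alerts

# Constructed sample: (timestamp, card, ATM, area label); all values invented.
T0 = datetime(2012, 5, 1, 9, 0, 0)
def ev(sec, card, atm, area):
    return (T0 + timedelta(seconds=sec), card, atm, area)

SAMPLE = [
    ev(0, "c01", "atm-1", "downtown"), ev(8, "c02", "atm-2", "downtown"),
    ev(15, "c03", "atm-1", "downtown"), ev(21, "c04", "atm-3", "downtown"),
    ev(30, "c05", "atm-2", "downtown"), ev(41, "c06", "atm-3", "downtown"),
    # Ordinary traffic: few cards, spread out, one card used twice.
    ev(0, "c20", "atm-9", "suburb"), ev(400, "c21", "atm-9", "suburb"),
    ev(405, "c21", "atm-9", "suburb"), ev(1200, "c22", "atm-8", "suburb"),
]

if __name__ == "__main__":
    for alert in detect_blitz(SAMPLE):
        print(alert)
```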

Back in his apartment, Percy elaborates: “We used to smash ‘em,” he says – meaning they would attempt each card in rapid succession – “and we were like, ‘Something’s not working here.’ We talked to these other guys who did it back East – another crew – and they’re like, ‘No man, you give me 100 TDs and I’ll give you 30k every time’. And we’re like, ‘No way, they’re shutting down quick’.

“You gotta do the trick – you gotta do one every five to ten minutes. You swipe one that’s declined, you wait. Five minutes. Go to another machine. It’s tedious. There are certain people running around doing it, and they’ll come back with 37 grand.”

But perhaps more significant in this escalating battle is the quiet roll-out of Chip and PIN technology in Canada. Capturing mag stripe data from swiped cards is trivial, but Percy’s crew, as yet, have no answer for chip-enabled cards, if inserted rather than swiped. After five years of the figures tilting in the fraudsters’ favour, financial institutions appear to be gaining the upper hand: peaking at $142 million in 2009, Canadian debit losses have declined by more than 50 per cent over the last two years.

“We can’t fuck with the chip yet,” Percy confirms. “I know guys who have put in $150, $200k – more – trying to break this fucking thing. It’s all through the magstripe. They insert the chip – we can’t do it. So we gotta go to places that don’t have the chip shit yet.”

Percy’s revelation comes as no surprise to Interac, Canada’s largest network for point of sale debit. Following the European lead, the company will require chip-enabled cards for all debit PIN pad transactions by the end of 2015. The deadline for bank machines on their network looms at the end of this year.

From the Interac perspective, the results from Europe are promising: in the UK, cloned card fraud has fallen a stunning 79 per cent over the last three years, thanks largely to the implementation of Chip and PIN.

But as Justin Hwang over at TD points out, the magnetic stripe on Canadian debit cards is a long way from being completely phased out: “Our neighbours to the south, they haven’t migrated to the chip yet. If TD got rid of the mag stripe, we couldn’t do any business down in the States. That’s preventing customers from using their money where they want it, how they want it, when they want it.”

So while transactions moving across the Interac network may become more secure, the continued presence of the magnetic stripe on Canadian cards leaves them vulnerable to skimming coupled with foreign cash withdrawals or online transactions. And while the European lesson may prove fruitful for card cloning, it also demonstrates the resolve of the fraudsters, who have begun moving their illicit transactions from bank machines to online venues.

“We’re never going to fully get rid of the problem,” concludes Hwang, “but I think we’re at a good spot, where we’ve got a good handle on it and we’ve sorta corralled the problem a little bit.”

With the battle set to rage well into the future, some sage advice for anything you hold dear: careful where you stick it.

Matt Chambers is the editor and publisher of The Dependent Magazine. He's in way over his head.

4 Comments


  1. Chip & Pin (EMV), while more difficult, is not a panacea. Researchers presented new information that illustrates that skimming can be done effectively with certain EMV configurations. See the slides from the presentation at the link below for more information.

    http://conference.hitb.org/hitbsecconf2011ams/materials/D2T1%20-%20Daniele%20Bianco%20and%20Adam%20Laurie%20-%20Credit%20Card%20Skimming%20and%20PIN%20Harvesting%20in%20an%20EMV%20World.pdf

  2. I worked with a guy who made a ton of money doing this. He got caught and got only 3 months in jail….

    our judicial system is a joke

  3. Not surprising this is the same guy who wrote the article on the skytrain. Right now, Matt is the only reason I visit this blog — please find more editors like him!

  4. Wouldn’t the solution then be to put an alarm system on the debit machines? Perhaps a wifi or bluetooth system with an authenticator on the merchant’s end, or even just a low tech cable lock like you see on laptops: if the cable is cut then the merchant’s card system immediately transmits a lockout code to the Interac system.

    Has to be a way to cut down on this from the source.. Great article though.
