Tuesday, July 04, 2006

Victim impact statement on debit card fraud

A colleague in Alberta recently sent me a link to a recent case from Alberta, R. v. Singh, 2006 ABPC 156. It is a decision of the Alberta Provincial Court determining the appropriate sentencing for an individual who pleaded guilty to debit card fraud under section 342.1 of the Criminal Code of Canada. The decision is interesting in that it describes the crime in some detail, but the most interesting part is the victim impact statement submitted by the Interac Association:

“I, Fred Harris have been employed by INTERAC ASSOCIATION as Senior Vice President of Strategy and Business Development for over 15 years. In my capacity as Senior Vice President, I have knowledge of the fraud prevention mechanisms implemented by Interac Association’s member institutions to ensure the security of transactions on the Shared Cash Dispensing and Interac Direct Payment services (the “Interac Services” or the “Services”), and also of the specific matters addressed below.


The Interac Services account for millions of automated banking machine and payment transactions (known as “debit at the point of sale” or “POS” transactions) on a daily basis. These services enjoy a high degree of consumer confidence given the ease of use and the widespread acceptance of debit cards at locations ranging from retail outlets to federal and provincial government offices.

In 2004, there were 19.8 million users of Interac Direct Payment each month resulting in a total of 2.8 billion point of sale transactions. Those 2.8 billion transactions represent $124.4 billion dollars at 546, 000 point of sale terminals. In 2004, cardholders withdrew cash from an automated banking machine that did not belong to their own financial institution over 294 million time utilizing one of the 46,178 ABMs available in the Canadian marketplace. In addition to the transactions processed through the Interac Services there are close to one billion proprietary transactions, such as bill payments and cash withdrawals, processed on Members; own proprietary banking machines every year. These services are among the most secure in the world. Interac Association and its Members take extreme care in identifying threats and vulnerabilities to ABM or Point of Sales locations. Establishing stringent device level security standards, and by employing security features that can include surveillance cameras, and automated fraud detection systems.

Banking machine and point of sale transactions require a two factor authentication system consisting of the electronic reading of valid magnetic strips information from the back of a debit card plus the inputting of an associated Personal Identification Number (PIN). In recent years, criminals have developed diverse and increasingly ingenious means of obtaining the information on the magnetic stripe and PIN information from cardholders. This activity, often called “skimming” uses methods that range form low-tech ploys consisting of double swiping a cardholder’s card and then looking over the individual’s shoulder as the PIN is entered, to higher-tech methods that include hidden pinhole cameras and additional card readers installed on top of banking machine card readers or point of sale devices.

Once a skimming incident is identified, Interac Association and its Members take action to eliminate the source of skimming and manage the resulting exposure to cardholders and financial institutions. In order to protect cardholders, most exposed cards are proactively cancelled by the financial institution and the cardholder is notified that a replacement card is being required. Until the cardholder receives the replacement card they are unable to access their money using a banking machine or point of sale terminal. In other instances, thousands of cards are proactively blocked to stem losses, thereby increasing substantially the number of cardholders affected by a single skimming incident. Canadian financial institutions have been at the forefront of fraud prevention and detection and continue to develop improved procedures and use new technology as it becomes available.


The initial group affected by debit card fraud is [sic] cardholders. Money is taken directly from their chequing or savings accounts. In some cases cardholders are burdened in the short term by being unable to meet basis living requirements, for example they may be unable to make rent or mortgage payments. They may suffer immediate “on the spot” inconvenience and embarrassment, particularly given the widespread use and acceptance of debit cards, when their card cannot be used to pay for goods or other services. Cardholders must then take steps to lodge an inquiry with their financial institution, which leads to an investigation regarding the missing funds. Their financial institution will reimburse them if they are the victims of a proven fraud, but in the meantime they are inconvenienced.

In 2003 our Members collectively reimbursed $44 Million to approximately 28,000 cardholders who were victims of debit card fraud resulting from skimming. In 2004 this figure increased to $60 Million reimbursed to over 48,000 cardholders. The related costs are also significant. The time and effort to investigate each instance of fraud is a significant burden on the time and resources of law enforcement agencies, Interac Association, and the involved financial institutions, terminal deployers and merchants. Each incident typically requires a team of individuals from several different financial institutions and terminal deployers to retrieve and scrutinize various records and to liaise with the appropriate law enforcement agencies. This investigation often takes several weeks. In addition, financial institution often proactively block and re-issue other debit cards used at this location during the skimming period in order to prevent further losses. This represents a further cost to the financial institution as well as an inconvenience to cardholders.

Interac Association and its Members, and the entire industry, also suffer. At a minimum, debit card fraud shakes customer confidence in the use of modern banking technology. This risk and potential harm increase exponentially when one considers that criminals often share the success of their schemes on readily accessible internet bulletin boards.”

No comments: