Bank card skimming concern for cybersecurity in Trinidad and Tobago

The content originally appeared on: Trinidad and Tobago Newsday

Confiscated items used to commit card skimming on display during a police briefing on December 18, 2019.

In movies, bank heists are depicted as action-packed situations where robbers armed with automatic weapons overpower security, grabbing as much cash as they can before escaping in dramatic fashion.

In reality, however, criminals move much more discreetly, can strike at any time and, if you’re not vigilant, you may not even realise they made off with your money.

Last year the police received over 500 reports of bank card skimming in TT.

As of October 19, 2021, the Fraud Squad received over 200 reports of card skimming.

Card skimming is a practice where the personal data from a person’s bank card is recorded when used at an ABM or point of sale machine and subsequently replicated onto a blank card.

This blank card can be used to access funds from the person’s account to buy items at the person’s expense.

Given the restrictions imposed by the pandemic and the need to reduce person-to-person contact in stores, it was believed that incidents of skimming would increase during the lockdown period through online fraud.

In a June 2021 article from the Jamaica Gleaner, Jamaica’s director of the Regional Security System (RSS), captain Errington Shurland said cybercrime and cybercriminal activity have taken off since the pandemic and described the prevalence of online scams as “the modus operandi of future criminal activity.”

But local police from the Fraud Squad say there has been a slight decrease in cases since the public health restrictions came into effect last year.

Despite this decline, police and banks stress that bank card skimming and other types of fraud are still a major concern and call on banks and the government to focus on the issue of cyber-security as TT pushes towards digitisation.

A Fraud Squad officer, who asked not to be named, told Sunday Newsday that while digital threats were still in their infancy in TT, some criminals specialising in online fraud like data phishing and skimmers have established a foothold in the country with networks in operation.

He said that, based on intelligence, most of the skimming networks are comprised of foreigners, usually Venezuelans, who have access to specialised equipment.

The skimming equipment usually has three components: the skimming device, which records the information from a bank card; the re-printer, which copies the information onto a blank card for later use; and the blank cards themselves.

He said once skimmers have successfully recorded and produced a “dummy” or replica of a victim’s card, they usually take cash within the first 24 hours before the person can realise what has happened.

“Most accounts have a limit of $5,000 at a point of sale machine in a store and a $3,000 limit on cash withdrawal at an ATM, so they may go to a liquor mart and spend $5,000 on alcohol, then they go to the ATM and withdraw $3,000.

“As soon as the clock strikes midnight, the bank account resets and they go and withdraw another $3,000 in cash and then later that day when a liquor mart opens they take out another $5,000 in alcohol. That’s a total of $10,000 in alcohol that can be re-sold for $5,000 and they also obtained $6,000 so that’s $11,000 they would have made within 24 hours.”

In this December 18, 2019 file photo, a display of items used to commit ATM bank card fraud during a police briefing in Port of Spain. – Photos by Jeff Mayers

He says that, from intelligence gathered, skimming is one part of elaborate networks, as groceries and liquor stores are suspected of being complicit in the activities, and anything bought from these businesses stays within the network.

The officer said perpetrators using the copied card will not risk using the ABM themselves and would usually pay someone $500 to withdraw the cash for them.

He says there is legislation that empowers the police to take action against anyone found with card-skimming equipment, but admits there have been some challenges in proving a link between suspected complicit businesses and the skimmers.

Recalling the arrest of two suspected skimmers in the parking lot of Trincity Mall in 2019, the officer said while arrests and seizures of card skimming equipment were made, there are challenges in keeping pace with new, more advanced technology used by the criminals.

“In the cycle of things, the frequency of ABM skimming spikes and it drops and that is because there are people who are the main players, they become active, they do what they do and then they either go back to their country to do something or are in jail or they make enough money to just sit back for a while.”

He also suspects that the reason why skimming may have seen a small drop during the pandemic is because of how difficult the situation has been for many citizens.

“People who don’t have a lot of cash are more likely to notice when something is missing from their account no matter how small it is and because of that they’re more likely to report it quicker to their banks who will in turn shut down the card.”

Responding to questions via e-mail on Saturday, officials from the Bankers Association of TT also reported that there has been a reduction in skimming but credited this to an aggressive anti-skimming campaign and technology.

This partnership between the police and the banks forms an important link in the response to skimmers, as the officer stresses the importance of quick response between both parties to clamp down on such attacks.

Banks themselves have also taken measures to protect themselves against cyber criminals.

In 2020, all Scotiabank TT debit cards were upgraded to include EMV Chip technology. The chip technology better protects against card fraud. Using the chip on an EMV Chip card reduces the chance of your data being stolen or copied.

Via e-mail on Friday, officials from Scotiabank TT say they have introduced several security measures to guard against skimming, including more security at ABMs and more robust online security systems for banking.

“Scotiabank Alerts provide customers with the ability to receive real-time notifications about activity on their accounts via push notifications on their mobile devices or their e-mail so they can report any suspicious transactions and unauthorised logins quicker.

“Since the introduction of this free feature, we have expanded the range of alerts available, from transactional alerts to now 21 different types of alerts, inclusive of security alerts and credit card controls.”

While card skimming seems to be the most prevalent form of digital attack, there are other threats to cyber security.

Phishing is a practice where criminals create e-mails, texts, social media messages and pop-up windows that look legitimate with the intention of tricking people into sharing PIN numbers, passwords or account information.

Scotiabank’s management has attempted to tackle this phenomenon with a robust public information campaign warning customers against giving out their information and suggesting they call 62-SCOTIA when receiving strange requests online.

“Scotiabank will never present customers with unexpected webpages or send them unsolicited emails asking for their password, Personal Identification Number (PIN), credit card, account numbers and so on.

“We will never ask customers to confirm or restore account access through unsolicited email.”

As the world pushes towards minimising physical contact, there has been the introduction of “contact-less” means of payment with newer types of debit and credit cards being introduced to make payment.

Finance blog Sapling reports that in the US, where contact-less transfers are common, fraudsters can scan and “read” your card’s data through your wallet or even your purse.

The Fraud Squad officer says that while such features are not yet available in TT, he anticipates there will be similar trends when they do come to Trinidad.

He adds that in cyberspace, criminals not only target cash but information as well.

Last October a Russian ransomware organisation targeted the operations of one of this country’s largest conglomerates – Ansa McAl.

The attack began in Barbados and spread to the company’s operations in TT, leading to a temporary shutdown of the insurance subsidiaries Tatil and Tatil Life.

The officer says while data mining attacks are relatively rare in TT, there have been incidents where information has been hacked, recalling one incident last year where the e-mail address of a government worker was compromised.

“It was a minor person in the organisation whose account was breached and certain confidential documents were accessed but it was never used.

“I feel as though it could have been when the cyber crime unit did the analysis it was just some hacker testing the water to see how far they could get but with no true nefarious reason behind it.”

In their response, Scotiabank said that while data mining and cyber attacks were a worldwide issue, they were committed to developing their security capacities by “attracting world class talent to mitigate risks associated with this typology.”

Responding to questions via WhatsApp on Friday, Minister of Public Administration and Digital Transformation Hassel Bacchus says the importance of strengthening security in the country’s digitisation push has not been lost on him.

He notes that the government’s cyber security plan involves a three-pronged approach to building capacities at different levels to protect the data behind key institutions.

“What the government and the Ministry of Digital Transformation is trying to do is build resilience into our ICT architecture. Resilience is not just about preventing cyberattacks, but it is also about what happens when an attack occurs and assessing if that attack was successful in what it set out to do.

“In this vein, we have two tracks of action where cybersecurity is concerned. We are seeking to review existing processes and systems to strengthen and enhance and we are also building resilience by design in any new solution.

“The reality is, the more we add ICT platforms/systems into our ICT landscape, the more we increase the potential for an attack. We as a Ministry need to ensure that we deploy and employ appropriate design concepts to protect against and/or to reset if an attack were to happen.

“That is why we are adopting a holistic approach to cyber-security that addresses the three main components of digital transformation: people, process, and systems.”

As the government makes its first steps towards a digital transformation, issues of cyber security in this new frontier are a serious concern for ministries and businesses.