A customer buys some expensive, top-of-the-range equipment in your store and – as in more than 80 per cent of cases – pays with a credit card. There’s no problem with the PIN check and the satisfied customer departs with the goods.
It’s only after the real owner of the card finds the amount on their bill that the trouble starts... and you just hope that your shop’s insurance covers the loss.
It’s a situation that, sadly, is likely to become ever more familiar. UK identity fraud, now the highest in Europe, is expected to cost retailers a staggering £2 billion this year, compared with £500 million just three years ago and, despite massive new electronic precautions, looks set to continue rising.
But the most spectacular hike in identity theft affecting small retailers is on the internet. Criminals trawl the web for their victims’ personal information, which is used to apply for credit cards and run up huge bills.
Pinning the blame
Where existing credit cards are concerned, PINs (personal identification numbers) are supposed to make the million-plus cards stolen in the UK each year useless to crooks when they try to use them. But it hasn’t worked out like that.
For bank-security experts now admit that fraudsters have little difficulty in obtaining four-digit PINs and making dozens of copies of credit cards.
According to financial-security expert John Leyden, rogue mathematicians working for criminal gangs can now work out a PIN in less than 15 guesses.
The system’s designers originally reckoned it couldn’t be done in less than two million attempts!
Boffins say that the weak link in the PIN system is that numbers aren’t chosen at random but are based on a complex mathematical formula linked to the customer’s account number.
Decimalisation tables are used when hardware security modules check the validity of the number a customer punches into the machine on your counter.
“A skilled operator using a relatively simple computer programme can manipulate these tables to find clues as to which digits are present in the PIN,” John explains.
“The methodology is very complex but the result is that success usually comes within 15 guesses. The crook then has a PIN and can happily go off shopping!”
Over your shoulder
While banks are naturally worried about this sophisticated fraud, they are even more concerned about the most popular method of credit-card identity theft – simply discovering a PIN by looking over someone’s shoulder, usually in a crowded shop.
Retail outlets were the scenes of more than 100,000 identity thefts last year.
One of the simplest and most effective dodges is ‘shoulder-surfing.’ The sharp-eyed crook stands near your counter while a customer keys in a PIN. From this the rest of the card’s details can be learnt by hacking into the bank’s computer system.
Then there’s what’s known in the trade as the Lebanese loop – a card attached to a piece of magnetic ribbon is inserted into an ATM, which means that the next card put into the machine will be swallowed.
The crook then appears, pretends to be helpful and says that the problem can be solved if the cardholder types in their PIN. It doesn’t work and the cardholder gives up and leaves.
The fraudster, who has memorised the PIN, fishes out the card using the loop device and them helps himself to cash before assuming the identity of the cardholder and going off on a shopping spree... maybe to your store!
Skimming the data
Another fast-growing type of card identity theft is skimming – this is copying data from the black magnetic strip on a genuine card onto a blank card without the owner’s knowledge.
An unscrupulous shop assistant processing a credit-card transaction can quickly record data on a gizmo the size of a 50-pence piece. The resulting card can be used without the cardholder’s knowledge – until some hefty and mysterious debts appear on the monthly statement.
This happened to Sheffield teacher Jane Harrison, whose card was copied in one of the city’s shopping malls. “When I got my monthly statement it was nearly £1,000 more than I expected,” she said.
“I was certain it was a ghastly mistake but the purchases, mostly clothes, a wristwatch and a skateboard, had all been made using a card with my number. The thieves had avoided suspicion by not going over my credit limit.”
Surprisingly, identity theft is not yet a crime in the UK and offenders are charged with deception or theft. Only when it becomes identity fraud does the law crack down.
Says Birmingham solicitor James Gregory: “For the victims it can be very serious indeed, often affecting their credit rating, so their ability to obtain finance and even a mortgage may be temporarily compromised.”
And the cost can be devastating. Credit reference agency Experian has found that it can take up to 500 hours to sort out the mess when someone’s identity is stolen.
The good news is that a bank or credit-card company will usually refund all losses – unless the cardholder has been negligent by keeping their PIN with the card.
Police didn’t have to look far for the culprit in Jane Harrison’s case – a temporary shop worker admitted to more than a dozen other offences and was jailed for 12 months.
Beating the bad guys
So what can retailers do to protect both customers and themselves from identity theft? A new development is a fingerprint-scanning process, which checks a customer’s identity while they pay for goods.
It’s a ‘pay and touch’ system similar to the payment option already in use in the US where more than five million customers now rely on the process.
This is how it works: each customer’s account database contains a fingerprint profile that is linked to their bank-account details, so customers no longer need to carry cash or cards – or to remember their PINs.
The main objection to the new system is its cost, but Scottish businessman Jamie Jamieson has spent years campaigning for a much more simple and cheap fingerprint system. He claims that all it needs is a basic inkpad!
Under this system, customers would be asked to submit a fingerprint to authorise each transaction. The fingerprint would be kept in the shop in paper form for six months and, if a fraud was attempted, police would have access to the offender’s fingerprint, which could be matched with the national database.
“What could be more simple?” Jamieson asks. “People with nothing to hide would surely not resent giving a fingerprint if it meant reducing the risk of credit-card fraud.”
If you have a customer who’s been a victim of identity theft, experts urge you to pass on this advice:
* Report the incident to the police without delay and insist on getting a crime reference number to record the incident.
* Immediately report all stolen cards to the issuers and ask for new ones. Get new cards, account numbers and PINS. Don’t be tempted to use the compromised PIN just because you have learnt to remember it!
* Destroy all cheques and cards immediately you have closed a card or bank account. Don’t have new cards sent to your address but arrange to pick them up.
* Notify the Post Office if you suspect that mail redirection has been set up fraudulently regarding your address. Its investigations unit will help.
* Shred or burn any documents relating to your financial affairs.
* When buying over the internet, make sure that a locked padlock or unbroken key symbol appears on screen before you send your card details. The beginning of the retailer’s address will change from http to https when a purchase is made using a secure connection.
So how can retailers protect themselves? According to specialist insurance companies like Safeonline and CFC Underwriting, it’s wise to obtain cover for hi-tech and internet risks, including credit-card charge-backs caused by fraud.
What does insurance cost? Basic third-party cover for a small business can be as little as £50 a month if you have a good security system. In these days of ever-increasing cyber crime, it sounds like a pretty good bargain.