In a fraud aimed at taking advantage of an authentication hole with debit card processing—a variation of which hit quite a few Apple stores recently—a group of thieves start their attack by stealing PayPal MasterCard Prepaid Debit cards from major retailers, especially CVS, according to Capt. Wil Manlapaz, in charge of special investigations for the Washington D.C. Metropolitan Police Department.
Many chains provide minimal security around the carousels that displays such cards as the cards are viewed as worthless until they are activated at the POS. Who would want unactivated debit cards? These thieves, apparently.
They sought out small merchants—mom and pop stores—who appeared to have older POS systems. The thieves would then present the card as a debit card and try and make a purchase. When the card generates an error code, the thief suggests that the associate enter their PIN. It’s a bogus PIN, of course, but when a transaction is forced, the older units will accept any numbers, Manlapaz said. The transaction goes through, the theif leaves with his merchandise and the merchant soon receives the chargeback.
“Rather than calling to verify, they do an offline transaction, which bypasses network verification,” Manlapaz said.
Merchants need to be reminded that when an error code is returned, that’s a good moment for increased vigilance, not increased customer service.
