In terms of terrorist funding outfits, there have been many masking-of-payment-transaction scams occurring in the UK in the form of ATM scams and the installation of machines whose only purpose is to steal information.
For example, when major petroleum companies started franchising their petrol stations, some Sri Lankan nationals became very interested, taking over a vast majority of these stations and using them to mask terrorist funding activities.
Their reach is far and wide, covering many major cities and even gas stations in local villages. It was an unclear mix of legal and illegal immigrants, all of the same ethnic origin, who operated as a network of teams moving swiftly across the UK—working one day in Leeds, moving to Manchester the next day, and ending up at one of the many gas stations around Greater London.
These groups, who by the time they were discovered had become legal employees, deployed a huge payment terminal scam. In most cases, the station owner was involved in the scam or was forced to join in.
This criminal organization comprises different teams working together. The first group consists of technicians altering the point-of-sale terminals, a second group takes care of the installation within the gas stations, and a third group focuses on using the obtained data.
Some of the engineers are highly skilled and are brought to the UK for the sole purpose of capturing account information, using Wi-Fi scanners and cracking programs to download transaction data when the systems aren’t protected by high-level encryption software.
On a large scale, terminals are opened, bypassing security measures installed by vendors, and equipped with extra hardware. Once that’s done, they are reinstalled on the premises, with additional recording devices hidden in ceilings that capture both magnetic stripe and personal identification number (PIN) data.
Due to numerous transactions at rigged locations, significant amounts of data become available. Analyzing unauthorized use of this stolen data shows a unique spending pattern.
Instead of going for a quick win and hitting different countries with massive ATM attacks, the use was spread out with more transactions at a lower value.
This way, criminals were able to stay out of banks’ monitoring radar and could continue making undetected illegal transactions for longer lengths of time.
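As an added illustration (not part of the original article), the sketch below shows why a per-transaction amount rule misses this low-value pattern, while grouping disputed cards by the terminals they previously visited, often called common-point-of-purchase analysis, points at the rigged location. All card IDs, terminal names, amounts and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (not from the article): legitimate card-present
# history as (card, terminal) pairs, then later disputed transactions as
# (card, amount) pairs.
HISTORY = [
    ("c1", "station-A"), ("c2", "station-A"), ("c3", "station-A"),
    ("c4", "station-A"), ("c1", "grocer-B"), ("c5", "grocer-B"),
    ("c6", "grocer-B"), ("c7", "grocer-B"), ("c2", "cafe-C"),
    ("c6", "cafe-C"), ("c8", "cafe-C"),
]
DISPUTED = [
    ("c1", 40.0), ("c1", 35.0), ("c2", 45.0), ("c2", 30.0),
    ("c3", 25.0), ("c3", 48.0), ("c4", 38.0),
]


def threshold_alerts(disputed, limit=200.0):
    """Per-transaction amount rule: flags only single large transactions."""
    return [(card, amt) for card, amt in disputed if amt >= limit]


def common_points(history, disputed, min_cards=3, min_ratio=0.75):
    """Rank terminals by the share of their cards that later reported fraud."""
    fraud_cards = {card for card, _ in disputed}
    seen = defaultdict(set)  # terminal -> distinct cards used there
    for card, terminal in history:
        seen[terminal].add(card)
    suspects = []
    for terminal, cards in seen.items():
        hit = cards & fraud_cards
        ratio = len(hit) / len(cards)
        # Require several affected cards so one unlucky customer is not enough.
        if len(hit) >= min_cards and ratio >= min_ratio:
            suspects.append((terminal, len(hit), round(ratio, 2)))
    return sorted(suspects, key=lambda s: (-s[2], -s[1]))


if __name__ == "__main__":
    print("threshold alerts:", threshold_alerts(DISPUTED))
    print("suspect terminals:", common_points(HISTORY, DISPUTED))
```

The `min_cards` and `min_ratio` cut-offs are illustrative; busy terminals naturally see some cards that are later defrauded elsewhere, so real cut-offs have to be tuned against that baseline.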
Eventually, however, the authorities caught on to these spending approaches and began arresting these small groups all over Europe. To some extent, a more in-depth investigation was carried out to identify the money flow. Disturbingly, it became clear that the end users were Tamil freedom fighters in Sri Lanka.
This criminal confidence scheme emphasizes and identifies interesting vulnerabilities within the payment and retail chain, and shows how organized crime groups with less exposure can cause substantial damage.
This scam makes it crystal clear for the UK payment card, retail, and banking industries that procedures, compliance, and back-up plans need to be closely redefined and fine-tuned. And it certainly shows these industries must be prepared for the unexpected.
Enormous amounts of untraceable funds are passing overhead on a daily basis. Criminal entities don’t like to be closely examined, and in most cases have a dubious background or spider web setup, hopping different countries and involving “mules” as front persons.
That way it doesn’t appear strange to find individuals turning up in different cities, spending lengthy periods at ATMs retrieving money, and flying around the region emptying ATMs with anonymous, reloadable cards.
With the increasing mobile commerce possibilities related to telecom issues, there will be bigger challenges to safeguard payment transactions, especially because there will also be an increase in the high-tech solutions available that could be used to defraud systems.
It will take some time to fully understand the different modus operandi criminals use. But end-to-end encryption of data, as well as secure payment platforms, will be a must if we don’t want to see it escalate.
PAUL BUELENS is head of project management, fraud and compliance, for EastNets, a global provider of compliance and payment solutions.