Scammers exploit credit card terminals at Calgary sex show

A security feature built into Moneris credit card machines isn't mandatory to activate, even though it could prevent fraud that hit multiple vendors at a recent Calgary trade show.

Some fraudulent transactions could be prevented by a feature that isn't mandatory

Vendors with terminals like this one from Moneris say the credit card processor should do more to help them secure the machines from fraud. (Anis Heydari/CBC)

Vendors at a recent Calgary trade show say their credit card payment processor didn't do enough to help them use and activate a security feature on their terminals that could have prevented fraudulent transactions from going through.

The scam involves purported customers presenting what looks like a legitimate, regular credit card to pay for goods. The card is actually a fake "administrative card," which gives them complete access to the terminal and allows them to manually enter an alternative, usually stolen, credit card number.

Corey Mehaney's company Subcana was the victim of credit card fraud at Calgary's Taboo trade show. (Anis Heydari/CBC)

"Everything checked out on our end, and we got approved with the transaction," said Corey Mehaney, owner of Subcana.

He lost out on more than $700 worth of merchandise when he was hit by an alleged fraudster at the Taboo Naughty but Nice Sex Show in Calgary. 

When the fake transaction goes through, it's charged to the manually entered number and isn't linked to the actual credit card presented.

But within several weeks, the purchase is discovered to be fraudulent and the vendor has to pay back the fraudulently charged funds, along with being on the hook for a "chargeback" fee from the credit card processor. That's when the vendor realizes their merchandise was actually stolen.

Password feature prevents scam

A password feature, built into Moneris's terminals since mid-2017, can prevent this scam from working. It would require merchants to enter a unique password each time a credit card is manually keyed in.

But multiple merchants at the Taboo show told CBC News they had never heard of this feature from their credit card partner.

"The only way we find out about it is after a chargeback, which actually costs us money," explained Mehaney.

Subcana called Moneris to report the experience with credit card fraud during the Taboo show after security officials at the venue advised they were potential victims.

"After I was able to contact our payment provider [Moneris], they did talk about a password protection for the machines," said Mehaney.

Laurel Hurlburt's business E-Sensuals was able to dodge being scammed in Calgary — because it had happened to her before, not because her credit card terminal had security enabled. (Anis Heydari/CBC)

Laurel Hurlburt, owner of E-Sensuals, a booth only metres away from Subcana, found out about the password feature from Mehaney.  

Her business had been previously hit by the same scam in another city, so she knew what to watch for and was able to stop another fraudster from pulling the same trick at the Calgary Taboo show.

Hurlburt said she's concerned she never heard about this scam — or how to protect her credit card terminal and business — directly from Moneris.

"I had got more details from a Facebook group," said Hurlburt, who believes Moneris should issue a direct warning about this type of scam. Hurlburt also said that when she called to report her previous experience with a credit card scam, she was not informed about the password protection.

"I'm going to call them [Moneris] and ask to help protect myself," said Hurlburt, after hearing about the password feature's existence from her trade show peers.

Moneris does provide tutorials

Moneris's website and setup material do provide information on the password protection feature, including a YouTube link where setting up the security feature is described more than three-quarters of the way into the video.

A YouTube video from Moneris details how to set up password protection — more than four minutes into a five-minute video. (Moneris/YouTube)

The company declined multiple interview requests with CBC News, but in an emailed statement said they "proactively communicate with our merchants to advise them about this and other security features."

According to Moneris, all new terminals have the password system ready to use, and merchants are asked to set a unique password for manually keyed credit card transactions as part of initial activation.

While the feature has been available since April 2017, Mehaney told CBC News his business has had a Moneris machine for only the past several months and that he was not made aware of the password system when he activated it.

The feature is not mandatory despite being able to prevent the type of credit card fraud that hit the Taboo trade show in Calgary.

"It is ultimately up to ... the merchants, in this case, to determine if and how to use the available protections," said Darren Leroux, senior manager of communications with Moneris, in an email to CBC News.

About the Author

Anis Heydari

Video Journalist

Anis Robert Heydari has worked in jobs ranging from cleaning up oil spills to fixing phone lines, but all those roads eventually led to being a jack-of-all-trades and CBC News reporter. Reach him at anis@cbc.ca.