Unattended Payments: 3 Fraud Risks for Your Retailers

Unattended retail is a great way for your retailers to cut labor costs and build efficiency. From  grocery self checkout to payment kiosks, unattended retail is growing in popularity every year. But it’s important to realize that unattended retail comes with some unique fraud risks. Be aware of these risks so that you can help your merchants develop wise loss prevention strategies.

Unattended retail fraud risks come from three distinct angles:

  1. Thieves using the technology to steal products directly
  2. Thieves using the technology to steal data
  3. Thieves using stolen data to buy products

First let’s look at the risks of direct product theft:

1. The Five-Finger Discount

If you think self checkout is a tempting opportunity for thieves, you’d be right. Retail self checkout is a major source of shrink. Some of the theft schemes are so common, they even have names. There’s the banana trick, where an expensive item like steak is weighed with a cheap produce code like bananas. With the pass-around, customers pretend to scan an item before dropping it into the bag. And finally, there’s the switcheroo - just as it sounds, replacing an expensive item’s barcode with a cheap one.

While these names might make you smile, they’re a real problem for merchants. Some studies 1, 2 have shown that up to 20% of shoppers admit stealing items at self checkout.

To reduce shrink, your retailers need more than a staff member monitoring the self checkout corral. Consider adding a layer of technology. Developers are producing AI that can visually recognize products and verify whether scanned prices are accurate.  

Some providers offer video-based solutions ready to be implemented today. Take a look at Stoplift, which boasts ease of POS integration as well as PCI compliance. And what’s more, they provide several entertaining (and alarming!) real-life videos of self checkout thieves in action.

2. Skimming for profit

Now let’s consider how unattended retail can be mined for data theft. Skimmers are an ongoing problem for fuel pumps and ATMs. Recently, this risk has expanded to other unattended retail providers such as car wash payment kiosks, vending machines and even grocery checkout units.

Bluetooth skimmers can be inserted deep into a card reader slot, undetectable to the eye. In the past, thieves would have to physically pull a skimmer from a card reader to access data, but these days technology makes it awfully convenient. Called blue skimming, thieves can simply park nearby and download data in real time via bluetooth.

So how can your merchants prevent skimming? To start, you should instruct merchants to check their equipment regularly for signs of tampering. Measures such as security tape on fuel pumps can keep thieves from disassembling equipment and installing skimmers.

But with skimmers inserted into the card reader, merchants need to fight fire with fire. For Android and iOS, your merchants can easily download apps such as Skimmer Scanner or Card Skimmer Locator (on the iOS app store) to check their machines for common bluetooth skimmers.

However, keep in mind that these solutions are just a patch on the problem. The underlying problem remains the use of mag stripe transactions. For the ultimate fix, urge your merchants to upgrade to chip technology, even if they are in a vertical currently exempt from EMV penalties.

3. NFC: Bypassing EMV security

While EMV upgrades will prevent mag stripe skimming, clever thieves have still found a way to bypass EMV security using NFC (tap and pay.) Since the EMV shift, most retailers have upgraded their POS hardware with NFC technology. It’s ironic that this move meant to increase security has left a back door wide open.

As it turns out, it can be easy to add stolen credentials to Apple Pay, Samsung Pay and Google Pay. While large issuers like Citi require two step verification before allowing a card to be added to a payment service, thieves have learned that many smaller issuers don’t bother. Thieves simply snap a photo of a counterfeit card, or even enter the data manually. And within minutes, they’re in business.

By using unattended retail, thieves don’t have to worry about showing a matching photo ID to a cashier. Depending on the issuing bank’s alertness, thousands of dollars can be siphoned away before the fraud is noticed. Are your merchants liable for these fraudulent transactions? They shouldn’t be, but it may be a hassle to convince the issuing bank otherwise.

Final Thoughts

Without doubt, unattended retail is the way of the future. And while this sector cuts labor costs, it still requires a level of retail supervision. From minimizing shrinkage to staying on top of equipment upgrades, unattended retail is not necessarily effortless retail. Help your retailers take the right steps to manage this payment environment, and you’ll make it as frictionless and profitable as it can be.

in Security