Shiro Maruo recently had $2,000 stolen from his flower shop in a string of thefts in which the suspects issued themselves refunds from point-of-sale (POS) devices.
Maruo said a man came into his shop on Danforth Ave., NaNa Florist, on the afternoon of June 21 claiming he wanted to make a purchase with a debit card. But the man left when his card was apparently declined, and told Maruo he’d be back before the store closed.
Upon the man’s return, he drew Maruo’s attention to a different part of the store while another man took the POS terminal sitting near the cash register and swapped it out with a similar one.
“When I think about it now, he was trying to get my attention so the other guy could do whatever he wanted to do,” he told the Star in a phone interview.
NaNa Florist is just one of several GTA businesses that have been recently targeted in similar POS device thefts. Police say they are aware of the incidents but that such thefts aren’t a new occurrence. Statistics on POS thefts aren’t readily available, and they’re either classified as thefts or break and enters depending on the circumstances, they said.
The two men who came into Maruo’s shop left without buying anything.
“I didn’t notice because the machine was still there,” Maruo said of the swap. A short while later, alarm bells started going off when he received an email from Clover, his POS system provider, notifying him the manager’s passcode associated with his POS device, required to authorize refunds, had been changed.
Maruo looked at the POS terminal and realized it wasn’t his. He checked the security footage from the store’s cameras and could clearly see the swap of the devices.
After contacting Clover and deactivating the terminal, Maruo was told two refunds totalling $2,000 had been processed. On Thursday, he subsequently learned another payment of $2,000 was processed after the first two, this time apparently in cash, but said he doesn’t understand how that could be since he did not give the two men any cash. He’s been unable to get clarification from Clover on what the third charge means.
When he asked about getting the money back, Maruo said Clover told him the chances were slim, especially because the refunds were debit transactions, so the money would have gone directly into the card holder’s account where it was then likely moved.
Maruo said Clover seemed to have “no idea” how his passcode was changed, and that he feels the POS devices are “very unprotected” under the default settings they come with.
Days after the incident, Maruo learned his POS terminal was used in another theft at a business in Pickering called Total Tire, after that store called him. Total Tire did not respond to the Star’s interview requests in time for publication.
A similar story played out the following week at Souvlaki Hut on Queen Street East.
Co-owner Artie Jorgaqi told the Star a man came into the restaurant on June 30 wanting to make a purchase when his card was declined twice.
The man told Jorgaqi he would go to the bank and come back, but when he returned and the Clover POS terminal was placed in front of him, Jorgaqi said the man issued himself a $2,000 refund instead of paying for his purchase.
“We’ve done small refunds before for like, under $10, but we never had any idea that a transaction like that could go through,” said Jorgaqi. “He just tapped his card. It was gone within 30 seconds.”
Jorgaqi was also told by Clover it would be difficult to retrieve the stolen funds.
Next door, Pippins Tea Company had $4,900 stolen through a refund to a Mastercard. In this case, the store’s POS system provider, Moneris, reimbursed owner Barbara DeAngelis.
Though she’s happy things worked out, DeAngelis said she feels POS system providers were “wholly responsible” for these kinds of thefts. “The level of security that these pieces of equipment are shipped out with is atrocious, and I learned that through my experience,” said DeAngelis.
Toronto police confirmed they are aware of the theft at NaNa Florist and that an investigation is ongoing. “It’s important to note that the theft of point of sale (POS) terminals by thieves is the cause of this scam occurring,” police said in an email to the Star.
The Durham Regional Police Service also confirmed it’s investigating the June 23 theft of a POS terminal from Total Tire in Pickering.
In an email to the Star, DRPS said the suspects swapped out the store’s POS terminal and were then able to use the stolen terminal to “commit fraudulent transactions.” Investigators are aware of a possible connection to a TPS investigation.
TPS did not say whether there were active investigations into the other incidents, but suggested business owners take a “proactive” approach to protect themselves, including keeping POS terminals out of reach and sight from customers, locking them up when closed and changing the passcodes they come with — advice Souvlaki Hut’s Jorgaqi is adhering to.
The terminal “only comes out when a customer is ready to make a payment,” said Jorgaqi.
For Clover’s part, the company said in an email that their POS system is “built with industry-leading security features, including encryption, tamper resistance, and user authentication to prevent unauthorized access.” And business owners “have full control over refund permissions — allowing organizations to disable refunds, set limits, and assign employee-level entitlements to staff.”
Asked about the cash refund processed by NaNa Florist’s POS terminal, Clover told the Star it’s taking the matter seriously and is actively working to resolve it. “As emphasized, we continually advise our clients to protect their Clover devices by setting a suitable pass code and properly storing it in a protected location.”
All three business owners the Star spoke with have since worked with their POS system providers to reconfigure their settings by lowering the maximum refund amount, setting up two-factor authorization for refunds or removing the option to process refunds that aren’t related to a completed transaction.