Toronto Businesses Face Significant Financial Losses from POS Theft Scandal

In recent weeks, several businesses along Queen Street East in Toronto have reported significant financial losses due to a spate of thefts involving point of sale (POS) terminals. Thieves have exploited vulnerabilities in these systems, using them to issue unauthorized refunds, resulting in losses amounting to thousands of dollars.

The incident has raised serious concerns among local business owners. Artie Jorgaqi, whose family operates the Souvlaki Hut in The Beaches, recounted a shocking experience where a customer utilized the POS machine to process a $2,000 refund to themselves. "It was shocking," Jorgaqi stated. "Honestly, my mom works very hard here, so to hear that she just got that taken from her – it was a shock."

Similarly, Barbara Deangelis, owner of Pippins Tea Company, shared that a young man, who initially claimed to want to purchase a teapot, instead refunded himself $4,900. "It was just sick," she expressed, highlighting the substantial impact such thefts can have on small businesses.

Experts in cybersecurity have pointed out that many POS terminals are often misconfigured from the outset. Claudiu Popa, a security consultant, explained, "Most of the time, these POS terminals are misconfigured from day one. The flaws come through either default passcodes that can be exploited by thieves or through lax default settings that are never updated by the users."

While police have not confirmed a direct link between these incidents, they appear to be part of a broader trend of thefts affecting businesses in various parts of Toronto. Deputy Mayor Mike Colle, who previously held a summit addressing similar thefts, noted, "Almost every business on Bathurst Street, Dufferin, Eglinton, Avenue Road, Lawrence, St. Clair, they all got hit, and they never talked to each other about it."

To counteract such vulnerabilities, Colle has advised business owners to secure their POS terminals. He recommended measures such as locking the terminals away at night and changing PIN codes regularly. The Beach Business Improvement Area (BIA) has also sent warnings to its members about these vulnerabilities, indicating a shift in tactics by thieves.

In response to the thefts, Moneris, one of the major POS vendors, stated that their machines do not come with a default unauthorized refund code. Their spokesperson, Darren Leroux, emphasized, "When merchants set up their devices, they’re prompted to set administrative passwords and it is recommended that they also set up user profiles and permissions for refunds."

Conversely, Clover, the POS vendor for Souvlaki Hut, has not yet responded to inquiries regarding the incident. Jorgaqi expressed concerns about the responsibility of POS vendors, suggesting that measures such as refund limits or two-step authorization should be implemented to enhance security. "They should put in some better steps to help protect anyone that uses their services," he asserted.

As this alarming trend continues, the implications for local businesses are profound, raising questions about the security measures in place for POS systems and the responsibilities of vendors in safeguarding against such vulnerabilities. Business owners are urged to remain vigilant and proactive in securing their payment systems to prevent potential losses in the future.

In conclusion, the recent thefts underscore a significant vulnerability in the POS systems utilized by many small businesses, highlighting an urgent need for improved security measures and vendor accountability to protect against such fraudulent activities.