‘It was a shock': Toronto business owner says customer used point of sale terminal to issue himself $2,000 refund

CTV News

03-07-2025

A family-run businesses in The Beaches says a customer used their point of sale machine to issue themselves a $2,000 refund.
Thousands of dollars have been taken from businesses on Queen Street East in Toronto over the past few weeks as thieves use the very machine the businesses use to accept money from customers to rob them.
At one business, the family-owned Souvlaki Hut in The Beaches, a security camera was rolling as a customer innocently picked up the point of sale terminal and issued himself a refund of $2,000.
'It was shocking,' said Artie Jorgaqi, the son of the Souvlaki Hut owner. 'Honestly, my mom works very hard here, so to hear that she just got that taken from her – it was a shock."
'He had picked up the machine so we wouldn't see anything, and he processed a manual refund. It's very easy. This is something that a lot of small business owners are vulnerable to,' he said.
Toronto Beaches POS theft
Artie Jorgaqi said a customer used the point of sale machine at his family's business to issue himself a $2,000 refund. (supplied)
At another business, Pippins Tea Company, owner Barbara Deangelis told CTV News a few weeks ago a young man came in saying he wanted to buy a teapot for his grandmother – and instead refunded himself $4,900.
'It was just sick,' Deangelis recalled. 'That's a lot of money for a small, freestanding, independent retail store.'
Both are pointing to vulnerabilities in their point of sale terminals they had never expected – vulnerabilities one security expert says are 'severe'.
'Most of the time, these POS terminals are misconfigured from day one,' said Claudiu Popa, who said the flaws come through either default passcodes that can be exploited by thieves, or through lax default settings that are never updated by the users.
'This is a scam that's essentially akin to leaving your locked iPhone and then finding out somebody was able not to just access your iPhone but to get into mobile payments and help themselves to a bunch of paid apps,' he said.
Police say they haven't linked the two cases, but they appear to be part of a wave of thefts in another part of the city that concerned Toronto Deputy Mayor Mike Colle so much he hosted a summit on the problem last year.
'Almost every business on Bathurst Street, Dufferin, Eglinton, Avenue Road, Lawrence, St. Clair, they all got hit, and they never talked to each other about it,' he said.
Colle said he went door to door explaining the situation to businesspeople and also put up stickers in the windows to tell potential thieves the point of sale terminals had been locked down.
'Essentially, lock the point of sale terminal up at night. And when you're not in there, don't leave it on the front counter. Put it underneath the counter. And then when the customer comes, you put it on the counter. Change the pin code every week,' Colle said.
The Beach BIA has also warned its members about the POS terminal vulnerabilities in an email.
The Beach BIA Manager Lori Van Soelen said she's not aware of a theft like this – a sign that the thieves are moving and trying new tactics on new areas.
'I think we're hitting a new level,' she said. 'Be very aware of your machines and what people can and cannot do.'
In the case of Pippins, their POS vendor, Moneris, did refund the money and Deangelis said she felt well taken care of.
Moneris told CTV News its machines do not have a default 'unauthorized refund' code.
'When merchants set-up their devices, they're prompted to set administrative passwords on the devices and it is recommended that they also set-up user profiles and permissions for things such as refunds. We also always recommend that businesses treat their payment terminals as they would cash - locked away and secure when not in use,' spokesperson Darren Leroux said in an email.
In the case of the Souvlaki hut, the POS vendor is Clover. Clover hadn't returned messages by deadline Wednesday.
Jorgaqi said $2,000 was a huge hit and had they known they had to put a limit on their machine, they would. But he said it should also be up to the POS terminal vendors to not sell the devices initially in such a vulnerable state.
'I think they should put in some better steps to help protect anyone that uses their services. Maybe limit the amount that someone can get in a refund, or put in two-step authorization to prevent this from happening again,' he said.