Victims of the card-skimming scam had their personal details stolen from under their nose as they used eftpos devices altered by thieves.
More than $150,000 has been taken via ATM machines in Canada from the accounts of about 700 New Zealanders in a scam involving "corrupted" eftpos keypads, police have found.
The Herald has learned the pads were taken from shops around Auckland. They were then altered and placed in other stores, where they recorded the magnetic strips on eftpos cards and the personal identification numbers (PINs) used to access accounts to which they were linked.
Those details were then transmitted overseas where banking sources say they were used to make cloned cards for withdrawals in Montreal.
Last night, Burger Fuel said it was just one of a number of national chains targeted in the scam, which ran for weeks.
And banking sources expressed fear the scam may have harvested banking information of which police and banks are unaware.
Police were unwilling last night to comment on their investigation, which has so far resulted in the arrest in Auckland of four Canadian-based men.
Chea Sina, from Cambodia, William Alexande Rivera-Rivas and Mario Rivera from El Salvador and Kevin Roberto Flores Roldan, from Canada, are in custody on charges of participating in an organised criminal group and dishonestly obtaining 10 keypads in March and April.
As police moved here, the card details from New Zealand began to be used in Canada.
The entertainment centre of Auckland's upper Queen Street was a focus for the gang, who used sleight-of-hand and gall to plant their pads in a cluster of stores.
The Herald has learned details of the operation, which police have known of since mid-March. It is the second time such a scam has been detected in NZ; three Canadians were caught in 2010 and jailed for two years.
The scam relies on sophisticated technical know-how and sleight-of-hand, according to banking sources.
One said it was unknown how many other stores might have been targeted by the group.
Bank statements of victims show the Canadian accomplices struck over Easter weekend. They withdrew the first tranche of cash in a flurry of withdrawals - then again once each day until Tuesday of this week.
Burger Fuel marketing manager Alexis Lam said the chain first became aware it was being targeted on March 24. It told eftpos provider Payment Express, which was already working with police and banks.
"It is important to note that any eftpos terminal is a potential target for this sort of tampering," Mr Lam said.
Burger Fuel had wrestled with warning customers, who have told the Herald of being caught by the scammers as late as March 30.
"We knew that catching them was the most important thing." Alerting customers raised the prospect of the skimmers getting away. He said banks had assured Burger Fuel its customers would be covered financially.
Mr Lam said the chain had worked closely with the police and believed it had played a significant part in helping to catch those accused of the skimming.
Staff at the Queen St store were quick to remove the "corrupted" keypads when they were found.
He said the skimmers had repeatedly targeted Burger Fuel and other national chains in the area.
"We are not the only ones who have been targeted in this case and these are all places in very close proximity to each other."
Last night, staff at rival store Burger King said police had asked if it had experienced problems with its eftpos machines. It had told them there had not been any problems.
A spokesman for Nandos, which also has a store in the area, said it had not been affected.
Banks have said they will cover customers' estimated $150,000 losses. ASB customers have been hit the most - more than 250 have had money taken from their accounts.
Kiwibank and Westpac said about 70 customers had been affected, while ANZ and National estimated 150 between them. The BNZ has about 100 affected customers.
The number does not include customers whose cards were cancelled as a precaution after banks received lists of all clients who had spent money at the targeted stores.
The Herald has spoken to a number of customers who bought food at the Queen St Burger Fuel store after the chain became aware it was a target.
Julie Anne Genter, a Green Party MP, dined on a Bambina burger costing $7.70 on March 30 after riding the bus from the airport.
Chris Leggett said he bought a V-Twin Vege burger with kumara fries on March 26. He said others who had visited the store with him had not had money taken from their accounts but their cards had been cancelled as a precaution.
Mr Leggett, who is moving to the United States in a few days, has yet to receive a replacement card. "It is pretty annoying," he said.
AUT student Fahad Alshammari said he had lost about $3000 and was yet to receive an assurance his losses would be covered. Mr Alshammari, who bought a CN Cheese, said: "The banks need to find a way to keep their customers' money secured."
In 2010, police arrested three men who had been operating a similar scam for a month. It followed a one-year operation in Australia in which 154 eftpos-style machines were altered. Banks suffered losses of $25 million.
Police prosecution details from the 2010 case stated 200 eftpos-style machines were stolen every month in Canada as part of the scam. The industry losses there were estimated to be about $100 million.
In the 2010 case, 11 keypads were stolen from retail stores across Auckland. They were switched with others in stores targeted by the three men. When later examined, they were found to have been altered with a microchip added to the inner electronics.
The men were convicted of being members of an organised criminal gang and sent to prison for two years.
Have you been skimmed?
Email newsdesk@nzherald. co.nz