Fraud Scheme Hits Grocer

Card Reader Compromised at Self-Service Checkout

By , November 29, 2011.
Modesto, Calif.-based grocery chain Save Mart Supermarkets has issued a consumer advisory about card-reader breaches at 20 of its stores.

According to a statement posted on Save Mart's website, tampered card-readers at self-service checkout lanes in 19 Lucky Supermarkets locations and one Save Mart store were discovered during routine maintenance. The statement did not say when the tampering might have occurred or what method of tampering was used, and attempts to reach Save Mart for clarification have been unsuccessful.

It's not clear if skimmers were installed, or if the card readers were replaced with readers manipulated to collect details. Save Mart does say, however, that it replaced readers on all of the affected terminals and added security to point-of-sale card readers in all of its 234 locations soon after the tampering was discovered.

"We are not aware nor have we been notified of any reports that customer accounts were compromised," the company statement says. "The appropriate authorities have been notified of this situation and consumer notices have been posted at credit/debit terminals in the affected stores as well as placed on our websites. As a precaution, we are recommending anyone who has used the self check-out lane in the affected stores to verify/monitor all credit/debit accounts with their financial institution to ensure everything is in order."

The statement also suggests consumers concerned about possible card exposure contact the California Office of Privacy Protection or the Federal Trade Commission for more information about identity theft.

Retailers: An Easy Target

The incident is strikingly similar to the Michaels POS breach. In May, Michaels discovered that card readers and PIN pads located on cashier POS systems in 90 of its stores had been manipulated to copy and transmit magnetic card details and PINs. The fraud was discovered when Michaels customers began reporting fraudulent ATM and retail transactions hitting their accounts. Card issuers tracked the common point of compromise back to Michaels.

McAfee consultant Robert Siciliano says retailers are fraudsters' new targets. Hitting electronic-funds-transfer POS devices has proved relatively easy.

"Criminals realize that retailers are understaffed to the point that swapping out a POS will go unnoticed," as it did in the Michaels breach, Siciliano says. "Once they determine the make and model of an easily swappable device, they target a chain they can easily compromise. It's also possible they may be employed (or were employed) by the companies that install and service the systems, in the form of an inside job."

It's not just a North American problem. Retailers and fast-food chains throughout the world have reported upticks in POS-related scams. In October 2009, a POS swapping scheme, like the one reported by Michaels, hit several McDonald's restaurants across Perth, Australia. The estimated financial loss totaled $4.5 million and affected some 3,500 consumers.

PCI Provides Protection

POS device-swapping aside, card-reader manipulations such as the one reported by Save Mart can be avoided if retailers are diligent about compliance with the Payment Card Industry Data Security Standard.

Andrew Jamieson, technical manager with Witham Laboratories, an independent provider of information security evaluations and consulting to organizations throughout Asia-Pacific, says PCI-DSS compliance protects readers from compromise. "We do a lot of work with law enforcement in Australia, some of which is around POS-device tampering," he says. "If the data is being transmitted in the clear out of the device, compromise can occur."

This is why card readers must comply with version 3.1 of the PCI PIN Transaction Security (PCI-PTS) requirements to aid card security. If the readers contain a Secure Reading and Exchange of Data (SRED) module, then card data is encrypted even after it leaves the POS.

But Jeff Lenard, vice president of communications for the National Association of Convenience Stores, says self-service POS devices pose unique challenges for retailers.

Follow Tracy Kitten on Twitter: @FraudBlogger
