According to a Dec. 5 statement issued by Save Mart, reports of compromised bank account data, or of attempts to access bank account data, escalated over the weekend. Tampered-with card readers are suspected on self-service checkout terminals in 23 Save Mart and Lucky Supermarkets stores; Lucky is also owned and operated by Save Mart, which owns and operates more than 233 stores in Northern California.
"We strongly recommend our customers who used a self check-out lane in the affected stores contact their financial institution to close existing accounts and seek further advice," Save Mart states. "We continue to work with local, state, and federal law enforcement to find those responsible."
Save Mart reportedly discovered the tampered card readers during routine maintenance. It has not explained when the tampering occurred or what devices or methods were used to compromise the terminal readers. But in a separate Dec. 5 statement posted on Save Mart's website, chief financial officer Stephen Ackerman says the company expects to determine the timeline of the card-reader tampering this week.
"We strongly recommend that anyone who used our self-checkout terminals in the affected stores during the months of October and November consider closing their bank account and opening a new one," Ackerman says. "Authorities have told us that attempts to steal account information are most likely to occur over the weekend, when most financial institutions are closed or have limited hours."
Updates about the breach are expected to be posted on the Lucky Supermarkets website under the Consumer Alert tab.
Save Mart says it has replaced readers on all of the affected terminals and has added additional security to other point-of-sale card readers in all of its stores.
Did Lax Security Contribute to Fraud?
Though details surrounding the Save Mart debit and credit card breach remain sketchy, industry experts speculate that insider collusion, gaps in compliance with the Payment Card Industry Data Security Standard, or both contributed to the fraud.
Martin McKeay, a former PCI Qualified Security Assessor who now works on the security intelligence team at web-security provider Akamai, says the number of stores compromised raises concern. "My money is on someone who has extended physical access to the systems, rather than someone who is coming in off the street and popping the [personal identification number] pads," he says. "At this point in time, I hope law enforcement is investigating every vendor Save Mart uses, from the vendors who installed the PIN pads to begin with, to the cleaning crew that comes in at night."
That employees reported compromises and that bank accounts were specifically mentioned in the Save Mart release suggest debit cards and PINs were targeted. "Credit cards are compromised by reading the card [magnetic] stripe data and cloning the card, whereas a debit card requires also capturing the user's PIN," McKeay says. "The three ways to capture the PIN are a keyboard overlay, a pinhole camera on the PIN pad or a hardware compromise of the PIN pad itself."
Such sophistication hints at an organized crime ring being behind the attacks, similar to the attacks that in May hit Michaels crafts stores in more than 20 states. Michaels discovered that card readers and PIN pads on cashier POS systems in 90 of its stores had been manipulated to copy and transmit magnetic-stripe card details and PINs. The fraud came to light when Michaels customers began reporting fraudulent ATM and retail transactions on their accounts, and card issuers traced the common point of compromise back to Michaels.
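The last step of the Michaels investigation, working back from the cards whose holders reported fraud to the one terminal they all had in common, is what issuers call common point of purchase (CPP) analysis. The Python below is an added illustration of that analysis, not code from the article or from any issuer: the transaction rows, card identifiers, merchant and terminal names are constructed, and the exposure window and the minimum of three compromised cards per terminal are assumptions. It ranks terminals by how much of the fraud population they cover and by lift over the base rate, so a busy merchant that simply sees a lot of cards does not outrank a single tampered self-checkout lane.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (not from the article): each row is one card-present
# transaction as an issuer would see it: (card_id, merchant_id, terminal_id, date).
# All card, merchant and terminal identifiers are hypothetical.
FRAUD_CARDS = {f"c{i:02d}" for i in range(1, 9)}   # 8 cards whose holders reported fraud
CLEAN_CARDS = [f"k{i:02d}" for i in range(1, 35)]  # 34 cards with no fraud reports

TRANSACTIONS = []
# A self-checkout terminal used by every compromised card plus two clean ones.
for card in sorted(FRAUD_CARDS) + CLEAN_CARDS[:2]:
    TRANSACTIONS.append((card, "lucky-0412", "sco-3", date(2011, 10, 14)))
# A high-traffic merchant: five compromised cards among thirty-five is background noise.
for card in sorted(FRAUD_CARDS)[:5] + CLEAN_CARDS[2:32]:
    TRANSACTIONS.append((card, "megamart", "lane-1", date(2011, 11, 2)))
# Two compromised cards at a coffee shop: below the reporting threshold.
for card in ["c06", "c07", CLEAN_CARDS[32]]:
    TRANSACTIONS.append((card, "coffee", "pos-1", date(2011, 11, 20)))
# Three compromised cards at a gas pump, but in September, outside the exposure window.
for card in ["c01", "c02", "c03"]:
    TRANSACTIONS.append((card, "gas", "pump-2", date(2011, 9, 15)))
TRANSACTIONS.append((CLEAN_CARDS[33], "gas", "pump-2", date(2011, 10, 3)))

# Assumed exposure window, matching the October/November period in the article.
WINDOW = (date(2011, 10, 1), date(2011, 11, 30))


def common_point_of_purchase(transactions, fraud_cards, start, end, min_fraud=3):
    """Rank (merchant, terminal) pairs by how well they explain the fraud reports.

    coverage:   share of all fraud-reported cards that transacted at this terminal
    fraud_rate: share of this terminal's cards that were later reported
    lift:       fraud_rate divided by the base rate over every card seen in the
                window, so sheer transaction volume does not float to the top
    """
    cards_by_terminal = defaultdict(set)
    all_cards = set()
    for card, merchant, terminal, when in transactions:
        if start <= when <= end:
            cards_by_terminal[(merchant, terminal)].add(card)
            all_cards.add(card)
    if not all_cards:
        return []
    base_rate = len(all_cards & fraud_cards) / len(all_cards)

    results = []
    for location, cards in cards_by_terminal.items():
        compromised = cards & fraud_cards
        if len(compromised) < min_fraud:
            continue  # too few reports to distinguish from chance
        fraud_rate = len(compromised) / len(cards)
        results.append({
            "location": location,
            "fraud_cards": len(compromised),
            "total_cards": len(cards),
            "coverage": len(compromised) / len(fraud_cards),
            "fraud_rate": fraud_rate,
            "lift": fraud_rate / base_rate if base_rate else float("inf"),
        })
    results.sort(key=lambda r: (r["coverage"], r["lift"]), reverse=True)
    return results


def rank_terminals():
    """Run the analysis over the constructed data for the assumed window."""
    return common_point_of_purchase(TRANSACTIONS, FRAUD_CARDS, WINDOW[0], WINDOW[1])


if __name__ == "__main__":
    for row in rank_terminals():
        merchant, terminal = row["location"]
        print(f"{merchant}/{terminal}: {row['fraud_cards']}/{row['total_cards']} cards "
              f"reported, coverage={row['coverage']:.2f}, lift={row['lift']:.1f}")
```

On the constructed data the tampered self-checkout lane covers all eight reported cards with a lift of about 4.2, while the busy merchant that five of those cards also visited shows a lift below 1, which is why coverage and lift together, rather than a raw count of compromised cards, are the useful ranking keys. Narrowing the window is the other lever: the September gas-pump transactions drop out entirely once the window is set to the months in which the tampering is believed to have occurred.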
Whether Save Mart and Lucky stores were targeted by an organized ring remains to be determined. But Andrew Jamieson, technical manager with Witham Laboratories, an independent provider of information security evaluations and consulting to organizations throughout Asia-Pacific, says compliance with version 3.1 of the PCI PIN Transaction Security requirements, passed in May 2010 by the PCI Security Standards Council, likely would have prevented the Save Mart compromise, unless the PIN pads were physically swapped. [See Is PCI Effectively Preventing Fraud?]
"PCI PTS is first and foremost the security standard that tests both the physical and logical security of card acceptance devices, and therefore it is, in fact, the primary goal of PCI PTS - to protect against direct compromise of devices," he says. "In addition to this standard, PCI has released a document, 'Skimming Prevention: Best Practices for Merchants,' which aims specifically to assist merchants in understanding how to recognize devices which may have been compromised by criminals."