Grocer Confirms Card Fraud

Save Mart Issues Warning After Reports of Account Compromises

By , December 7, 2011.
Grocer Confirms Card Fraud


See Also: Understanding the Opportunities and Threats in Mobile Banking

odesto, Calif.-based grocer Save Mart Supermarkets confirms that at least 80 employees and customers have reported account compromises linked to a data breach discovered Nov. 23. [See Fraud Scheme Hits Grocer.]

According to a Dec. 5 statement issued by Save Mart, reports of compromised bank account data or attempts to access bank account data escalated over the weekend. Tampered-with card readers are suspected of affecting self-service checkout terminals in 23 Save Mart and Lucky Supermarkets, which also are owned and operated by Save Mart. Save Mart owns and operates more than 233 stores in Northern California.

"We strongly recommend our customers who used a self check-out lane in the affected stores contact their financial institution to close existing accounts and seek further advice," Save Mart states. "We continue to work with local, state, and federal law enforcement to find those responsible."

Save Mart reportedly discovered the tampered card readers during routine maintenance. When the tampering occurred and the types of devices or methods used to compromise the terminal readers have not been explained. But in a separate Dec. 5 statement posted on Save Mart's website, chief financial officer Stephen Ackerman says the company this week expects to determine the timeline of the card-reader tampering.

"We strongly recommend that anyone who used our self-checkout terminals in the affected stores during the months of October and November consider closing their bank account and opening a new one," Ackerman says. "Authorities have told us that attempts to steal account information are most likely to occur over the weekend, when most financial institutions are closed or have limited hours."

Updates about the breach are expected to be posted on the Lucky Supermarkets website under the Consumer Alert tab.

Save Mart says it has replaced readers on all of the affected terminals and has added additional security to other point-of-sale card readers in all of its stores.

Did Lax Security Contribute to Fraud?

Though details surrounding the Save Mart debit and credit card breach remain sketchy, industry experts speculate possible insider collusion and/or gaps in compliance with the Payment Card Industry Data Security Standard contributed to the fraud.

Martin McKeay, a former PCI-quality security assessor who now works on the security intelligence team at web-security provider Akamai, says the number of stores compromised raises concern. "My money is on someone who has extended physical access to the systems, rather than someone who is coming in off the street and popping the [personal identification number] pads," he says. "At this point in time, I hope law enforcement is investigating every vendor Save Mart uses, from the vendors who installed the PIN pads to begin with, to the cleaning crew that comes in at night."

That employees reported compromises and that bank accounts were specifically mentioned in the Save Way release suggest debit cards and PINs were targeted. "Credit cards are compromised by reading the card [magnetic] stripe data and cloning the card, whereas a debit card requires also capturing the user's PIN," McKeay says. "The three ways to capture the PIN are a keyboard overlay, a pinhole camera on the PIN pad or a hardware compromise of the PIN pad itself."

Such sophistication hints at an organized crime ring being behind the attacks, similar to the attacks that in May hit Michaels crafts stores in more than 20 states. Michaels discovered card-readers and PIN-pads located on cashier POS systems in 90 of its stores had been manipulated to copy and transmit magnetic card details and PINs. The fraud was discovered when Michaels customers began reporting fraudulent ATM and retail transactions hitting their accounts. Card issuers tracked the common point of compromise back to Michaels.

Follow Tracy Kitten on Twitter: @FraudBlogger

  • Print
  • Tweet Like LinkedIn share
Get permission to license our content for reuse in a myriad of ways.
ARTICLE Who's Hijacking Internet Routes?

Russian and European malware and spam purveyors have been hijacking Internet routes. Pending a...

Latest Tweets and Mentions

ARTICLE Who's Hijacking Internet Routes?

Russian and European malware and spam purveyors have been hijacking Internet routes. Pending a...

The ISMG Network