Grocer Confirms POS Skimming Attack

Customers, Card Issuers Watch for Fraudulent Activity

By , January 4, 2012.
Save Mart, the Modesto, Calif.-based grocery chain, confirms that skimming devices are to blame for the data breach believed to have exposed hundreds of consumer accounts to debit and credit card fraud. [See Fraud Scheme Hits Grocer.]

According to the latest statement issued by Save Mart, the skimming attack targeted self-service checkout terminals at 24 Save Mart and Lucky Supermarkets in the San Francisco Bay area. Save Mart owns and operates more than 233 stores in Northern California.

This is the first confirmation that Save Mart's breach was the result of a skimming attack. Previous statements have offered scant details about the incident.

In late November, Save Mart issued a consumer advisory, warning customers about card-reader breaches at 20 of its stores. In December, Save Mart confirmed that at least 80 employees and customers had reported account compromises.

Save Mart's chief financial officer Stephen Ackerman, in a Dec. 5 statement, said the company believed cards used during the months of October and November were likely exposed. But few other details were released.

Now, after working with the Secret Service as part of an ongoing investigation, Save Mart says it has uncovered what it calls a high-tech credit- and debit-card skimming scheme. So far, compromised card data has been traced to use at single checkout lanes at each of the 24 affected stores. As a precautionary measure, however, the company has replaced or inspected all of its 2,557 POS card readers, which include self-checkout and staffed checkout lanes, in all of its stores in Northern California and Northern Nevada. "This not only includes Lucky Supermarket stores, but inspections at Save Mart, S-Mart Foods, Maxx Value Foods and FoodMaxx stores that are also owned by Lucky Supermarkets' parent company, Save Mart Supermarkets," the company says.

Routine Inspections Identified Breach

A similar breach, which in May was discovered at POS systems in 20 Michaels crafts stores, highlights the vulnerabilities of retail checkout systems. But, unlike the Michaels compromise, which was discovered after card issuers' fraud-detection systems linked compromised cards back to Michaels, the Save Mart breach was uncovered during a routine maintenance check.

Julie McNelley, research director at Aite Group who focuses on financial fraud, says both incidents reinforce the need for physically inspecting card readers and payments devices. "We have seen many banks deploy this practice for their ATMs as well," she says.

But there is no silver bullet.

John Buzzard of FICO's Card Alert Service says retailers and banks, as card issuers, have to rely on detection systems as well as physical inspections. In the Save Mart breach, FICO identified 12 of the initially compromised locations, once fraudulent ATM withdrawals started hitting cardholder accounts on Dec. 2.

"FICO Card Alert Service sent out compromised card reports to all affected issuers during the first week of December, so that card issuers had an opportunity to identify and manage the risk directly associated with this type of counterfeit card fraud," Buzzard says. "The card issuer's aggressive blocking and reissuance of cards related to this case truly made a huge dent in the amount of losses experienced."

Buzzard says banking institutions that took proactive action to identify high-risk cards linked to those Save Mart and Lucky locations substantially limited their losses. In the Michaels breach, FICO also identified at-risk cards linked to 70 Michaels locations in 18 states.

"It really takes the combined efforts of FIs [financial institutions], merchants and consumers to proactively detect and mitigate the impact of these attacks," McNelley says. "Many FIs have sophisticated analytics deployed to look for these types of breaches, but it takes a number of losses that are detected by consumers in order to have enough of a pattern to identify a common point of compromise. Lucky was fortunate that they didn't have to wait for these types of analytic routines to create a trail that led back to its stores, or the impact of the breach could have been great."

Follow Tracy Kitten on Twitter: @FraudBlogger
