Fraud Scheme Hits GrocerCard Reader Compromised at Self-Service Checkout
According to a statement posted on Save Mart's website, tampered card-readers at self-service checkout lanes in 19 Lucky Supermarkets locations and one Save Mart store were discovered during routine maintenance. The statement did not say when the tampering might have occurred or what method of tampering was used, and attempts to reach Save Mart for clarification have been unsuccessful.
It's not clear if skimmers were installed, or if the card readers were replaced with readers manipulated to collect details. Save Mart does say, however, that it replaced readers on all of the affected terminals and added additional security to point-of-sale card readers in all of its 234 locations soon after the tampering was discovered.
"We are not aware nor have we been notified of any reports that customer accounts were compromised," the company statement says. "The appropriate authorities have been notified of this situation and consumer notices have been posted at credit/debit terminals in the affected stores as well as placed on our websites. As a precaution, we are recommending anyone who has used the self check-out lane in the affected stores to verify/monitor all credit/debit accounts with their financial institution to ensure everything is in order."
The statement also suggests consumers concerned about possible card exposure contact the California Office of Privacy Protection or the Federal Trade Commission for more information about identity theft.
Retailers: An Easy Target
The incident rings strikingly familiar to the Michaels POS breach. In May, Michaels discovered that card readers and PIN pads located on cashier POS systems in 90 of its stores had been manipulated to copy and transmit magnetic card details and PINs. The fraud was discovered when Michaels customers began reporting fraudulent ATM and retail transactions hitting their accounts. Card issuers tracked the common point of compromise back to Michaels.
See Also: Threat Briefing: Ransomware
McAfee consultant Robert Siciliano says retailers are fraudsters' new targets. Hitting electronic-funds-transfer POS devices has proved relatively easy.
"Criminals realize that retailers are understaffed to the point that swapping out a POS will go unnoticed," as it did in the Michaels breach, Siciliano says. "Once they determine the make and model of an easily swappable device, they target a chain they can easily comprise. It's also possible they may be employed (or were employed) by the companies that install and service the systems, in the form of an inside job."
It's not just a North American problem. Retailers and fast-food chains throughout the world have reported upticks in POS-related scams. In October 2009, a POS swapping scheme, like the one reported by Michaels, hit several McDonald's restaurants across Perth, Australia. The estimated financial loss totaled $4.5 million and affected some 3,500 consumers.
PCI Provides Protection
POS device-swapping aside, card-reader manipulations such as the one reported by Save Mart can be avoided, if retailers are diligent about compliance with the Payment Card Industry Data Security Standard.
Andrew Jamieson, technical manager with Witham Laboratories, an independent provider of information security evaluations and consulting to organizations throughout Asia-Pacific, says PCI-DSS compliance protects readers from compromise. "We do a lot of work with law enforcement in Australia, some of which is around POS-device tampering," he says. "If the data is being transmitted in the clear out of the device, compromise can occur."
This is why card readers must comply with version 3.1 of the PCI-PTS aid card security. If the readers contain a secure-reading-and-exchange of data module, then card data is encrypted even after it leaves the POS.
But Jeff Lenard, vice president of communications for the National Association of Convenience Stores, says self-service POS devices pose unique challenges for retailers.
"Thieves are, and will continue to, target self-service devices that do not have regular personnel supervising the system," he says. "Self-serve POS is right there with pay-at-the-pump, kiosks and ATMs."