A banking chain in Colorado told Krebs on Security that it discovered a skimming operation while investigating several fraud cases against its clients. It discovered a common link in all the cards that were drained at local ATM machines: they had all been used at the same Safeway stores. It wasn’t just the stores, however, as the investigators were even able to pin the operation down to a few specific lanes inside the stores.
The Safeway representative who spoke to Krebs said that the problem is pretty common and that regular pin pad inspections are done to look for skimming and other tampering. He insisted that it is not unique to Safeway but that other stores may not be as up front about it.
[W]e inspect our store’s pin pads regularly and from time to time find a skimmer, but findings have been limited and small in scale. This is not unique to our company, and we understand some other retailers may have been more significantly impacted.
According to Krebs’ bank sources, Safeway locations in Denver, Arvada, Englewood, Conifer, and Lakewood, Colorado stores were affected by this particular attack. Information on a similar attack in Menlo Park and the Castro Valley in California was not as abundant, but the Krebs’ report said that bank sources there “strongly suspect” Safeway stores to be the root of a rash of fraud cases.
The report also says that the attacks cannot be conducted without some degree of special access to the pin pads. At present, it would not be profitable or feasible to install something while checking out, but a janitor or other employee with special access could install devices to read information from cards. Extra vulnerable are those with smart chips meant to remove the process of actually swiping.
But more interesting about these devices is that they gather data separately when regular cards are used with PINs. A device is placed which records the PIN entries and then another captures the rest of the user data. This is what enables the crooks to use ATMs after they have the information, in that they can simply reprint it onto other cards, maybe even realistic ones with the advent of 3D printers, and then also be able to use the PIN number which works for the card.
Nevertheless, a card is nothing but a magnetic strip storing data in plain text, for the most part, which means that the person able to get hold of that data is also able to make use of it, and anything linked to it is likewise vulnerable. In this case, the victims’ only mistake was going to that particular lane of that particular Safeway during that particular period. Safeway stores were surely targeted for maximum coverage: there’s guaranteed to be a lot of traffic at each terminal, no matter how quickly the device is captured. The only more brilliant place than a supermarket might be a gasoline dispenser.
Featured image from Shutterstock.