The Green Sheet

Wednesday, October 6, 2010

ALDI breach may highlight fraudster M.O.

ALDI Inc., which operates 1,100 U.S. grocery stores across the Midwest and East Coast, affirmed on Oct. 1, 2010, that tampered POS terminals had been placed in ALDI stores in 11 states, leading to the unauthorized capture of the payment card information of ALDI customers. In a statement ALDI said a "limited number of stores" had tampered terminals and a "limited number of our customers" had been affected.

The grocery store chain stated that the tampered POS devices were placed in ALDI stores some time between June and August 2010. ALDI added that the terminals were found in stores in Hartford, Conn.; Atlanta; Chicago; Indianapolis; Rochester, N.Y.; Charlotte and Raleigh, N.C.; Pittsburgh and Philadelphia, Pa.; and Washington, D.C.; among other locations.

ALDI indicated it reported the crime to federal law enforcement, conducted an investigation into the security breach, reviewed its stores nationwide and removed the tampered terminals. Furthermore, the grocer said it notified the "relevant" card brands of the breach and implemented additional security measures in its stores.

ALDI spokeswoman Michele Williams told The Green Sheet that no ALDI employees are under suspicion as perpetrators of the breach. Williams declined to provide details on the crime or on the ongoing investigation.

The Chicago Tribune, however, did offer details, reporting that over 200 debit cardholders who shopped at an ALDI store in Wheeling, a suburb of Chicago, said they experienced unauthorized withdrawals of between $100 and $900 from their accounts. Furthermore, Pittsburgh news station WPXI reported that a local ALDI shopper said $600 was removed from her account via two unauthorized ATM withdrawals.

The Daily Herald, a suburban Chicago newspaper, reported that St. Charles, Ill., police said thieves used stolen debit card account numbers of ALDI shoppers to withdraw money at ATMs in California. Both the U.S. Secret Service and the FBI are reportedly investigating the breach, but no arrests have been made.

Debit only

The breach only affected PIN debit cardholders because ALDI stores do not accept credit cards. The grocer said debit purchases make checkout lines move faster because, unlike credit, debit transactions do not require extra time for customers to sign receipts. (ALDI also doesn't accept checks.) Additionally, the chain store claims it passes on savings to customers because it pays lower interchange rates on debit than it would on credit.

Gary Palgon, Vice President of Product Management at data security solution vendor nuBridges Inc., noted that credit cards are seen as a bigger security risk than debit. But the trouble with debit is that when fraudsters get card numbers and the corresponding PINs, they gain direct access to cardholders' bank accounts, he said.

Given the lack of available details, Palgon could not speculate on how the ALDI breach was perpetrated. But because it appears that it was not an "inside job" committed by ALDI employees, one possible scenario Palgon offered is that of a skimming scam involving fraudsters entering store locations and posing as POS service providers.

The would-be vendors tell store associates they are there to upgrade the terminals, Palgon said. Not knowing any better, the employees allow the fraudsters to replace the POS devices with identical models that have been fitted with additional chips, he said.

When transactions are conducted at the POS, the data is still processed in the normal fashion, but the embedded chips secretly reroute the captured card information to fraudsters' remote computers before it is encrypted, he said.

Flaws in the armor

The above scenario points to two main security flaws, according to Palgon. The first is a POS device issue because card data is not encrypted at the point of swipe. The other problem is one of training and education, Palgon said.
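The article says ALDI reviewed its stores and removed the tampered terminals. One low-cost way to make that kind of review repeatable is to reconcile a store's terminal asset register against what each checkout lane actually reports, since a swapped-in look-alike device keeps the model but carries a different serial number and usually different firmware. The following Python is an example written for this page, not code from ALDI, nuBridges or The Green Sheet; the lane layout, serial numbers and firmware hashes are constructed placeholders.

```python
# Added example (not from the article): reconcile a POS terminal asset register
# against the devices observed on each lane, flagging anything that does not
# match. All data below is constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Terminal:
    lane: int
    model: str
    serial: str
    firmware_sha256: str  # hash the device reports for its firmware image (placeholder values)


# Constructed asset register: what the store believes is installed on each lane.
REGISTER = {
    1: Terminal(1, "ModelX-200", "SN-0001", "aaaa"),
    2: Terminal(2, "ModelX-200", "SN-0002", "aaaa"),
    3: Terminal(3, "ModelX-200", "SN-0003", "aaaa"),
}

# Constructed observation from a lane-by-lane poll or a physical walk-through.
# Lane 2 has the right model but an unknown serial and different firmware;
# lane 3 reported nothing at all.
OBSERVED = [
    Terminal(1, "ModelX-200", "SN-0001", "aaaa"),
    Terminal(2, "ModelX-200", "SN-9999", "bbbb"),
]


def reconcile(register, observed):
    """Return a list of (lane, finding) tuples; an empty list means every lane matches."""
    findings = []
    seen = {t.lane: t for t in observed}
    known_serials = {t.serial for t in register.values()}

    for lane, expected in sorted(register.items()):
        actual = seen.get(lane)
        if actual is None:
            # A lane that no longer answers is worth a physical look too.
            findings.append((lane, "no terminal reported"))
            continue
        if actual.serial not in known_serials:
            findings.append((lane, f"unknown serial {actual.serial} (expected {expected.serial})"))
        elif actual.serial != expected.serial:
            findings.append((lane, f"serial {actual.serial} belongs on another lane"))
        if actual.model != expected.model:
            findings.append((lane, f"model mismatch {actual.model}"))
        if actual.firmware_sha256 != expected.firmware_sha256:
            findings.append((lane, "firmware hash differs from register"))

    # Devices answering on lanes the register does not know about.
    for t in observed:
        if t.lane not in register:
            findings.append((t.lane, f"unregistered lane with serial {t.serial}"))
    return findings


if __name__ == "__main__":
    for lane, finding in reconcile(REGISTER, OBSERVED):
        print(f"lane {lane}: {finding}")
```

The check only flags deviations from the register, so it is as good as the register itself: serials should be recorded when a device is installed by a verified technician, which is the credential check the article's source says store staff need to make.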

"It's not only a technology problem," he said. "It's a people problem, an education problem. Because people in the stores that work there need to question, what are your credentials to swap out my swipe, my payment terminal?"

Palgon noted that employee training is required by the Payment Card Industry Data Security Standard, but it's a "very small part." Further, he questioned the wisdom of training that entails merely checking a series of boxes. He believes merchants can't afford to cut corners in this manner because one lapse in security can result in "a lot of consequences for the brand."
