The Green Sheet Online Edition
October 25, 2010 • Issue 10:10:02
ALDI breach may highlight fraudster M.O.
ALDI Inc., which operates 1,100 U.S. grocery stores across the Midwest and East Coast, affirmed on Oct. 1, 2010, that tampered POS terminals had been placed in ALDI stores in 11 states, leading to the unauthorized capture of payment card information of ALDI customers. In a statement ALDI said a "limited number of stores" had tampered terminals and a "limited number of our customers" had been affected.
The grocery store chain stated that the tampered POS devices were placed in ALDI stores between June and August 2010. The compromised terminals were found in Hartford, Conn.; Atlanta; Chicago; Indianapolis; Rochester, N.Y.; Charlotte and Raleigh, N.C.; Pittsburgh; Philadelphia; and Washington; among other store locations.
ALDI indicated it reported the crime to federal law enforcement, conducted an investigation into the security breach, reviewed its stores nationwide and removed the tampered terminals. Furthermore, the grocer said it notified the "relevant" card brands of the breach and implemented additional security measures in its stores.
ALDI spokeswoman Michele Williams told The Green Sheet that no ALDI employees are under suspicion as perpetrators of the breach. Williams declined to provide details on the crime or on the ongoing investigation.
The Chicago Tribune reported that over 200 debit cardholders who shopped at an ALDI store in Wheeling, a suburb of Chicago, said they experienced unauthorized withdrawals of between $100 and $900 from their accounts. Furthermore, Pittsburgh news station WPXI reported that a local ALDI shopper said $600 was removed from her account via two unauthorized ATM withdrawals.
The Daily Herald, a suburban Chicago newspaper, reported that St. Charles, Ill., police said thieves used stolen debit card account numbers of ALDI shoppers to withdraw money at ATMs in California. Both the U.S. Secret Service and the FBI are reportedly investigating the breach, but no arrests have been made.
The breach only affected PIN debit cardholders; ALDI stores do not accept credit cards or checks.
The grocer said debit purchases make checkout lines move faster because, unlike credit, debit transactions do not require extra time for customers to sign receipts. Additionally, ALDI claims it passes on savings to customers because it pays lower interchange rates on debit than it would on credit.
Gary Palgon, Vice President of Product Management at data security solution vendor nuBridges Inc., noted that credit cards are seen as a bigger security risk than debit. But the trouble with debit is that when fraudsters get card numbers and corresponding PINs, they achieve access to cardholders' bank accounts, he said.
Given the lack of available details, Palgon could not speculate on how the ALDI breach was perpetrated. But because it appears it was not committed by ALDI employees, one scenario Palgon offered is that of a skimming scam involving fraudsters entering store locations and posing as POS service providers.
The would-be vendors tell store associates they are there to upgrade the terminals, Palgon said. Not knowing any better, the employees allow the fraudsters to swap the POS devices for the same POS models, but embedded with chips, he said.
When transactions are conducted at the POS, the data is processed in the normal fashion, but the embedded chips secretly reroute the captured card information to fraudsters' remote computers before it is encrypted, he said.
Flaws in the armor
The above scenario points to two main security flaws, according to Palgon. The first is a POS device issue because card data is not encrypted at the point of swipe. The other problem is one of training and education.
"It's not only a technology problem," he said. "It's a people problem, an education problem. Because people in the stores that work there need to question, what are your credentials to swap out my swipe, my payment terminal?"
Palgon noted that employee training is required by the Payment Card Industry Data Security Standard, but it's a "very small part." Further, he questioned the wisdom of training that entails merely checking a series of boxes.
He believes merchants can't afford to cut corners in this manner because one lapse in security can result in "a lot of consequences for the brand."