The Green Sheet Online Edition
December 26, 2011 • Issue 11:12:02
California Lucky's unfortunate breach
Self-checkout POS terminals in 23 Northern California Lucky Supermarkets stores were tampered with to allow thieves to collect card and PIN number data and steal thousands of dollars from Lucky customers. Save Mart Supermarkets, which owns and operates the Lucky supermarket chain, said that as of Dec. 7, 2011, more than 500 customers had reported fraudulent activity in their accounts as a result of the skimming operation.
Breach time line
According to published reports, a criminally altered terminal was discovered in a Lucky store in Mountain View, Calif., on Nov. 3, 2011. It was reportedly Nov. 11, 2011, before the company started looking for evidence of tampering in other stores.
On Nov. 14, 2011, POS terminal manufacturer VeriFone Inc. was notified and asked to examine a Lucky terminal for signs of tampering. Three days later VeriFone confirmed a problem with the terminal. Lucky then sent technicians to all its 233 Northern California stores to look for other tampered terminals.
By Nov. 22, the chain had found one tampered self-serve checkout terminal in each of 20 stores. The next day, Lucky issued a consumer breach notice to each of the 20 stores affected, stating it had found tampered terminals in those stores.
By Dec. 5, the supermarket chain had disclosed to consumers the number of compromised stores had risen to 23. Local news sources said the devices may have been installed in the Lucky stores as early as Oct. 1.
One store included in the Dec. 5 consumer alert was a Lucky store in Petaluma, Calif. Petaluma police said they received at least 140 reports of ATM thefts related to the Lucky breach. Petaluma Police Lt. Tim Lyons told The Green Sheet the POS terminals where the thefts occurred apparently contained unauthorized circuit boards inserted to collect card and PIN information.
Lyons also heard that a Bluetooth device may have been used to transmit the card and PIN information to a criminal collecting the information nearby. He said that as a result, some bank accounts were hit from ATMs many miles away before customers even left the Lucky parking lot.
Lyons indicated the lowest amount reportedly stolen in the Petaluma breach was $200. The highest amount was $3,000 - six unauthorized withdrawals of $500 in a single day. In some cases, the thieves were able to use the information collected to drain savings in addition to checking accounts, Lyons said.
Expressing concern over delays in notifying the public, one Petaluma customer told The Green Sheet that even though he wasn't robbed, he was upset with Lucky Supermarkets because he used the self-checkout four times between Nov. 17 and Dec. 5, 2011 - something he would not have done had the chain alerted him earlier about problems with the self-serve checkout terminals.
Investigation in progress
The investigation is being conducted by the San Francisco Secret Service Electronic Crimes Task Force. Secret Service Agent Andy Adelmann said the Secret Service has been working with Save Mart since at least the beginning of December but, as of Dec. 12, had not completed its forensic examination of the terminals, so he was unable to confirm how information was stolen or transmitted.
He did confirm there have been cases locally of organized criminals running operations similar to the one discovered by Lucky.
Save Mart Supermarkets Chief Financial Officer Stephen Ackerman told customers, "At this time, we strongly recommend that anyone who used our self-checkout terminals in the affected stores during the months of October and November consider closing their bank account and opening a new one."
VeriFone does not comment publicly on security-related situations under investigation, but VeriFone Media Relations spokesman Pete Bartolik said, "Public reports of breaches have not involved more recent generations of VeriFone products.
"The PCI Council proactively urges all merchants and acquirers to continually monitor installed payment devices and to replace older payment systems that no longer meet their published security standards."
Andrew Brandt, Director of Threat Research for Solera Networks Research Labs, said, "For Lucky to recommend that people close their bank account is outrageously excessive. What people who used a bank debit card (not a credit card) to pay at a Lucky store need to do is call their bank, warn the bank that their ATM card may have been skimmed and ask the bank to issue them a new ATM card with different numbers.
"It also would be good to ask that the maximum daily ATM withdrawal limit be reduced to the lowest possible amount - $100 or less - to reduce the losses." Brandt said "gangs of card skimmers" have been "pulling these kinds of scams" around the United States for at least the past two to three years. In Europe, where chip and PIN technology makes this kind of scam more difficult, the devices are typically altered at the factory to collect and transmit personal information - "a far more difficult-to-detect problem," Brandt said.
For additional news stories, please visit www.greensheet.com and click on "Read the Entire Story" in the center column below the latest news story excerpt. This will take you to the full text of that story, followed by all other news stories posted online.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.