
The Green Sheet Online Edition

December 26, 2011  •  Issue 11:12:02


California Lucky's unfortunate breach

Self-checkout POS terminals in 23 Northern California Lucky Supermarkets stores were tampered with to allow thieves to collect card and PIN data and steal thousands of dollars from Lucky customers. Save Mart Supermarkets, which owns and operates the Lucky supermarket chain, said that as of Dec. 7, 2011, more than 500 customers had reported fraudulent activity in their accounts as a result of the skimming operation.

Breach timeline

According to published reports, a criminally altered terminal was discovered in a Lucky store in Mountain View, Calif., on Nov. 3, 2011. It was reportedly Nov. 11, 2011, before the company started looking for evidence of tampering in other stores.

On Nov. 14, 2011, POS terminal manufacturer VeriFone Inc. was notified and asked to examine a Lucky terminal for signs of tampering. Three days later VeriFone confirmed a problem with the terminal. Lucky then sent technicians to all its 233 Northern California stores to look for other tampered terminals.

By Nov. 22, the chain had found one tampered self-serve checkout terminal in each of 20 stores. The next day, Lucky issued a consumer breach notice to each of the 20 stores affected, stating it had found tampered terminals in those stores.

By Dec. 5, the supermarket chain had disclosed to consumers that the number of compromised stores had risen to 23. Local news sources said the devices may have been installed in the Lucky stores as early as Oct. 1.

Petaluma problems

One store included in the Dec. 5 consumer alert was a Lucky store in Petaluma, Calif. Petaluma police said they received at least 140 reports of ATM thefts related to the Lucky breach. Petaluma Police Lt. Tim Lyons told The Green Sheet the POS terminals where the thefts occurred apparently contained unauthorized circuit boards inserted to collect card and PIN information.

Lyons also heard that a Bluetooth device may have been used to transmit the card and PIN information to a criminal collecting the information nearby. He said that as a result, some bank accounts were hit from ATMs many miles away before customers even left the Lucky parking lot.

Lyons indicated the lowest amount reportedly stolen in the Petaluma breach was $200. The highest amount was $3,000 - six unauthorized withdrawals of $500 in a single day. In some cases, the thieves were able to use the information collected to drain savings in addition to checking accounts, Lyons said.

Expressing concern over delays in notifying the public, one Petaluma customer told The Green Sheet that even though he wasn't robbed, he was upset with Lucky Supermarkets because he used the self-checkout four times between Nov. 17 and Dec. 5, 2011 - something he would not have done had the chain alerted him earlier about problems with the self-serve checkout terminals.

Investigation in progress

The investigation is being conducted by the San Francisco Secret Service Electronic Crimes Task Force. Secret Service Agent Andy Adelmann said the Secret Service has been working with Save Mart since at least the beginning of December but, as of Dec. 12, had not completed its forensic examination of the terminals, so he was unable to confirm how information was stolen or transmitted.

He did confirm there have been cases locally of organized criminals running operations similar to the one discovered by Lucky.

Save Mart Supermarkets Chief Financial Officer Stephen Ackerman told customers, "At this time, we strongly recommend that anyone who used our self-checkout terminals in the affected stores during the months of October and November consider closing their bank account and opening a new one."

VeriFone does not comment publicly on security-related situations under investigation, but VeriFone Media Relations spokesman Pete Bartolik said, "Public reports of breaches have not involved more recent generations of VeriFone products.

"The PCI Council proactively urges all merchants and acquirers to continually monitor installed payment devices and to replace older payment systems that no longer meet their published security standards."

Security-side viewpoint

Andrew Brandt, Director of Threat Research for Solera Networks Research Labs, said, "For Lucky to recommend that people close their bank account is outrageously excessive. What people who used a bank debit card (not a credit card) to pay at a Lucky store need to do is call their bank, warn the bank that their ATM card may have been skimmed and ask the bank to issue them a new ATM card with different numbers.

"It also would be good to ask that the maximum daily ATM withdrawal limit be reduced to the lowest possible amount - $100 or less - to reduce the losses." Brandt said "gangs of card skimmers" have been "pulling these kinds of scams" around the United States for at least the past two to three years. In Europe, where chip and PIN technology makes this kind of scam more difficult, the devices are typically altered at the factory to collect and transmit personal information - "a far more difficult-to-detect problem," Brandt said.


Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
