More skimming devices were discovered at some of the locations

Dec 8, 2011 14:55 GMT

At the end of November, we saw how 20 supermarkets belonging to the Modesto-based Save Mart chain were found to host modified credit card readers that had been set up to function as skimming devices.

As it turns out, at least 80 of their customers and employees reported compromised account data or attempts to access account data. In addition, three more devices that were not identified in the first verification were found to act as skimmers.

“The missed stores were Lucky-Sunnyvale, Lucky-Novato, and Lucky on 939 Lakeville Hwy. in Petaluma. Again, these were not newly tampered card readers but part of the original discovery,” reads a store statement.

Lucky supermarkets in Pinole, Milpitas, Mountain View, Redwood City, El Cerrito, Daly City, Foster City, San Carlos and a few other locations were affected by the security incident.

Since the number of skimmers is fairly high, other victims might report fraudulent transactions in the near future.

Bank Info Security asked the opinion of a former PCI Qualified Security Assessor, who stated that the large number of affected locations raises some concerns.

“My money is on someone who has extended physical access to the systems, rather than someone who is coming in off the street and popping the [personal identification number] pads,” said Martin McKeay from web-security provider Akamai.

“At this point in time, I hope law enforcement is investigating every vendor Save Mart uses, from the vendors who installed the PIN pads to begin with, to the cleaning crew that comes in at night.”

He believes that the crooks targeted debit cards, which means there must be an extra mechanism hidden somewhere to record the PINs.

“The three ways to capture the PIN are a keyboard overlay, a pinhole camera on the PIN pad or a hardware compromise of the PIN pad itself,” McKeay added.