Perimeter
Guest Blog // Selected Security Content Provided By Sophos
What's This?
12/15/2011
09:31 AM
Dark Reading
Dark Reading
Security Insights
Connect Directly
RSS
E-Mail
50%
50%

Criminals Make Sure You're Never Really Alone, Even In Self-Checkout Lanes

Vigilance against card fraud is a 24/7 process, even at the grocery store

Multiple media outlets, such as Wired, have reported that criminals have tampered with the credit- and debit-card readers at self checkouts in more than 20 supermarkets operated by California-based Lucky Supermarkets.

The thieves used credit-card skimmers attached to the terminals to collect the account numbers and PINs of everyone who used them to pay for their groceries.

In announcing the breach, Lucky responsibly advised consumers:

“There have been approximately 80 employee and customer reports of either compromised account data or attempts to access account data, with the majority coming over this past weekend ... We strongly recommend our customers who used a self check-out lane in the affected stores contact their financial institution to close existing accounts and seek further advice. We continue to work with local, state, and federal law enforcement to find those responsible.”

As usual, the theft was discovered only after the damage was done. It turns out an employee performing routine maintenance on a self-checkout machine “uncovered an extra computer board that had been placed inside the checkout machine, recording customers’ financial information.” That was on Nov. 11.

Once the supermarket chain warned customers about the compromise on Nov. 23 -- 12 days later, if you’re keeping score -- the supermarket fielded more than 1,000 calls from customers contending they had been victims of fraud.

The advice by Joseph Steinberg, a security expert whose opinion was solicited for the story states the obvious. “Everyone should always check any device in which they insert/swipe a credit/debit/ATM card, or to which they touch their card, to see if it looks like it may have been modified/covered.”

While it’s impractical that everyone checking themselves out at the local grocer will pay any attention at all to determine whether a credit/debit card machine has been tampered with, most people don't even know what to look for.

In this case it would have been nearly impossible to know these terminals had been altered because the changes were all on the inside, unlike many ATM skimmers that are attached externally.

These are decisions that each of us must make about what kinds of risks we are each willing to tolerate for convenience. You could carry large quantities of cash, but I wouldn't recommend it. For me, I will stick to using my credit card (which offers protection) and leave the debit card and armored truck at home.

Of course, before I insert that credit card I do take a look carefully to see if there is any obvious sign of tampering. I also frequent the same shops and ATMs, which gives me familiarity with what “should” be.

Last, you are not being paranoid if you do these things. They really are out to get us, so remain vigilant.

Chester Wisniewski is a senior security adviser at Sophos Canada

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0993
Published: 2014-09-15
Buffer overflow in the Vcl.Graphics.TPicture.Bitmap implementation in the Visual Component Library (VCL) in Embarcadero Delphi XE6 20.0.15596.9843 and C++ Builder XE6 20.0.15596.9843 allows remote attackers to execute arbitrary code via a crafted BMP file.

CVE-2014-2375
Published: 2014-09-15
Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to read or write to arbitrary files, and obtain sensitive information or cause a denial of service (disk consumption), via the CSV export feature.

CVE-2014-2376
Published: 2014-09-15
SQL injection vulnerability in Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

CVE-2014-2377
Published: 2014-09-15
Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to discover full pathnames via an application tag.

CVE-2014-3077
Published: 2014-09-15
IBM SONAS and System Storage Storwize V7000 Unified (aka V7000U) 1.3.x and 1.4.x before 1.4.3.4 store the chkauth password in the audit log, which allows local users to obtain sensitive information by reading this log file.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
CISO Insider: An Interview with James Christiansen, Vice President, Information Risk Management, Office of the CISO, Accuvant