Supermarket ATM/Card Reader Rigged With Illicit ScannerSupermarket ATM/Card Reader Rigged With Illicit Scanner
Shoppers' credit card, debit card information stolen and used in identity theft scheme in California
Some shoppers at a supermarket in Los Gatos, Calif., got more than they bargained for in the past week: Over 100 have become victims of identity theft after the debit- and credit-card reader at the checkout was rigged to siphon off their debit- and credit-card information.
The perpetrators used the card information and PIN numbers to churn out cloned cards, which then were used to withdraw cash from the victims’ accounts and to incur fraudulent charges on their credit cards. The customers of the Lunardi’s grocery store in Los Gatos have been reporting cases of identity theft to authorities since last Sunday evening, and reportedly have been losing an average of $1,000 from their bank accounts, according to a published report .
"What we have here is more than one person -- they've been able to get in there (Lunardi's) and switch out the ATM card reader," said Los Gatos-Monte Sereno police Sgt. Tam McCarty in an article in the San Jose Mercury News. "Once they've done that, they can read the card and PIN numbers and either make a temporary card or sell the numbers over the phone."
It’s unclear so far whether the scam was perpetrated by an outside criminal or was an inside job. The Lunardi’s supermarket has since replaced its old ATM card readers with new ones that lock to prevent tampering.
Scanner tampering has long been a subject of concern for security researchers, who have demonstrated the ease of ATM machine hacks, as well as of smart card scanners for physical security.
The stolen card account incident at Lunardi’s follows a similar one in Los Altos in March at an Arco gas station’s payment machine.
Rob Enderle, president of Enderle Consulting, says this is yet another type of card-scanning scam. “It speaks strongly for the need for strong multifactor authentication over anything dealing with confidential data, particularly financial data."
“Attacks like this are likely to spread ,and it is relatively easy to search on the Web and find the parts you need to build one of these things," Enderle says. "I’ll bet there are sites in Eastern Europe where you can order the entire solution custom designed for the attack a criminal wants to make.”
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.
About the Author(s)
You May Also Like
Reducing Cyber Risk in Enterprise Email Systems: It's Not Just Spam and PhishingNov 01, 2023
SecOps & DevSecOps in the CloudNov 06, 2023
What's In Your Cloud?Nov 30, 2023
Everything You Need to Know About DNS AttacksNov 30, 2023
How to Deploy Zero Trust for Remote Workforce Security
What Ransomware Groups Look for in Enterprise Victims
How to Use Threat Intelligence to Mitigate Third-Party Risk
Concerns Mount Over Ransomware, Zero-Day Bugs, and AI-Enabled Malware
Securing the Remote Worker: How to Mitigate Off-Site Cyberattacks