Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


09:55 AM
Connect Directly

Supermarket ATM/Card Reader Rigged With Illicit Scanner

Shoppers' credit card, debit card information stolen and used in identity theft scheme in California

Some shoppers at a supermarket in Los Gatos, Calif., got more than they bargained for in the past week: Over 100 have become victims of identity theft after the debit- and credit-card reader at the checkout was rigged to siphon off their debit- and credit-card information.

The perpetrators used the card information and PIN numbers to churn out cloned cards, which then were used to withdraw cash from the victims’ accounts and to incur fraudulent charges on their credit cards. The customers of the Lunardi’s grocery store in Los Gatos have been reporting cases of identity theft to authorities since last Sunday evening, and reportedly have been losing an average of $1,000 from their bank accounts, according to a published report .

"What we have here is more than one person -- they've been able to get in there (Lunardi's) and switch out the ATM card reader," said Los Gatos-Monte Sereno police Sgt. Tam McCarty in an article in the San Jose Mercury News. "Once they've done that, they can read the card and PIN numbers and either make a temporary card or sell the numbers over the phone."

It’s unclear so far whether the scam was perpetrated by an outside criminal or was an inside job. The Lunardi’s supermarket has since replaced its old ATM card readers with new ones that lock to prevent tampering.

Scanner tampering has long been a subject of concern for security researchers, who have demonstrated the ease of ATM machine hacks, as well as of smart card scanners for physical security.

The stolen card account incident at Lunardi’s follows a similar one in Los Altos in March at an Arco gas station’s payment machine.

Rob Enderle, president of Enderle Consulting, says this is yet another type of card-scanning scam. “It speaks strongly for the need for strong multifactor authentication over anything dealing with confidential data, particularly financial data."

“Attacks like this are likely to spread ,and it is relatively easy to search on the Web and find the parts you need to build one of these things," Enderle says. "I’ll bet there are sites in Eastern Europe where you can order the entire solution custom designed for the attack a criminal wants to make.”

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-04-07
FasterXML jackson-databind 2.x before mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).
PUBLISHED: 2020-04-07
FasterXML jackson-databind 2.x before mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly).
PUBLISHED: 2020-04-07
An XSS vulnerability in the WP Lead Plus X plugin through 0.98 for WordPress allows remote attackers to upload page templates containing arbitrary JavaScript via the c37_wpl_import_template admin-post action (which will execute in an administrator's browser if the template is used to create a page).
PUBLISHED: 2020-04-07
An improper neutralization of input vulnerability in the dashboard of FortiADC may allow an authenticated attacker to perform a cross site scripting attack (XSS) via the name parameter.
PUBLISHED: 2020-04-07
An improper authorization vulnerability in FortiADC may allow a remote authenticated user with low privileges to perform certain actions such as rebooting the system.