Card skimming at Lunardi's Supermarket

Tue, 06 May 2008 08:25:33 +0000

Technorati Tag: Security Breach

Date Reported:
4/29/08

Organization:
Lunardi's

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
Unknown

Types of Data:
"bank card numbers and personal identification codes"*

*bank cards include credit cards and debit cards

Breach Description:
"About 150 people who used their bank debit cards at a Lunardi's Supermarket in Los Gatos have become victims of an identity theft scam. And that number is expected to grow, Los Gatos police Capt. Dave Gravel said."

Reference URL:
KPIX TV Channel 5
The Mercury News
The Mercury News (update)

Report Credit:
KPIX TV Channel 5

Response:
From the online sources cited above:

An ATM and credit card reader in a checkout aisle at the Los Gatos Lunardi's supermarket was recently switched, resulting in more than two dozen reported cases of identity theft, a Los Gatos/Monte Sereno Police Department spokesman said today.
[Evan] The number "two dozen" was used in the original report on April 29th.

About 150 people who used their bank debit cards at a Lunardi's Supermarket in Los Gatos have become victims of an identity theft scam.
[Evan] By the time of the May 2nd story, the number of reported cases grew to about 150.

And that number is expected to grow, Los Gatos police Capt. Dave Gravel said.

Police received the first reports from victims who said their credit or debit cards had been used fraudulently on Sunday night and additional victim reports continued on Monday and today, according to police spokesman Tam McCarty.

Police believe the victims all had their card numbers stolen at the Los Gatos Lunardi's, 720 Blossom Hill Road, after officials from Lunardi's contacted them about a problem with one of their card readers.

"It was a switched card reader at one of the aisles,'' McCarty said.

"What we have here is more than one person - they've been able to get in there (Lunardi's) and switch out the ATM card reader," said Los Gatos-Monte Sereno police Sgt. Tam McCarty. "Once they've done that they can read the card and PIN numbers and either make a temporary card or sell the numbers over the phone."
[Evan] Completely switch out the card reader? I have never been to the store so I don't know the layout, but how does a person switch out a card reader during business hours without anyone noticing? It seems very risky to make the switch during business hours. I suppose that a thief could pose as a repair or other support person that wouldn't look suspect. Was the switch done while the store was closed? If so, this seems to imply an insider. Just thoughts, I am sure that the investigators have already thought through these questions.

The thieves then transferred that bank information onto cloned cards - any card with a magnetic stripe can be used - and made cash withdrawals from ATMs in Southern California.
[Evan] Search Google for "Credit Card Encoder" and take your pick of various credit/debit card magnetic stripe readers/writers. Extreme Media has information on "Credit Card Hacking, ATM Hacking, Debit Card Hacking and more. From Identity Fraud to Off Shore Banking we have you covered." I have never used or read any of their wares, so I don't know how reliable it is. The point I am trying to make is that committing fraud with compromised credit/debit card information is easy and there are plenty of people willing to help the bad guys.

police are still trying to determine how much money was stolen.

Recent shoppers of the Los Gatos Lunardi's should check the status of their bank or credit card accounts for charges they did not make, according to police.
[Evan] If I were a customer of Lunardi's, I would contact my bank and close my credit/debit card account and open a new one (with new numbers).

Through an attorney, the Lunardi family, which owns the upscale grocery chain, also declined to discuss specifics about the technology used.

In a statement, the owners said the chain "in no way wants to compromise the ongoing investigation by law enforcement authorities or to reveal details of our security measures which could counteract their effectiveness."

George Silvestri, an attorney for Lunardi's, said the chain has replaced the payment devices at all seven of its Bay Area locations with machines that are locked onto the checkout stands.

Lunardi's employees with access to these devices have been trained in security procedures recommended by law enforcement and banking authorities.

Anyone who finds fraudulent charges on an account should contact the local police department or the Los Gatos/Monte Sereno Police Department at (408) 354-8600.

The thefts at Lunardi's in Los Gatos comes about three weeks after police uncovered a similar scam at an Arco AM/PM in Los Altos.
[Evan] I missed this specific breach, but I did report an ARCO "skimming" related breach in December, 2007. The December breach occurred at the El Monte station.

Commentary:
Card skimming is nothing new, but the methods have been refined and the technology has gotten better. The devices used by the criminals used to be pretty easy to identify, but now some of the devices are so small and well made that it can be difficult to notice, even to a trained eye.

A video or two might be helpful to readers (good information, but nothing earth shattering)

An NBC 10 News report:

From the UK, "The Real Hustle - ATM Scam"

Past Breaches:
Unknown

ARCO gas pumps targeted by fraudsters

Thu, 27 Dec 2007 10:58:30 +0000

Technorati Tag: Security Breach

Date Reported:
12/12/07

Organization:
ARCO

Contractor/Consultant/Branch:
Station located at 4378 N. Santa Anita Avenue, El Monte, California*

*There are 135 ARCO gas stations within a 10 mile radius

Victims:
ARCO Customers

Number Affected:
As many as 100

Types of Data:
Debit card magnetic stripe data and PINs (Personal Identification Numbers).

Breach Description:
It appears as though a group of thieves has installed an unknown electronic data capture device on one or more gas pumps at one or more ARCO gas stations for the purpose of stealing customers' money. Monetary losses have already surpassed $30,000, with unauthorized withdrawls taking place all across the U.S.

Reference URL:
KNBC-TV News Story
KCAL 9 News Story
Whittier Daily News Story

Report Credit:
KNBC-TV

Response:
From the online sources cited above:

Law enforcement authorities are searching for whoever skimmed debit card information from at least 45 customers at an Arco station in El Monte

The suspects made off with thousands of dollars from unsuspecting customers. A computerized device apparently was used to lift key information, including debit card identification numbers, concealed in the card's magnetic strip
[Evan] It never ceases to amaze me how clever thieves are. I would love to see the device that was used, how they installed it, how they concealed it, and how they stored the information that they captured. This isn't just some "run-of-the-mill" street thug.

Fraudulent withdrawals, ranging from $400 to $1,500 per customer, were made in Las Vegas, Palms Springs and New York, police said. Investigator Victor Hernandez told the San Gabriel Valley Tribune there could be as many as 100 victims.

The reported monetary losses had also jumped from $10,000 to $30,000 - and Glick said that number could reach $100,000 once all of the cases are investigated.

No illegal devices have been found at the gas station, but authorities say the fact that all the victims have used their cards there is more than a "coincidence."

investigators believe an advanced computer device was used to capture information from cards' electronic strips and personal identification numbers (PIN).

a group of people are likely behind this debit-card scam because withdrawals are being made simultaneously in locations hundreds, sometimes thousands, of miles away from one another.
[Evan] Maybe. I wouldn't base this assumption solely on where the information was used, per se. There is a thriving market in fresh stolen credit/debit card data. The compromised information could have been stolen months ago, then recently sold on one of many "carders" forums.

"There seems to be more ARCO gas stations than other gas stations targeted," Glick said. "It's possible a specific group or groups are working these pumps."
[Evan] Incidents like this breach could/should force gas stations and other unattended payment merchants to rethink how they secure their terminals. The convenience is great, but security of the information is more important.

ARCO officials said the company only accepts debit cards because banks impose higher fees for credit transactions.

"ARCO considers the safety and security of every customer a top priority," said Todd Spitler, a spokesman for the company. "But there are other businesses throughout California, not only us, that only accept debit cards."

The company often updates its technology to thwart criminal activity, and any time their pumps are compromised, ARCO officials work with law enforcement agencies, Spitler said. But identity theft is a global issue, he said.
[Evan] This isn't identity theft, this is credit card fraud.

Victim Response:
From El Monte resident Douglas Trujillo, a victim of $1,100:
"I do online banking and I looked at my account and I noticed my checking account at zero dollars," he said. "That set alarms off for me."

"I'm actually going to change my whole process," Trujillo said. "Now that I've seen how easy (thieves) can do this, I'm just going to stick to using cash and secure ATMs."

Commentary:
This is a very unfortunate, but at the same time interesting breach. I would love to know more about how the ARCO gas pumps are secured and how they transmit data. I would also love to know more about how the data was actually compromised. I have to admit, this breach makes me think more about paying at the pump. I expect to read about similar breaches in the future. Sad but true.

Past Breaches:
Unknown

[SecurityRatty] tag: arco

Card skimming at Lunardi's Supermarket

ARCO gas pumps targeted by fraudsters