back to article Sneaky skimmer scam stings several Safeway supermarkets

US grocery chain Safeway has confirmed that registers at several stores in California and Colorado had somehow been fitted with "skimmer" hardware to collect payment card information. According to a report from Krebs on Security citing investigators involved with the case, registers at two stores in northern California and …

  1. Ian Michael Gumby
    Boffin

    Safeway is now on the hook.

    Since Oct, the stores were supposed to have the chip reader installed. Many / Most stores have yet to make the change, so that until they do, if there is any theft or fraud, the stores are liable.

    Its amazing that they haven't taken the move seriously and customers should look towards switching grocers.

    1. Mike Manes

      Re: Safeway is now on the hook.

      Not all card providers in the US have adopted chip cards yet. I know that mine hasn't. So retailers must still scan the mag strip if they wish to make sales. The stores that I frequent have installed chip readers integrated with the mag strip POS readers.

      1. Ian Michael Gumby
        Boffin

        @Mike Re: Safeway is now on the hook.

        The card companies (VISA, MC and AMEX) have all put chips in their cards and had mandated that by Oct 1, stores would have to have chip readers installed. The US companies balked at Chip and Pin and only agreed to Chip and Sign.

        What I posted is a fact, yet down voted.

        The card issuers (banks) delayed the inevitable and yes, while not complete, its the stores that have not yet turned on or implemented chip readers in their stores. That's the real issue.

        Even in Europe today, the POS stations and hand held units all have both mag readers and chip readers.

        After the Target breach... its a no brainer that we should have chip cards in the US.

  2. a_yank_lurker Silver badge

    How was it installed?

    How did anyone install a skimmer in grocery store? It sounds like the staff was asleep or it is an inside job. To install a skimmer requires physical access to the POS.

    1. Mike Manes

      Re: How was it installed?

      Any self-checkout, e.g. petrol stations, and even many regular stores provide POS card readers where the customer is expected to swipe the mag strip card.

    2. Michael Thibault

      Re: How was it installed?

      Here's a primer. Check the August 2014 article.

      It looks like the major impediment to successful skimming is the reluctance of the criminals to lay out the necessary capital up front for a design that is compact, authentic in appearance, and easily manufactured. I expect that just over the horizon lies an armada of such things--indistinguishable from the real deal, easy to install, and difficult to detect... When that sails into view, things will get very interesting.

    3. Anonymous Coward
      Anonymous Coward

      Re: How was it installed?

      To install a skimmer requires physical access to the POS.

      No big deal - done well it won't take more than a few moments. Even when there's staff around, if somebody looks authentic and purposeful the chances of being questioned are slim. Could be a bribed employee. A crim in a stolen store uniform. Or looking and acting like an EPOS service technician. In fact, easiest would be one of the crims taking a temporary job at the store as an employee, or as part of the often subcontracted cleaning. Particularly if you're part of the cleaning team then there's a good chance of largely unsupervised access outside of normal working hours. Then again, could be an employee for an EPOS company...

      And those suggestions have taken a whole ten seconds of thought to come up with.

    4. TimeMaster T

      Re: How was it installed?

      Most places would have a third party contractor handling the maintenance of their POS systems. Probably the skimmers were installed by someone from outside Safeway.

  3. Anonymous Coward
    Anonymous Coward

    "We immediately followed the proper protocol..."

    "We immediately followed the proper protocol of contacting law enforcement and the banks that service the few cards that were used on those pin pads."

    But for months we failed to check our own equipment...

    1. TimeMaster T
      Megaphone

      Re: "We immediately followed the proper protocol..."

      They probably found the skimmers when one of the POS card readers that had one installed failed and the tech from the outside contractor that actually does the install/maintenance of the POS system spotted it.

      I've worked for a company providing POS systems for restaurants/grocery stores and 99% of the people using them wouldn't know a mag reader from a keypad.

  4. KLane
    FAIL

    Likely quite easy to infect them...

    At some of the grocery store checkouts I've used, the backs of the PC used for the POS terminal is quite often accessible/visible, and it would be very easy to plug a cheap USB flash in the back. If the autoplay is still enabled (assuming windows), quite likely it's game over!

  5. John Geek

    more and more POS systems I'm seeing locally are tablet based, android or ipads, the formerly ubiquitous PC is becoming history.

    I really wonder about the security of them, most are using wifi which isn't very secure in the first place.

  6. Anonymous Coward
    Anonymous Coward

    Massive outbreak of skimmers in U.S.

    Authorities have noticed a massive outbreak of credit card skimmers in the U.S. in the past 6 months. This is probably due to the hardware being available online for ~$100. Crims are opening up gas station fuel pumps at night and inserting the skimmers which can record and or transmit the stolen C/C data. The skimmers can be removed after a few days and no one is the wiser. It's also happening at convenience store ATMs. This is a huge problem for consumers and authorities and it's only going to get worse.

    1. Gray
      Facepalm

      Re: Massive outbreak of skimmers in U.S.

      Which is why the Missus & I have gone Luddite and no longer use credit/debit cards for ordinary shopping. Cash remains acceptable (until DHS - NSA - CIA - IRS deem cash purchases to be subversive in that they cannot be tracked). Our only problem is resentment from POS clerks who must call a supervisor to check the bills for counterfeit, and ask for a crash course in making change.

      1. FredBloggs61

        Re: Massive outbreak of skimmers in U.S.

        "and ask for a crash course in doing basic frickin sums"

        FTFY

        I get so annoyed when a cashier is unable to do basic maths.

        Item costs = £6.87

        Give over a £10

        Realise I have a pocket of change and offer extra £1.87 to get a £5 note back

        Cashier now unable to work out what change to give, as the machine says £3.13

        Aaaaagggghhhhhhhhh

        1. Richard 12 Silver badge

          Re: Massive outbreak of skimmers in U.S.

          The "oh, I have some extra coins" thing is also a common scam.

          By bouncing a few coins around it's relatively easy to get a tired cashier to give too much change - or even the original large note back.

          So they are always told "ring it all into the till, give exactly what it says".

        2. MachDiamond Silver badge

          Re: Massive outbreak of skimmers in U.S.

          I wouldn't call it maths, I call it arithmetic.

    2. Anonymous Coward
      Anonymous Coward

      Re: Massive outbreak of skimmers in U.S.

      Crims are opening up gas station fuel pumps at night and inserting the skimmers

      I would also suspect, like in the UK, some low paid POS service people are also helping access the equipment

  7. Clive Galway

    Trash your magstrip

    If you are in a region that is in the process of moving from mag-strip to Chip+PIN, then once you are able to conduct your daily life without the magstrip, then trash the magstrip on your card!!

    All the skimmers (AFAIK) clone magstrips. Even if you insert your card into a device that uses C+P, if it has a magstrip skimmer installed, then they have magstrip + PIN, which is enough to withdraw.

    1. TeeCee Gold badge

      Re: Trash your magstrip

      I'm afraid that the Banks are the source of the problem here. If they'd just get off their fat backsides and upgrade their ATMs to C+P.....

      Card plugs in "chip end", no skimming possible at ATMs. Skimmed mag strips are unusable in ATMs. Problem solved.

  8. Nate Amsden

    don't use debit cards?

    I haven't used my ATM/debit card as a "debit" card probably since the 90s.

    I'm perfectly happy with swipe & sign. Chip processing takes too long still. I was at a checkout line at a CVS drug store two weeks ago and their system took a good 10-15 seconds before the person was even able to sign, slowed the line down a lot(both customers in front of me were complaining on the delay time), caused me to pay in cash instead. The cashier said the previous week it was even slower. Maybe it will get fast eventually but if they have had this shit in europe for years I would think the tech is already pretty mature.

    I've had pretty minimal pain from credit card fraud over the past 15 years. I've had a few cards compromised, and I've had a few transactions incorrectly declined due to aggressive anti fraud systems.

    But as a consumer(and a very happy customer of Safeway though I am not in the cities listed) am perfectly happy with the system as-is. Though it's probably been two years now since I last had to have a card replaced(due to fraud).

    A few fraud attempts against my BofA shopsafe cards but after talking with customer service they see that it is impossible to commit fraud against those cards so they turn the alert off and don't force me to get a new card. Maybe their fraud system since has been adapted to auto detect this state, last time I had an issue they said the fraud system could not tell the difference between a shop safe card and a real card.

    It's not as if chip and pin solves everything anyway, there's been many stories about how the systems have been compromised over the years. I don't intend to ever use my phone for payments either.

    But whatever.

  9. TimeMaster T
    Alert

    California Locations

    buried in an article linked to in the comments on the article linked to in the Reg's article

    "Safeway spokesman Brian Dowling said in a statement that two skimmers were discovered three months ago at their 7499 Dublin Blvd. location in Dublin and the 710 Bancroft Road location in Walnut Creek.?

    Nothing about the Colorado stores.

    Given that the affected locations was the FIRST thing I wanted to know about it is very disappointing that I had to dig that far to find anything about the affected locations. Come on people!! Where is your sense of journalistic responsibility to inform the public?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022