Some shoppers at a supermarket in Los Gatos, Calif., got more than they bargained for in the past week: Over 100 have become victims of identity theft after the debit- and credit-card reader at the checkout was rigged to siphon off their debit- and credit-card information.
"What we have here is more than one person -- they've been able to get in there (Lunardi's) and switch out the ATM card reader," said Los Gatos-Monte Sereno police Sgt. Tam McCarty in an article in the San Jose Mercury News. "Once they've done that, they can read the card and PIN numbers and either make a temporary card or sell the numbers over the phone."
It’s unclear so far whether the scam was perpetrated by an outside criminal or was an inside job. The Lunardi’s supermarket has since replaced its old ATM card readers with new ones that lock to prevent tampering.
Scanner tampering has long been a subject of concern for security researchers, who have demonstrated the ease of ATM machine hacks, as well as of smart card scanners for physical security.
The stolen card account incident at Lunardi’s follows a similar one in Los Altos in March at an Arco gas station’s payment machine.
Rob Enderle, president of Enderle Consulting, says this is yet another type of card-scanning scam. “It speaks strongly for the need for strong multifactor authentication over anything dealing with confidential data, particularly financial data“Attacks like this are likely to spread ,and it is relatively easy to search on the Web and find the parts you need to build one of these things," Enderle says. "I’ll bet there are sites in Eastern Europe where you can order the entire solution custom designed for the attack a criminal wants to make."