Fake Credit Card Reader Found At California Grocery Store Linked To Thefts

A small California grocery store chain and its customers have fallen prey to some tech-savvy ID thieves, says KPIX in San Francisco. A card reader was secretly replaced with a unit that skimmed card numbers at the Los Gatos Lunardi’s — an increasingly common scam that targets stores and gas stations where customers can swipe their own credit cards. The theft was discovered when the grocery store called to report that one of their readers had been switched. Now reports of drained bank accounts and fraudulent charges are pouring in to local police departments.

“It was a switched card reader at one of the aisles,” McCarty said.
Recent shoppers of the Los Gatos Lunardi’s should check the status of their bank or credit card accounts for charges they did not make, according to police.

“Specifically look for charges in the Southern California area, Pasadena, Huntington; that’s where most of them seem to be,” McCarty said.

If you suspect that these scammers got a hold of your info, you can report the incident to the Los Gatos/Monte Sereno Police Department at (408) 354-8600.

Los Gatos Supermarket Target Of Identity Theft [CBS5] (Thanks, Paul!)

Comments

  1. EyeHeartPie says:

    I guess I’ll be handing my card over to the cashier to swipe while paying for my groceries from now on.

  2. Umisaurus says:

    This is scary business. Man, carrying only cash is sounding more and more attractive every day.

  3. Hanke says:

    @EyeHeartPie: In a lot of places, they’ll swipe it in the same reader.

  4. Buran says:

    Seems to me like something like this would have to be an inside job considering the nature of the skimmer…

  5. EyeHeartPie says:

    @Hanke:
    But don’t you know? They have the magic swiping powers that block identity thieves from stealing your info. Or maybe the cashiers ARE the identity thieves…

    I can never get it straight.

  6. I wish we had a better picture of the card machine.

  7. RookOmega says:

    Ouch – now you have to worry about the whole reader?

    It was simple enough to look for the “add on” swiper, but how do you verify the whole reader?

  8. B says:

    How did the thieves manage to replace the reader in the first place? You’d think somebody would have noticed it. Maybe they broke in at night, but wouldn’t the store be alarmed?

  9. whatdoyoucare says:

    Is that a picture of the actual skimmer? If it is it would be incredibly hard to spot unlike the one reported here a few weeks ago that got placed alongside a McD’s Redbox. Mean people suck.

  10. EyeHeartPie says:

    @B:
    Not all lanes are open all the time. It would be easy to pretend you were looking at some magazines and, sheltered from prying eyes by the aisle walls, replace the reader.

  11. Traveshamockery says:

    This problem is only going to get more common.

  12. laserjobs says:

    It costs all of $10 to make a credit card copying device. Now with RFID it could be even easier.

  13. esd2020 says:

    So how does the thief retrieve the skimmed numbers? There a USB drive in that thing?

  14. BigBoat says:

    What I’m confused on is, if the whole machine is a fake, how the store gets the customer’s money? They actually set up the fake machine to connect with the store’s servers?

  15. azntg says:

    @esd2020: Since I don’t deal with credit card readers, I don’t know the specifics. But I do know that if data goes from Point A to Point B, it can be intercepted midway.

    My speculation is that on a card reader like that, it has some kind of internal memory (doesn’t have to be a USB drive) that stores the card number and a validation/security code that is present only on the magnetic stripe (the CVV is the analogous number if you order online/etc.)

  16. mozillauser says:

    This problem will not be fixed until we stop treating a card number + pin as both account number and unencrypted password. In theory, we should use a system where the consumer provides the hardware (through a smartcard or similar) that creates a one-way hash of the authorization details of the transaction. Otherwise, we will always be dependent on merchants securing their devices and thus be susceptible to this sort of attack.

    One can only imagine the difficulty of switching implementations though…
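The idea in the comment above, as an added example that is not part of the original post or its comments: customer-held hardware authenticates the details of each transaction, so a swapped reader records only a message that cannot be reused. A keyed HMAC with a per-card counter stands in for the "one-way hash" the comment mentions; the key, account and merchant names are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo key. In this sketch it exists only in the customer's
# hardware and at the issuer, never in the merchant's reader.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

def _message(account, merchant, amount_cents, counter):
    # Unambiguous encoding of the transaction details being authenticated.
    return json.dumps([account, merchant, amount_cents, counter]).encode()

class Card:
    def __init__(self, account, key):
        self.account, self._key, self.counter = account, key, 0

    def authorize(self, merchant, amount_cents):
        self.counter += 1  # every authorization uses a fresh counter value
        msg = _message(self.account, merchant, amount_cents, self.counter)
        tag = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        return {"account": self.account, "merchant": merchant,
                "amount_cents": amount_cents, "counter": self.counter, "tag": tag}

class Issuer:
    def __init__(self, keys):
        self.keys, self.last_counter = keys, {}

    def verify(self, auth):
        key = self.keys.get(auth["account"])
        if key is None:
            return False
        msg = _message(auth["account"], auth["merchant"], auth["amount_cents"], auth["counter"])
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, auth["tag"]):
            return False  # details altered, or tag produced without the key
        if auth["counter"] <= self.last_counter.get(auth["account"], 0):
            return False  # counter already spent: a resent recording
        self.last_counter[auth["account"]] = auth["counter"]
        return True

def demo():
    issuer = Issuer({"ACCT-0001": CARD_KEY})
    card = Card("ACCT-0001", CARD_KEY)
    auth = card.authorize("GROCERY-17", 4250)
    genuine = issuer.verify(auth)        # the real purchase
    resent = issuer.verify(dict(auth))   # the same message submitted again
    altered = issuer.verify({**card.authorize("GROCERY-17", 4250), "amount_cents": 70000})
    return genuine, resent, altered
```

`demo()` returns `(True, False, False)`: the purchase is accepted once, and both the resent copy and the copy with a changed amount are refused because the reader never held the key.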

  17. QrazyQat says:

    You just take your card reader down to the store, probably with an accomplice to distract people, yank out the store’s reader and put in yours. We had this happen recently here, and here’s the CBC story on it. Excerpts:

    Price said a group of thieves usually enter a store and while some distract the clerk, others switch the store’s PIN pad with one they have modified.

    Saanich police Const. Brad Brajcich says scam artists usually switch the PIN pad in a store and wait for customers to start using the counterfeit one.


    “The consumer still does the true interaction with the PIN pad, however, there is a remote chip that allows someone off-site to gather the personal information of the consumer,” said Const. Brad Brajcich of the Saanich police.

    The thieves then used their computers to download the magnetic code and PIN number of every customer who has used that Interac machine, transfer them to bogus debit cards and steal the money, Prince said.

  18. johnva says:

    @azntg:

    It can’t be intercepted midway if it uses encryption, which it’s supposed to nowadays, unless the key is also compromised. The greater threat, as this shows, is a compromised card reader or a compromised database that stores the numbers in the clear.

    Some of these card readers use the Internet and SSL to transmit transactions to the processing company, and can run custom software. Very similar to using a “secure” website. If the card terminal is compromised, they could simply have software on it that sends the numbers to a third-party computer in addition to actually performing the transaction normally. So if it’s that type of reader I can easily see how this might work. No internal storage necessary.

  19. FattyMatty says:

    I was actually going to send this story in…my mother shops at that store, and just this last weekend was called by Bank Of America telling her that $700 dollars had been withdrawn in the Los Angeles area, where my mother has not been in some time. Luckily B of A noticed, however they are only “temporarily” returning the money pending an investigation…and we all know how B of A likes that…

  20. FLEB says:

    @azntg: IIRC, there’s nothing on the stripe that’s not present on the face of the card. It’s just the card number, expiration, and the cardholder’s name. The CVV isn’t on the stripe, either– it’s only used in transactions when the physical card isn’t available. The CVV replaces physical inspection and signature for things like online or catalog orders as proof of ownership.

    That said, if you copy everything on the card, you have… well… a cloned card. You can’t use it for online or catalog orders without the CVV, but you can use it in plenty of “swipe” situations– most importantly, in self-serve swiping like Pay at the Pump where no signature is needed and no ID verification is done.

  21. mk says:

    @FLEB: don’t most pay at the pump require zip code? they do in Chicago.

  22. Buran says:

    @melking1972: I’ve only seen that once or twice in the St. Louis area.

  23. AstroPig7 says:

    @melking1972: That’s normally easy to guess. Guessing either the ZIP code in which the cards were stolen or one of the surrounding ZIP codes will probably net a 90% success rate.

  24. midwestkel says:

    What I want to know is:

    1) How did they swap the reader
    2) Did people not think it was strange when they swiped their card and it did not take
    3) How did the thieves retrieve the card numbers?

    That’s a pretty elaborate crime. Especially if it’s not an inside job.

  25. johnva says:

    @melking1972: I’ve NEVER used a pay at the pump machine that required me to enter a zip code. Even if they did, that’s not much of a security measure.

  26. BlackestRose says:

    I live in LG and heard the following through the grapevine so take the info with the appropriate grain of salt.

    The thieves arrived late Friday afternoon and claimed to be from an IT company called for an emergency fix on the reader. They replaced the scanner and the thefts began Saturday.

    So far 25 people have reported money taken.

  27. This is why I tell my family to dump their debit cards and use credit. That way it’s not your money that’s gone.

  28. tripnman says:

    @BlackestRose:

    Goes to reinforce the theory that as long as you look like you know what you are doing, you can get away with anything. I often walk right past the security desks at office buildings and am never stopped – why? Because I look like someone that doesn’t need to be stopped.

    Someday I’ll put on a coverall jumpsuit with a name on the breast pocket, grab a clipboard, walk into an office and walk out with a filing cabinet – as long as I ask them to sign for it, no one will ask questions. Fun times!

  29. mennomateo says:

    This is nothing new to us Canadians who have had debit cards for years, the problem is that the hacked debit machines store your Card Number and your PIN on a memory chip placed inside of a hacked machine, they look exactly the same. The due diligence falls on the vendor who needs to watch for PIN pad swapping. This can be prevented with bolting PIN pads to the cashier desk. Please don’t be fooled into thinking if you swipe your card your information is safe. The problem is there is no identity fraud protection with debit transactions.

  30. Coles_Law says:

    One has to wonder at the store’s liability here. This isn’t some unit outside their store-somebody actually swapped one of their scanners in store. Either it’s an inside job or somebody was asleep at the switch.

  31. hamsangwich says:

    Wow, thanks consumerist! This is the first story that affected my family personally! My parents live in Los Gatos and shop there. I’ve notified them. They are a little exhausted as they just replaced all their bank cards/credit cards after someone stole my Mom’s purse. They are just thrilled with this news….

  32. HalOfBorg says:

    I’d have to imagine:

    They could have broken it themselves so the service call was expected. Drop of superglue on their card to coat the reader head.

    The crooks had to get the info they needed to let their machine complete the transaction. So…maybe a plug-in device, let them read the data, program the ‘new’ machine, which would all look very legit I bet, then install it.

    Later on, you just walk by and the RFID they have in new machine dumps its data to them.

    Now a trip to the local ATM, which conveniently had its camera covered recently by some kid for $20.

  33. Wait a sec. When the customer swipes his card through a fake reader, isn’t he or the retailer going to smell something fishy when the total amount due fails to flash on the screen? What about the receipt?

  34. Cliff_Donner says:

    @FattyMatty

    Particularly if BoA has only “temporarily” returned your mom’s money, maybe she should be withdrawing the full balance immediately and attempting to close her account?

  35. BlackFlag55 says:

    Reminds me of the retail store (major retailer) who had a serious in-store theft problem going on and couldn’t figure it out … until one day the chain’s architect happened to shop that store, unaware of the theft problem, and stopped after his purchase and stared at the check out line up for many minutes … many minutes … until it hit him what his mind was balking at subliminally … the store floor plan called for twelve check out lanes and there were thirteen. Took him awhile to reconcile the cognitive dissonance between what he was seeing and what his brain was reporting but there it was, thirteen checkout lanes.

    The store manager had installed his own check out counter. And that was the lane all the pilfered merchandise was leaving the store through.

    Ingenious and once again proving that the majority of retail crime happens from inside, or, Quis custodiet ipsos custodes? Who guards the guardians?

  36. ShadowFalls says:

    I think it is pretty clear here. Someone who works there clearly did the job. The obvious factor is to review security footage. These aisles should be all monitored, you can see the person then.

    If this was done when closed, it really reduces the number of people who could have done it.

  37. redkamel says:

    the only skimmers I have seen on the internet are add-ons to regular readers (and look really obvious, at least to me). If they are swapping the WHOLE SCANNER it has to be an inside job! how would someone not notice it? twice including pick up!

  38. johnva says:

    @corporateamericabites: Like I said, it’s probably a real reader with functional custom software. Many of the “terminal”-style credit card readers can run custom software, so that they can more easily be integrated into an existing store computer system. It’s possible that the terminal was still performing the transactions normally, but just recording/stealing the credit card numbers at the same time.

  39. QrazyQat says:

    1) How did they swap the reader
    2) Did people not think it was strange when they swiped their card and it did not take
    3) How did the thieves retrieve the card numbers?

    The CBC story I posted a link to tells how they did this. First, you have someone distract others while another person swaps the card swiper; for skilled pickpocket-type thieves this isn’t difficult. I’ll bet any decent professional magician could do it even by him or herself even with a cashier there; a long coat, ask them to get you a pack of cigs (typically requiring them to turn around and get them in Canada) or even just draping a section of the coat over the reader while the cashier is ringing things up.

    The reader is plugged into the store’s system so it works normally, with the exception of recording the card numbers and pins.

    Later the thieves get the numbers via wireless connection built in to the fake reader.

    I think it is pretty clear here. Someone who works there clearly did the job.

    No. It could be, but it wasn’t in the case here.

  40. jhuang says:

    Whoa.. the Lunardi’s in my city closed a couple months ago, due to lack of sales, I think. I wonder if any of this was going on…

  41. Bhp9mm says:

    @esd2020: You can retrieve the numbers in various ways. If the terminal is hooked up to the internet for processing, then it can just as easily be sending them to another location: ftp site, email address, etc. If it is hooked up to a phone line it can dial out to another location. Some legitimate terminals have cellular links. If these were advanced hackers that put this together let’s not overlook an onboard wi-fi connection or a bluetooth connection.

    @BigBoat: The store probably didn’t get the money. The store’s servers don’t do the credit card processing, that is done by the processor, then the store’s accounts get credited the amounts. A grocery store is doing thousands of credit/debit transactions in a day, if they weren’t being credited for one checkout lane worth of transactions they may not have noticed right away.

    @azntg: Credit card terminals have a good amount of memory onboard. They store the credit card number, expiration, transaction number, amount, approval codes, date, and customer information for all the transactions that go through them in a shift.

    @FLEB: The customer’s billing address is also on the magnetic stripe, and that is precisely why pay-at-the-pump machines ask for a zipcode. It’s one more form of verification.

    @corporateamericabites: Not all stores have point of sale systems that are interconnected. The clerk could assume that the transaction went through and give the customer a receipt or the terminal could have spit out a declined message, or it could have had a printer attached. It’s been my experience that grocery store clerks don’t spend too much time thinking about these things.

    My hat’s off to this crew, at least you have to admire their quality of work. Not that slap dash crap we become used to hearing about on the news.