Sources at multiple financial institutions say they are tracking a pattern of fraud indicating that thieves have somehow compromised the credit card terminals at checkout lanes within multiple Safeway stores in California and Colorado. Safeway confirmed it is investigating skimming incidents at several stores.
Banking sources say they’ve been trying to figure out why so many customers in the Denver and Englewood areas of Colorado were seeing their debit cards drained of cash at ATMs after shopping at Safeways there. The sources compared notes and found that all of the affected customers had purchased goods from one of several specific lanes in different compromised stores (the transaction data includes a “terminal ID” which can be useful in determining which checkout lanes were compromised.
Safeway spokesperson Brian Dowling said the fraud was limited to a handful of stores, and that the company has processes and procedures in place to protect customers from fraudulent activity.
“We have an excellent track record in this area,” Dowling said. “In fact, we inspect our store’s pin pads regularly and from time to time find a skimmer, but findings have been limited and small in scale. We immediately contact law enforcement and take steps to minimize customer impact.”
Dowling said the problem of checkout skimmers is hardly limited to Safeway, and he hinted that perhaps other retailers have been hit by this same group.
“This is not unique to our company, and we understand some other retailers may have been more significantly impacted,” Dowling said, declining to elaborate.
Safeway would not name the affected locations, but bank industry sources say the fraud was traced back to Colorado locations in Arvada, Conifer, Denver, Englewood and Lakewood. In California, banks there strongly suspect Safeway locations in Castro Valley and Menlo Park may also have been hit. Those sources say ATM fraud has been linked to customers using their debit cards at those locations since early September 2015.
In order to steal card data and personal identification numbers (PINs) from Safeway customers, the thieves would have had to open up the card processing terminals at each checkout lane. Once inside, the thieves can install a device that sits between the keypad and the electronics underneath to capture and store PINs, as well as a separate apparatus that siphons account data when customers swipe their cards at the register.
Either that, or the skimmer crooks would have to secretly swap out existing card terminals at checkout lanes with pre-compromised terminals of the exact same design. In any case, skimming incidents involving checkout lanes in retail locations generally involve someone on the inside at the affected retailer.
In late 2012, bookseller Barnes & Noble disclosed that it had found modified point-of-sale devices at 60 locations nationwide. The year prior, Michaels Stores said it had replaced more than 7,200 credit card terminals from store registers nationwide, after discovering that thieves had somehow modified or replaced card machines to include technology capable of siphoning customer payment card data and PINs.
Sadly, I don’t have any skimmer photos to share from this story, but I have written about the growing sophistication of these point-of-sale skimming devices. Here’s a look at one compromised card reader, and the handiwork that went into the thieves’ craft. Descriptions and images from other skimming devices can be found in my series All About Skimmers.
The mass-issuance of chip-based credit and debit cards by U.S. banks to consumers should eventually help minimize these types of scams, but probably not for some time yet. Most cards will continue to have all of the cardholder data stored in plain text on the magnetic strip of these chip-based cards for several years to come. As long as merchants continue to let customers swipe instead of “dip,” we’ll continue to see skimmers just about everywhere swiping is still allowed.
Remember that you are not liable for fraudulent card charges, but that it’s still your responsibility to alert their card issuer quickly to any unauthorized charges. So keep a close eye on your bank statements. Also, this attack is another reminder of why it makes more sense to shop with a credit vs. a debit card: Having your checking account emptied of cash while your bank sorts out the situation can be a huge hassle and create secondary problems (bounced checks, for instance).
Update: According to reporting from the Denver Post, the Safeway incident affected three stores in Colorado. All of the affected lanes were self-checkout lanes, the publication reported.
I suppose that by using a temporary CC number, an app such as AndroidPay would be immune to these schemes.
And reading Fnarf’s comment, these same apps could be pretty effective with ATMs as well. When can we get there???
Android Pay, like Apple Wallet, uses the EMV standard that provides only a temporary cc needed to complete the transaction using the NFC which the customer has the option to use credit or debit(PIN). So, it would be immune to any attempt of skimming. I make every attempt to use AP as the switch over to chip has started on the credit card and it will transition to debit card (only new accounts will have chip) while the older ones will get the switch over in 2016.
Sad part about the switch over they still have the magnetic strip to swipe when it should be dip and PIN but in the interim they are using signature as a end around to PIN which is not secure as cashier do not check it.
Hi,
My credit card was recently compromised at the Safeway store in Dublin CA due to these skimming devices. Safeway has said that no data was breached but that is “Incorrect”. This was the only place my card could have been compromised and I have to go through so much hassle with my bank to get everything back on track.
Thanks,
Kriti
It just happened to me, my mom, and my nephew! We all shopped at the Washougal Safeway on Christmas Eve and all three of us had our atm card info stollen! I spoke with Jason Griffin from Safeway he stated it was most likely somebody stole the info from the bank. I clarified to him that we all have different banks and all shopped that same day at Safeway for Christmas Eve dinner! I told him I saw that it was going on at some other safe ways on the Internet he stated those are lies! He said he would look into to it….,yeah whatever! Great customer service there!!!