December 16, 2015

Sources at multiple financial institutions say they are tracking a pattern of fraud indicating that thieves have somehow compromised the credit card terminals at checkout lanes within multiple Safeway stores in California and Colorado. Safeway confirmed it is investigating skimming incidents at several stores.

safeway

Banking sources say they’ve been trying to figure out why so many customers in the Denver and Englewood areas of Colorado were seeing their debit cards drained of cash at ATMs after shopping at Safeways there. The sources compared notes and found that all of the affected customers had purchased goods from one of several specific lanes in different compromised stores (the transaction data includes a “terminal ID” which can be useful in determining which checkout lanes were compromised.

Safeway spokesperson Brian Dowling said the fraud was limited to a handful of stores, and that the company has processes and procedures in place to protect customers from fraudulent activity.

“We have an excellent track record in this area,” Dowling said. “In fact, we inspect our store’s pin pads regularly and from time to time find a skimmer, but findings have been limited and small in scale. We immediately contact law enforcement and take steps to minimize customer impact.”

Dowling said the problem of checkout skimmers is hardly limited to Safeway, and he hinted that perhaps other retailers have been hit by this same group.

“This is not unique to our company, and we understand some other retailers may have been more significantly impacted,” Dowling said, declining to elaborate.

Safeway would not name the affected locations, but bank industry sources say the fraud was traced back to Colorado locations in Arvada, Conifer, Denver, Englewood and Lakewood. In California, banks there strongly suspect Safeway locations in Castro Valley and Menlo Park may also have been hit. Those sources say ATM fraud has been linked to customers using their debit cards at those locations since early September 2015.

In order to steal card data and personal identification numbers (PINs) from Safeway customers, the thieves would have had to open up the card processing terminals at each checkout lane. Once inside, the thieves can install a device that sits between the keypad and the electronics underneath to capture and store PINs, as well as a separate apparatus that siphons account data when customers swipe their cards at the register.

Either that, or the skimmer crooks would have to secretly swap out existing card terminals at checkout lanes with pre-compromised terminals of the exact same design. In any case, skimming incidents involving checkout lanes in retail locations generally involve someone on the inside at the affected retailer.

In late 2012, bookseller Barnes & Noble disclosed that it had found modified point-of-sale devices at 60 locations nationwide. The year prior, Michaels Stores said it had replaced more than 7,200 credit card terminals from store registers nationwide, after discovering that thieves had somehow modified or replaced card machines to include technology capable of siphoning customer payment card data and PINs.

Sadly, I don’t have any skimmer photos to share from this story, but I have written about the growing sophistication of these point-of-sale skimming devices. Here’s a look at one compromised card reader, and the handiwork that went into the thieves’ craft. Descriptions and images from other skimming devices can be found in my series All About Skimmers.

The mass-issuance of chip-based credit and debit cards by U.S. banks to consumers should eventually help minimize these types of scams, but probably not for some time yet. Most cards will continue to have all of the cardholder data stored in plain text on the magnetic strip of these chip-based cards for several years to come. As long as merchants continue to let customers swipe instead of “dip,” we’ll continue to see skimmers just about everywhere swiping is still allowed.

Remember that you are not liable for fraudulent card charges, but that it’s still your responsibility to alert their card issuer quickly to any unauthorized charges. So keep a close eye on your bank statements. Also, this attack is another reminder of why it makes more sense to shop with a credit vs. a debit card: Having your checking account emptied of cash while your bank sorts out the situation can be a huge hassle and create secondary problems (bounced checks, for instance).

Update: According to reporting from the Denver Post, the Safeway incident affected three stores in Colorado. All of the affected lanes were self-checkout lanes, the publication reported.


79 thoughts on “Skimmers Found at Some Calif., Colo. Safeways

    1. Rob

      I’m sure they will. Most other retailers (like Micheals, Schnucks, B&N, e.g.) have done that once they’re satisfied they’ve found and removed all the devices. They’ve got no motivation to aid the thieves by failing to give out this info so customers of the affected stores and go over their statements extra carefully.

    2. m

      My card was used at Castro Valley Safeway (even though it was in my wallet). So does that mean they have a skimmer there, or that it was skimmed elsewhere? I usually shop in SF or in Pleasant Hill.

  1. Matthew Johnson

    How are the thieves getting physical access to install the skimming devices? Don’t employees pay any attention?

    1. Jonathan Jaffe

      If it is a physical insert (vs a remote hack) the device needs to be installed. That could happen BEFORE the device makes it to Safeway at all, or before it is placed in service.

      Jonathan @NC3mobi

      1. W Sanders

        The Safeway where I shop is open 24 hr but in the middle of the night it’s a hive of activity everywhere but the checkout lanes, with vendors restocking shelves and a lot of the time no one at the front of the store. The doors are unlocked only at one end of the store to mitigate teenagers running out with stolen vodka, so one end of the checkout lanes is a ghost town.

        Also, Safeway’s chip readers aren’t yet activated in my area. But that’s going to work real soon.

    2. Roboticus

      RE: ” Don’t employees pay any attention?”
      Having been a manager for a large corporate retailer, employees never know what corporate is doing. It would be a very easy social engineering attack to pretend to be sent by the corporate office to do an “upgrade”. There is often not a well known point of contact for certain areas like IT at the store level, and anything that “wastes time” reflects negatively on the employee/management.

      1. Peter

        +1 to this.
        Having worked retail myself, employees all too often do not find out about changes until after they had happened.
        Very easy social engineering attack.

      2. Joe

        I use to do contact field tech work and would visit many Targets. Like most big box places all you need is your tool bag and something that looks like a work order. They will gladly open the server room doors or let you bring a man-lift in. The only place that I ever had the manager call the home office was at a party supply chain. Managers don’t know, don’t care and don’t have time to worry about it. Target, Home Depot, Lowe’s, Rite-Aid, Walmart, etc. All the same. I’ve even been to banks and replace routers without question. Security starts at layer zero.

      3. rob

        Agreed. I’ve run my fair share of onsite installs where I walked in and had the run of the place, no questions asked.

    3. Erika Martin

      Matthew Johnson, just go into some of these locations past midnight while they’re stocking and observe three things: (1) NO EMPLOYEES visible near or monitoring the checkout lanes, (2) Employees in the aisles stocking shelves wearing headphones – almost always, (3) Employees visibility of customers obscured by palates, boxes and debris primarily in aisles away from the front or because they’re in the back of the store. At the very least, this is a liability to the safety of their own employees, let alone their customers’. My gut tells me that this was an inside job anyway, but because of the lack of control that the stores have during certain hours that I’ve seen , it didn’t necessarily have to be.

    4. ThreatTech Inc.

      There are 2 ways to gain access. Insider or Impostor contractors. Insiders are hard to stop but most companies have no fast, easy way to verify that a visiting maintenance contractor is who they claim to be. Contractor employees turnover is usually high so there is a vulnerability. An Imposter can easily walk in to a store with a fake company ID, uniform and toolbox and replace the devices.

  2. Chris Nielsen

    Perhaps things have changed, but my understanding is that unlike credit cards for which the credit card company takes that loss, debit card losses come from your bank account and are not subject to reimbursement. That’s why I have always avoided debit cards.

    1. Amarth

      That is a huge misconception. It regulation E vs regulation Z for debit vs credit card unauthorized use. On both instruments the card holder is not responsible for the charges.

      1. pboss

        You will, however, find that banks are much slower to give you back your money if it gets taken from your checking/savings account and make you go through more hoops. Can be an issue if you don’t have a fallback bank for bills.

        1. Ham

          Per Reg E a Financial institution has 10 days to either resolve the EFT error or the must give provisional credit. In instances where there are actual mag stripe unauthorized purchases MC rules dictate no charge back rights. That being said that financial institutions are basically stuck and must give credit and take the loss. To investigate a transaction it can cost about $13 each without considering labor for client interaction and to process the dispute just to meet Reg E requirements. It’s not worth the banks time or money to investigate these transactions and the only recourse is to get the police involved. For a $400 dispute?
          The short of it is if a Bank (not CU) is requiring ANYTHING of a consumer prior to giving credit they are in violation of Reg E.
          As a consumer you are 100% covered in the event of a transaction you had nothing to do with.

      2. JCitizen

        My credit union gives you 48 hours to discover the fraud, or you are just out of luck. Whether that is covered by a new “Z” regulation or not, that is what they do here.

      3. Jonathan Jaffe

        Re Reg Z: short words see http://www.investopedia.com/terms/r/regulation_z.asp

        From one horses mouth: http://www.federalreserve.gov/bankinforeg/regzcg.htm where the word “debit” does not appear to appear. A debit card is not a debt instrument.

        Another horse: FDIC: https://www.fdic.gov/regulations/laws/rules/6500-3200.html
        refers to Truth-in-Lending requirements. “Debit cards” are mentioned (see below) only in the context that they generate fees for overdrafts, lines of credit and similar.

        Yes, you may get your stolen funds back, but they are gone for now and for many people that can be a financial catastrophe. Credit cards have better protections, not the least of which is your credit may be improperly used, but your CASH is still in your pocket.

        Jonathan @NC3mobi

        Section 2026.2 (A)(15)(ii)(B) refers to
        An overdraft line of credit that is accessed by a debit card or an account number.

        § 1026.60 (a) Credit and charge card applications and solicitations.
        (5) Exceptions. This section does not apply to:
        (ii) Overdraft lines of credit tied to asset accounts accessed by check-guarantee cards or by debit cards;
        (iii) Lines of credit accessed by check-guarantee cards or by debit cards that can be used only at automated teller machines;

        1. Dave

          I’ve had the unpleasant experience of having a credit union debit card stolen a few years back. It took about a week before the credit union replenished my checking account. I discovered the theft within a few hours, and immediately contacted the credit union and they canceled the card, then logged into the credit union website to find several large purchases at department stores, electronics stores, etc…. Over the next couple days I visited most of the stores and collected a great deal of information about what was purchased. Best Buy was able to provide me a name and address of the owner of a membership card they used along with my debit card (probably also stolen). But when I went to Target, a security manager brought me back to their surveillance office and showed me footage of the young woman who was using my card. I took all this information back to the credit union, and was basically told “Yeah, thanks, but it’s still gonna take a few more days before we can give you your money back.”

    2. swattz101

      I believe it used to be the consumer is responsible for the first $50 when it comes to debit cards. I could be wrong, or this could have changed.

      One of my cards was compromised a couple of months ago. I informed the bank within a couple of hours and they issued a full temporary credit for the amount within a couple of hours and sent me a new card overnight. About a week ago, they informed me the investigation was complete and the credit was permanent.

  3. Robert.Walter

    I googled Safeway and Apple Pay and saw the following comment, posted 93 d ago, on Reddit:

    “Most Albertsons in CA, NV, ND, WA, ID, UT, OR, WY are already enabled. And that is the majority. A few in CO, TX, NM, FL are still not there yet. Waiting patiently for CO but would take Safeway in CO. Safeway’s terminals in CO are ancient.”

    1. Robert Barron

      That’s not correct, at least as far as Colorado goes; I have yet to go into a Safeway or King Soopers (Tom Thumb) that has enabled EMV or NFC payments.

      Whole Foods has enabled NFC, not sure about EMV as I pay with my phone every chance I get.

      1. James Edwards

        Whole Food does have NFC & EMV enabled. The other day I went in to buy something, I paid by phone however the POS shows you can use either card or phone to pay. I know for a fact that Sears has not enable the EMV chip card yet.

  4. sigh

    Do you think anyone will ever booby-trap their devices so that if someone tampers with it, it fails or alerts? sure it costs the issuer, or vendor money, but not as much as if it gets compromised.

    1. Luigi Porco

      Hi Sigh
      Disclaimer first: I work for a european company that designs and manfucatures POS terminals.
      Afaik PCI nowadays requires all devices/pinpads to be tamper evident, meaning that the device should already be ‘booby-trapped’ as you call it. Opening the enclosure for instance automatically deletes all keys on our devices, rendering it unusable.

      Maybe if they still have very old POS-Terminals in place (pre-PCI) or if they found flaws in the design of the hardware the baddies might have exploited that. Physical attacks (manipulating the pinpad from the inside) are a lot harder to pull of though than installing an external card skimmer or grabbing the data while they it is sent through the shops network.

      Luigi

    2. Jessica

      If you implement point to point encryption starting at the pinpad, then tampering would break the payment processing

  5. Robert

    I know Safeway’s security infrastructure pretty well and they actually do a pretty good job over there. This is very surprising. I wonder what FireEye has to say about this, Safeway has a lot of NX’s on their network. Could this have possibly come in from Albertson’s network once they merged?

    1. Robert

      On second thought, if this was purely a physical attack on the pin pads then obviously network security would not matter, especially if they bluetoothed or wirelessly exfilled the data.

  6. Michael Pasieka

    I was pleasantly surprised last night when shopping at my local CVS: The card reader refused to allow me to swipe my card and required that I use the chip reader!

    A huge step forward and one I would love to see in my grocery store and gas station.

    1. Mc

      Michael, you’re unlikely to see chip cards in use at gas stations for quite a long time. VISA is hot and heavy on mandating EMV use at retailers, but they’ve given the gas stations a pass until late 2017, even though it’s at these unattended payment terminals where the majority of skimming activity occurs.

      1. Wharrgarble

        I also had to use the chip this morning at Rite Aid, and previously at Home Depot.

      2. MfClimber

        EMV won’t help the gas pump skimming problem because with EMV the card data crosses from chip to terminal unencrypted. This is particularly problematic with Visa because they’ve opted for chip-n-signature rather than chip-n-PIN (which is slightly better protected against card theft). Mr Krebs has documented plenty of skimmer devices that capture the PIN as well, however.

  7. Mark Withers

    I use a Safeway commercial card that requires the driver pin and mileage. I noted all the station that I have visited in the Lehigh Valley, PA (Allentown/Bethlehem/Easton) have security stickers where you turn the lock and are opening the reader access compartment and it tears the sticker.

  8. Shawna

    Out of curiosity I clicked on the link that shows photos of what a compromised machine looks like …. wow, why do websites do that? How about if you just add step by step instructions of exactly what to do to make one?! I’m shocked that this type of info is easily available to would-be thieves and con artists. It’s like giving candy to a baby!

    1. BrianKrebs Post author

      Shawna: If only the criminals know what the skimmers look like, then law abiding citizens can’t spot a skimmer when they see one. In the case of skimmers, there is every reason to publish pictures because the people getting money out or interacting with the compromised machines are the most likely to spot something amiss.

      1. craig

        lol… the ol’ “all reporters and whistleblowers should be imprisoned forever for helping terrorists” argument… why not just make it illegal to dial 911 already? always shoot all the messengers… lol…

      2. JCitizen

        What gripes me is your article about the skimmers themselves pointed out that they appeared to be mass manufactured, and that the only possible use would be for skimming. If this is true, it really makes me wonder what Interpol and the FBI are doing to find out who these big time bad actors are? It would seem that part of the crime is big business, that is harder to hide!

    2. Jonathan Jaffe

      Security through obscurity was well skewered as far back as 1853.

      Is discussion of security weaknesses harmful or helpful? This is not a new topic having been discussed by Alfred Charles Hobbs, an American locksmith in his book Locks and Safes: The Construction of Locks (Charles Tomlinson, editor. Published by Virtue & Co., London, in 1853). What he wrote about physical locks is just as applicable to the electronic locks about which some manufacturers prefer to practice security by obscurity.

      A commercial, and in some respects a social doubt has been started within the last year or two, whether or not it is right to discuss so openly the security or insecurity of locks. Many well-meaning persons suppose that the discussion respecting the means for baffling the supposed safety of locks offers a premium for dishonesty, by showing others how to be dishonest. This is a fallacy. Rogues are very keen in their profession, and know already much more than we can teach them respecting their several kinds of roguery.

      Rogues knew a good deal about lock-picking long before locksmiths discussed it among themselves, as they have lately done. If a lock, let it have been made in whatever country, or by whatever maker, is not so inviolable as it has hitherto been deemed to be, surely it is to the interest of honest persons to know this fact, because the dishonest are tolerably certain to apply the knowledge practically; and the spread of the knowledge is necessary to give fair play to those who might suffer by ignorance.

      It cannot be too earnestly urged that an acquaintance with real facts will, in the end, be better for all parties. Some time ago, when the reading public was alarmed at being told how London milk is adulterated, timid persons deprecated the exposure, on the plea that it would give instructions in the art of adulterating milk; a vain fear, milkmen knew all about it before, whether they practiced it or not; and the exposure only taught purchasers the necessity of a little scrutiny and caution, leaving them to obey this necessity or not, as they pleased. [ highlighting ours -ed ]

      citations at
      http://nc3.mobi/references/2015-summary/#201509091853

      1. JCitizen

        I seem to remember running across that historic tidbit during my research for my police science thesis! Thanks for the trip down memory lane!

        1. Jonathan Jaffe

          JCitizen: One is pleased to be of service.

          As for memories: Remember what Santayana wrote about remembering the lessons of history or being condemned to make the same [deleted] mistakes again, and again, and a……

          Jonathan @NC3mobi

  9. jeff

    A swap out seems unlikely to me but I do not know their infrastructure or how their terminals were setup. A swap out should imply someone would have to get to the terminal as well to validate the new reader for the terminal. While that should be normal, you would think it would take a lot more time.

    My follow up questions to Safeway would be how long do they save their video surveillance, what quality is the video, do they have them pointed at the checkout lanes, and do they have records of someone performing maintenance on the terminals or swipe pads? Not saying this will nab the party but it would be my starting point.

  10. Jasper

    jeff: Yes most stores do have surveillance over their registers for shrink/theft/robbery, but they are required to maintain 90 days online for any streams that cover a Point of Sale according to PCI DSS 3.0/3.1 subsection 9.1.1 . Whether or not they have this implemented correctly? Whether they have the storage to do this? Whether the skimmers were installed in this timeframe? We’ll probably never know.

  11. Nic

    My local Safeway has upgraded their terminals to new ones which will accept chip cards.

    I was pleased by this and attempted to use it, only to be told that they did not have the software to allow the chip piece of the terminal to work, and that I would still have to swipe.

    This is why we cannot have nice things.

  12. Noelle

    I saw posts on FB last night about this happening in Texas as well.

  13. Chris

    Even if there were no credit or debit cards there would be fraud – it would be called counterfeiting. I see that $20, $50 and $100 dollar bills are given the “pen test” in local stores, suggesting bogus bills of those denominations have been found. The surprise for me was that they’re testing $20s.

  14. Scott

    This article states “In order to steal card data and personal identification numbers (PINs) from Safeway customers, the thieves would have had to open up the card processing terminals at each checkout lane. Once inside, the thieves can install a device that sits between the keypad and the electronics underneath to capture and store PINs, as well as a separate apparatus that siphons account data when customers swipe their cards at the register.”

    This is not the only way that the MSR data and PIN can be captured. This indicates that the PIN pad was opened so that a skimmer is installed internally. This may not be the case here.

  15. mica

    Thank God that Safeway immediately contacts law enforcement.

    Moreover, I feel blessed everytime I come out of my local Walmart and my vehicle’s catalytic converter hasn’t been removed.

    BTW, (as of this moment) only one 8″, one 10″, one 12″ & one 16″ [unmentionable brand] power hacksaw blades left @[unmentionable online site].

    ~God Bless & have a safe and wonderful holiday season~

  16. Michael

    Looks like the way they handled security wasn’t a …. safeway

  17. John

    This has been going on for years at Safeway. When I was young and dumb using a debit card all the time it was always stolen right after a Safeway purchase. Inside job for sure.

    People shouldn’t be using a debit card for retail purchases. Simple. If you can’t get a credit card than use a prepaid card. Amex via Bluebird offers one for all for free available at Wal-Mart.

    1. midwestjones

      The pre-paid card won’t solve the debit v credit card issue. For both debit and pre-paid cards it’s “my” money. If I use a credit card and it’s compromised, then the banks money is stolen and I can still pay my bills.

  18. Aaron

    Well, they got me.

    Yep, to the tune of $400 yesterday. The only place I use my ATM card’s PIN is at Safeway for groceries, and at Safeway for gas. That’s it. Safeway does not have chip enabled terminals in their machines.

    I live in Sacramento. This morning, poof! $400 is suddenly gone from my checking account to an ATM in Marietta, Georgia.

    I have already shut down my ATM card. Luckily, I will get the money back from my bank, in 7 to 10 days.

    1. Scott

      This is not specifically a problem with Safeway. Card skimming is a major problem for all merchants that take magnetic stripe payment devices. This is 1950s technology and shame on the card brands for not fixing this a long time ago. Most small scale skimming attacks are not reported but they happen all the time.

    2. peter

      Glad you’re getting your money back, even though it will take a while.

      As for me, I only use my ATM/debit card at the bank ATM. Everywhere else it’s credit cards only.

  19. Mark Lafayette

    http://www.raleys.com store security told me it was difficult to install a skimmer because if any credit card reader is unplugged at the register, an alarm goes off in their security system. This article does not mention if Safeway has such a security system in place for their credit card readers.

    1. Janet

      That’s good that they’re doing that. Just don’t let it make anyone complacent, as I’m sure the alarm/security system can be worked around somehow…

  20. Mark Lafayette

    The article does not mention if the Safeway stores had an alarm system which would sound if the credit card readers were disconnected/tampered with.

    In 2013, northern California Raleys stores (including Nob Hill Foods and Bel-Air) were infected with point of sale malware which stole credit card info. Some victims originally thought they were victimized by skimmers in the Raleys stores but Raleys security told victims an alarm goes off if the card readers are disconnected or tampered with. Raleys continued to deny the victims’ claims that Raleys was at fault until Raleys admitted they had point of sale malware infection several months later which was reported at:

    http://www.raleys.com/www/promotions/promotions.jsp?contentid=3165805

    UPDATED AUGUST 9, 2013
    Customer Fact Sheet: Cyber Attack

    What happened?
    On June 6, Raley’s Family of Fine Stores announced that a portion of its computer network systems may have been the target of a complex, criminal cyber attack. We initiated a thorough investigation and we notified the FBI. At this time, we have not confirmed any unauthorized access to payment card data, but our investigation remains ongoing. We continue to encourage our customers to monitor their accounts and notify their banks or credit card companies of any suspicious activity.

    What has Raley’s done?
    Since we issued that notification, we have been intensely focused on getting answers for our customers. We continued our internal investigation. We launched a separate, independent investigation on behalf of credit card companies. We’ve brought in some of the best security experts and they are satisfied with the security measures we have in place. They continue to work with us to determine what happened. We have full confidence our customers can continue using their payment cards in our stores.

    What kind of information may be at risk?
    Our investigation is ongoing relative to payment card data. Raley’s has no reason to believe that customers’ debit PIN numbers could have been accessed. In fact, it is our policy that we do not store debit card PIN numbers. Raley’s does not collect Social Security or drivers’ license numbers in association with payment card transactions. Robust security measures specific to PIN number entry have been, and remain, firmly in place.

    Is my pharmacy information at risk?
    We have no reason to believe any information connected with pharmacy orders may have been targeted or removed.

    Is my Something Extra card information at risk?
    We have no reason to believe the information our customers shared to participate in our rewards program may have been targeted or removed.

    How many customers may have been affected?
    Our investigation remains ongoing.

    How many customers have you heard from?
    Since the June 6 notification, our response team has fielded approximately three thousand calls from customers who have contacted Raley’s with questions or concerns relating to the notification, or simply to thank us for letting them know they should be on alert. Some customers have told us they have been contacted by their banks and some customers have said they have noticed unusual activity on their accounts. While we encourage our customers to continue to work with their banks to determine the cause and address these incidents appropriately, we still have not discovered any evidence of unauthorized removal of information from Raley’s payment card system. Our response team remains available for our customers.

    Is it safe for customers to use their credit or debit cards at Raley’s?
    We have full confidence that our customers can continue using their payment cards in our stores.

    When did this happen and how did you find out?
    We learned from a major credit card company there was some questionable activity. We immediately launched a full investigation. At this point, all of the evidence that something may have happened remains circumstantial. We are continuing to look into this further, as well as continuing to assist outside investigations. We are continuing to listen to our customers, and continuing to work with our card processors to monitor for suspicious activity.

    Who is responsible?
    We do not know yet. We have reached out to the FBI and we are continuing with our investigations to find out who is responsible for this attack.

    What can customers do?
    We encourage our customers who may have used payment cards in our stores to take the following steps to protect their accounts:

    Check and monitor your bank and credit card statements for any evidence of unauthorized transactions; and
    Contact your bank or credit company immediately if you identify suspicious charges.

    Will I be charged for unauthorized charges on my card?
    Cardholders are typically not held responsible for fraudulent charges made by unauthorized parties if reported promptly to the card issuer.

    Is Raley’s Payment Card Industry (PCI) compliant?
    Raley’s has committed substantial resources to protecting customer payment card data. Earlier this year, a qualified security assessor conducted an assessment of Raley’s security measures regarding payment card data and validated Raley’s compliance with the Payment Card Industry (PCI) Data Security Standards.

    Am I at risk for identity theft because of this attack?
    We do not believe any sensitive information such as debit PIN numbers were accessed and we do not collect Social Security numbers or drivers’ license numbers in association with payment card transactions. Our customers should not be at risk of identity theft due to this criminal attack. Identify theft occurs when someone illegally assumes the identity of another person often by using someone else’s name and their Social Security number or other sensitive information which then is used to assume control over a victims’ credit cards or bank accounts.

    Do I need to contact law enforcement?
    No. Raley’s is working with card issuers and has reached out to the FBI. You should monitor your bank and credit card statements closely and report any suspicious transactions to your card issuer who will handle it from that point.

    Will Raley’s ever call me and ask for financial information?
    Raley’s will never call, email or text you to obtain personal information such as social security number or credit card numbers.

    What is Raley’s doing for its customers?
    Protecting our customers’ privacy is a top priority and our company sincerely regrets any inconvenience that this apparent attack on our network may have caused. We have established a dedicated response team to answer customers’ questions that is available extended hours seven days a week from 7 a.m. to 9 p.m. by telephone toll-free at 1-800-925-9989.

  21. L. Walters

    What I want to know is…

    What’s the point in having chip readers at POS terminals if the merchant does not activate them on the device…and requires customers to swipe the card only to facilitate the transaction?

    I recently shopped at a local store of a national chain in my community where I used a MasterCard card with a chip. But, after I inserted the card into the chip reader, nothing happened. The cashier instructed me to swipe the card only and said that the chip reader never worked.

    So…what’s the point in looking or appearing compliant with the installation of POS terminals with chip technology? This store (and maybe more in the national chain) is anything but compliant, especially since this store continues to rely on swipe technology only for its POS terminals.

    1. timeless

      At some point, if you’re a merchant, you’ll want to activate the chip reader. (Financial liability)

      But, imagine you’re a large merchant w/ many checkout lanes and many stores.

      You’d probably rather deploy all the hardware to all the stores, and then deploy the software to activate the feature everywhere, instead of incrementally.

      The software update is probably tied to some other deployment testing and probably significantly impacts lots of other systems, so they’ll delay it until all of the other pieces are ready.

      It also means the new software won’t have to support older terminals.

      I’m not saying I necessarily agree w/ this approach. But it reduces confusion. Imagine you’re a customer, and you go to store A, and use your chip, then a few days later you go to another store from the same merchant, and can’t use your chip, you’d be confused, and even more annoyed. This way, everyone has a single answer “it isn’t deployed yet”.

    2. Chad

      There are several pieces in play. The Manufacturer of the Terminal Pin Pad, POS Software company, Possible Third Party Payment Facilitator, and the Merchant’s Bank. If all aren’t in sync and EMV ready, the merchant can’t turn the EMV piece on. Big retailers like Wal-Mart were able to be EMV ready because IIRC, their software development team controls all pieces from the pinpads to the bank.

    3. Me

      Retailers had to get their debit terminals with a chip reader in by October to be compliant. They have until the 1st of the year to coordinate the software.

  22. jim

    Another good source on locking systems is the old 2600 magazine. They had several issues on locking systems. Another source, showing my age was the cookbook. And one of the earliest attempts at cooking systems was frequency traveling. Google stop changing garbelinging to traveling. Superposing alternate frequencies onto chips, can be done, by messing with the base voltage inputs.adding a sine to a flat or varying the input base frequency. But, oh, these are 115/60 cycle, rectified to 12 vdc. It can be done by missing or supimposing waveforms. Not counting power outages, skipped cycles, brownouts, and spikes that are present in the everyday electrical service, and program security in the chip overlay? Who says security is ingrained in systems? Does the average store have to have built in pos ups?

  23. Erik Novales

    Pretty sure this goes back further than September. Back in March, after stopping at the Safeway in Walnut Creek, CA (mentioned in this story about the skimmers: http://www.ktvu.com/news/57813111-story), my credit card was compromised. I attempted to pay with the credit card at a self-service terminal, the transaction was denied, and then I wound up just paying with cash instead. A couple of days later, that card number was used to fraudulently purchase gas at two separate stations, and then $500+ of stuff from Home Depot.

    Because I never shop at that Safeway, and I knew that was the last time I had used the card for anything, I called the police and told them that I suspected that there was a credit card skimmer active there. I also told my credit card company as well, along with extremely specific information about where and when I suspected the card was compromised. But it seems like nothing ever came of that (or at the very least, until much later).

    1. Jonathan Jaffe

      Erik Novales: Feedback is something we rarely get when communicating with monoliths who want to maintain their public “perfection” appearance.

      In many states there are “safe harbors” where companies don’t even have to tell you your data was taken. If the data was encrypted (even weakly or poorly encrypted) they might not have to tell you there was a breach. more at http://nc3.mobi/references/when/

      Jonathan @NC3mobi

  24. William

    I’m getting in the habit of paying cash for relatively small purchases and just using my credit cards for larger purchases. It minimizes my attack vector and makes it easier to track charges each day. I know part of the reasoning for using credit cards is that by not carrying cash, you’re protecting yourself from a robbery. But i would much rather lose $100 or so in cash then have my checking or savings account drained.

  25. JJ

    All of my credit cards, checking account, debit cards and prepaid cards are set up with text alerts for every transaction over $1.00. I know within 1-2 minutes whenever any activity occurs on my accounts.
    The downside is when checks clear my checking account at 2am and I get text messages, but I will tolerate that for the relative peace of mind that I will know if unauthorized activities occur on my accounts.

    1. William

      JJ, that’s a really simple and straightforward solution. I’m going to look at my bank and credit cards to set up something similar. Thanks for the tip.

  26. patti

    I think everyone’s sort of missing the point. This is an attack on the entire financial system, not customers. The US cannot even afford to make New Orleans safe for the future, and the financial drain from these sorts of things is only spiraling upward. Can the current financial (i.e., debt based) system even function in the longer term?

  27. ksw

    I suspect that this is a system-wide breech of Safeway’s card processing platform. Both my spouse’s and my cards were shut down over the past week. Not much damage done, mainly because our bank seems to be aware of the problem and suspended the cards when the suspicious activity started. We’re in the L.A. area and do shop at Von’s, a Safeway brand. From the timing, I suspect the breech is pretty recent, 8 weeks or so. It takes a little time to spread the card down to the “street” for theft at brick-and-mortar stores.

    Way back in the early 90’s I was involved in the technical operations of a major retailer’s payment processing platform and boy, times were easier. Internet was dial-up and connections to clearinghouses were point-to-point leased lines. Things have gotten too complicated to properly secure. PCI standards publications help but I can’t seem to shake the notion that security has changed focus from “keep out” to “clean up”.

  28. Novae

    FWIW, shortly before the CO hacks occurred, a Safeway in the Englewood / Centennial area closed down.

    It’s worth looking into whether hacks were associated with the self-checkout machines that may have been transferred from that closed store into the other ones. If so, the chain of custody of those machines would likely reveal the culprit.

    1. PIN head

      I doubt the two have anything to do with one another. There were a number of stores closed because of the Albertson’s merger. And, more importantly, the skimmer is most likely an overlay type attack as opposed to internal modifications. So chain of custody would not be an issue.

  29. Fnarf

    These Safeway skimmers have Bluetooth, like the ones you found in Mexico. Are they broadcasting the same FREE2MOVE signal that those ATMs were, or something different?

Comments are closed.