Posts Tagged: Safeway


3
Feb 16

Safeway Self-Checkout Skimmer Close Up

In Dec. 2015, KrebsOnSecurity warned that security experts had discovered skimming devices attached to credit and debit card terminals at self-checkout lanes at Safeway stores in Colorado and possibly other states. Safeway hasn’t disclosed what those skimmers looked like, but images from a recent skimming attack allegedly launched against self-checkout shoppers at a Safeway in Maryland offers a closer look at once such device.

Safeway Store, Germantown, Maryland

A skimming device made for self-checkout lanes that was removed from a Safeway Store in Germantown, Maryland

The image above shows an simple but effective “overlay” skimmer that banking industry sources say was retrieved from a Safeway store in Germantown, Md. The device is designed to fit directly over top of the¬†Verifone terminals in use at many Safeways and other retailers. It has a PIN pad overlay to capture the user’s PIN, and a mechanism for recording the data stored on a card’s magnetic stripe when customers swipe their cards at self-checkout aisles.

Safeway officials did not respond to repeated requests for comment about this incident.

My local Safeway in Northern Virginia uses this exact model of Verifone terminals, and after seeing this picture for the first time I couldn’t help but pull on the terminal facing me in the self-checkout line on a recent store visit, just to be sure.

Many banks are now issuing newer, more secure chip-based credit and debit cards that are more expensive and difficult for thieves to steal and to counterfeit. As long as retailers continue to allow customers to avoid “dipping the chip” and instead allow “swipe the stripe” these skimming attacks on self-checkout lanes¬†will continue to proliferate across the retail industry.

It may be worth noting that this skimming device looks remarkably similar to a point-of-sale skimmer designed for Verifone terminals that I wrote about in 2013.

Here’s a simple how-to video made by a fraudster who is selling very similar-looking overlay skimmers for Verifone point-of-sale devices; he calls them “Verifone condoms.” As we can see, the device could be attached in the blink of an eye (and removed quickly as well). The device in the video is just a shell, and does not include the POS PIN pad reader or card reader.


14
May 12

Global Payments Breach Fueled Prepaid Card Fraud

Debit card accounts stolen in a recent hacker break-in at card processor Global Payments have been showing up in fraud incidents at retailers in Las Vegas and elsewhere, according to officials from one bank impacted by the fraud.

At the beginning of March 2012, Danbury, Conn. based Union Savings Bank began seeing an unusual pattern of fraud on a dozen or so debit cards it had issued, noting that most of the cards had recently been used in the same cafe at a nearby private school. When the bank determined that the school was a customer of Global Payments, it contacted Visa to alert the card association of a possible breach at the Atlanta-based processor, according to Doug Fuller, Union Savings Bank’s chief risk officer.

That’s when USB heard from Tony Higgins, then a fraud investigator at Vons, a grocery chain in Southern California and Nevada owned by Safeway Inc.

According to Fuller, Higgins said the fraudsters were coming to the stores to buy low-denomination Safeway branded prepaid cards, and then encoding debit card accounts issued by USB onto the magnetic stripe on the backs of the prepaid cards. The thieves then used those cards to purchase additional prepaid cards with much higher values, which were then used to buy electronics and other high-priced goods from other retailers.

“Higgins said, ‘You have a problem,'” Fuller recalled, of a phone conversation the bank had with Higgins in early March. “He said he had a slew of these people going through their Vons and Safeway stores exchanging cards. He had them on surveillance tape, knew where they were from and everything.”

Continue reading →