Skim Scam: Did Aldi Invite 11-State Coordinated Attacks?
Written by Frank HayesWhen a gang of thieves physically tampers with point-of-sale systems, the tampering is usually a local operation. But that may be changing. Discount grocer Aldi said Friday (Oct. 1) that it has found tampered payment-card readers in stores in 11 states, spread from the east coast to Illinois. The retailer said the tampering was only in a limited number of its 1,100 U.S. stores, and all those stores were clustered near 10 cities—but the stolen data is being cashed out thousands of miles away.
That’s reason to worry. Physical tampering with PIN pads is typically local because it’s labor intensive. Thieves have to physically modify or replace the card terminals, which is why hacked terminals are usually found in a local cluster. This time there are clusters, all right—10 of them, stretching from Illinois to Georgia. Meanwhile, part of what made this $70 billion global grocery chain so successful—both in terms of European shoppers and fiscal profitability—could be playing a key role in making it a cyberthief target today: The scarcity of store employees.
The 10 areas hit with tampering were Chicago; Indianapolis; Pittsburgh; Philadelphia (including stores in New Jersey); Atlanta; Washington, D.C. (including stores in Virginia and Maryland); Rochester, N.Y.; Hartford, Conn.; Raleigh, N.C; and Charlotte. N.C. The retailer won’t say exactly how many stores got the tampered devices, but a spokesperson said that they were found in only a “limited number” of stores, and they were probably placed there during June, July and August.
By September, the thieves started using the stolen data. Customers of a single suburban Chicago Aldi store reported $130,000 in fraudulent ATM withdrawals using their debit card information, according to the Chicago Tribune. Local police said most of the ATM withdrawals were made in southern California, in amounts ranging from $100 to $900, although some withdrawals were also made at ATMs in Ohio and in the Chicago area.
Aldi said that the chain has examined card readers at every U.S. store, removed suspect readers and tightened security.
It’s not hard to guess why Aldi was targeted. “Have you even been in an Aldi store? There are almost no employees,” said payment systems specialist Andy Orrock, COO of On-Line Strategies.
The chain’s stores, which are all in the eastern half of the U.S., are the very definition of “no frills,” and staffing is minimal. That makes it much easier for a thief to steal a PIN pad from an unattended checkout lane, or to swap in a PIN pad that’s been outfitted with a skimmer, Orrock said.
And because Aldi only accepts debit cards, not credit cards, at most stores, the card information collected by a skimmer (complete with PIN) would give direct access to a customer’s bank account.
-Marc
October 8th, 2010 at 5:51 pm
As a person that works for a company specializing in hardware and pinpads in the grocery market, I find this hard to believe. Any pinpad (unsure what Aldi uses) that has been manufactured in the past few years loses its PIN Encryption if tampered with. Hell, we have customers that “bump” them hard and they will lose encryption. Sometimes they loose encryption in shipping too. Trust me, it is difficult to get pinpads injected with either legacy DUKPT keys or TDES keys. Serial numbers are logged with the company doing the encryptions (TASQ, POS Portal, etc). Isn’t this covered in the PCI PTS standard?
October 8th, 2010 at 6:09 pm
Editor’s Note: This was addressed and it appeared that the pads in question were older.
October 9th, 2010 at 9:21 am
We have one here in Albemarle NC. Does anyone know if that store was affected also? Our stupid paper here has not said one thing about it!
October 11th, 2010 at 10:57 am
US definitely needs to upgrade to chip & pin. There are 100 ways to skim the mag stripe data and once thats available you just need a 4 digit pin to withdraw/purchase anything.