Skim Scam: Did Aldi Invite 11-State Coordinated Attacks?

Written by Frank Hayes
October 6th, 2010

When a gang of thieves physically tampers with point-of-sale systems, the tampering is usually a local operation. But that may be changing. Discount grocer Aldi said Friday (Oct. 1) that it has found tampered payment-card readers in stores in 11 states, spread from the east coast to Illinois. The retailer said the tampering was only in a limited number of its 1,100 U.S. stores, and all those stores were clustered near 10 cities—but the stolen data is being cashed out thousands of miles away.

That’s reason to worry. Physical tampering with PIN pads is typically local because it’s labor intensive. Thieves have to physically modify or replace the card terminals, which is why hacked terminals are usually found in a local cluster. This time there are clusters, all right—10 of them, stretching from Illinois to Georgia. Meanwhile, part of what made this $70 billion global grocery chain so successful—both in terms of European shoppers and fiscal profitability—could be playing a key role in making it a cyberthief target today: The scarcity of store employees.

The 10 areas hit with tampering were Chicago; Indianapolis; Pittsburgh; Philadelphia (including stores in New Jersey); Atlanta; Washington, D.C. (including stores in Virginia and Maryland); Rochester, N.Y.; Hartford, Conn.; Raleigh, N.C.; and Charlotte, N.C. The retailer won’t say exactly how many stores got the tampered devices, but a spokesperson said that they were found in only a “limited number” of stores, and they were probably placed there during June, July and August.

By September, the thieves started using the stolen data. Customers of a single suburban Chicago Aldi store reported $130,000 in fraudulent ATM withdrawals using their debit card information, according to the Chicago Tribune. Local police said most of the ATM withdrawals were made in southern California, in amounts ranging from $100 to $900, although some withdrawals were also made at ATMs in Ohio and in the Chicago area.

Aldi said that the chain has examined card readers at every U.S. store, removed suspect readers and tightened security.

It’s not hard to guess why Aldi was targeted. “Have you even been in an Aldi store? There are almost no employees,” said payment systems specialist Andy Orrock, COO of On-Line Strategies.

The chain’s stores, which are all in the eastern half of the U.S., are the very definition of “no frills,” and staffing is minimal. That makes it much easier for a thief to steal a PIN pad from an unattended checkout lane, or to swap in a PIN pad that’s been outfitted with a skimmer, Orrock said.

And because Aldi only accepts debit cards, not credit cards, at most stores, the card information collected by a skimmer (complete with PIN) would give direct access to a customer’s bank account.


4 Comments

  1. billblack Says:

    As a person that works for a company specializing in hardware and pinpads in the grocery market, I find this hard to believe. Any pinpad (unsure what Aldi uses) that has been manufactured in the past few years loses its PIN Encryption if tampered with. Hell, we have customers that “bump” them hard and they will lose encryption. Sometimes they lose encryption in shipping too. Trust me, it is difficult to get pinpads injected with either legacy DUKPT keys or TDES keys. Serial numbers are logged with the company doing the encryptions (TASQ, POS Portal, etc). Isn’t this covered in the PCI PTS standard?

  2. Evan Schuman Says:

    Editor’s Note: This was addressed and it appeared that the pads in question were older.

  3. Anon Says:

    We have one here in Albemarle NC. Does anyone know if that store was affected also? Our stupid paper here has not said one thing about it!

  4. Anony Says:

    US definitely needs to upgrade to chip & pin. There are 100 ways to skim the mag stripe data and once that's available you just need a 4 digit pin to withdraw/purchase anything.

