Evan Schuman's StorefrontBacktalk

Still, if hacked card readers had been installed in one Aldi store, or in a group of stores spread around a single city, it would be unremarkable. But over the summer, it happened in 10 urban areas&#8212and all the cases appear to be related.

Look at those cities on a map, and the striking thing is that they’re so spread out. How could one gang of cyberthieves hit that many stores in that many areas at once, swapping the skimmer-equipped PIN pads in and out to collect card information?

Maybe they didn’t. It may be that this really was a summer road trip by one set of thieves. It could be a simple enough process: Steal PIN pads from a few Aldi stores. Install skimmers in them. Distribute them to stores spread across a city and its suburbs. Wait a day or so, then swap the original PIN pads back in the stores, collect the card information and head for the next city on your list to repeat the routine.

If the thieves waited until their trip was done before using the stolen card information, they might have spent weeks collecting it without getting caught. That would explain why the money started being taken from ATMs suddenly—and thousands of miles from the tampered card readers.

These kind of physical attacks should be much less common than they are, and they would be that much less common if retailers were more meticulous about reviewing their network activity logs, said QSA-and StorefrontBacktalk PCI Columnist-Walter Conway. “There should be huge red flags in the logs if anyone disconnects a terminal. That should immediately trigger an alert,” he said.

If the thieves are especially brazen-and come prepared with vision-blocking props and a couple of accomplices skilled at distracting an employee-they might be able to attack the machine without actually disconnecting it from the network. “Done properly, it should only take 5 to 10 minutes and probably closer to five,” Conway said. “You solder a couple of wires and you put the top back on. You could do it very quickly, but you have to expose yourself.”

However, on-the-spot tampering would also be very risky, requiring that the cashier be distracted for as many as five or ten minutes without noticing someone hanging around the unattended checkout line. Even with minimal staffing, that wouldn’t be easy in a typical Aldi store with its shotgun layout, where everything is visible from anywhere in the store.

Truly sophisticated tampering might even include setting up the hacked card readers to transmit card data by Bluetooth or across the Internet. But that seems less likely. It’s a lot more work and expense to collect data from just a few hundred cards at each store.

There’s another, more unnerving, possibility: that there were actually 10 groups of thieves, one in each of the areas where the skimmers were installed. That would involve a lot more coordination among the thieves, and might signal far more headaches for retailers facing the prospect of gangs of cyberthieves who could hit stores in multiple cities at once.

Then again, cyberthieves are known for being fond of Internet discussion groups so finding like-minded thieves wouldn’t be that difficult, which would explain the widely dispersed geographies hit and the ease with which the numbers could be cashed out thousands of miles away.