FYI.

This story is over 5 years old.

Tech

Credit Card Skimmers Hit Multiple Grocery Stores in Colorado and California

Check your balance and ditch the magnetic strip-based debit card already.
Image: Wiki

Customers at several Safeway grocery store locations in California and Colorado have been hit by credit card skimmers, according to security reporter Brian Krebs.

The full scale of the operation is still being assessed and Safeway hasn't offered much in the way of detail (just that an investigation is ongoing and "multiple" stores have been targeted), but Krebs' bank sources suggest that at least four stores were hit in Colorado (Denver suburbs) and at least two were hit in California (Castro Valley, Menlo Park). The attacks go back at least as far as September 2015.

Advertisement

From Krebs:

Banking sources say they've been trying to figure out why so many customers in the Denver and Englewood areas of Colorado were seeing their debit cards drained of cash at ATMs after shopping at Safeways there. The sources compared notes and found that all of the affected customers had purchased goods from one of several specific lanes in different compromised stores (the transaction data includes a "terminal ID" which can be useful in determining which checkout lanes were compromised.

Meanwhile, a Safeway spokesperson told Krebs that, "this is not unique to our company, and we understand some other retailers may have been more significantly impacted." No further detail was offered.

The curious, crude "hack" of credit card skimming is kind of amazing. The victim waltzes up to a credit-card machine, does everything they normally would with a normal-looking credit-card machine, and leaves without having the slightest clue that that machine had been compromised. The machine itself wasn't fake, but had a fake layer on top of it designed to log the data from your magnetic strip along with your PIN, likely transmitting the data to the attacker via Bluetooth connection. And just like that thieves have your bank or credit card account.

Here's an example from Krebs:

The hardware wouldn't be all that difficult to put together and the internet seems flush enough with skimmer designs—a credit card skimmer is really just another credit card reader, after all—so the actual hacking is more of a social engineering hack than anything. That is, the hard part is getting access to install the thing on top of the legit card reader. For a checkout line machine, that's maybe just a matter of successfully bullshitting a clerk (saying you're doing repairs or something).

In any case, skimming is theoretically a thing of the past, what with Apple Pay and chip-based credit cards. Ditching the magnetic strip means being able to offer individually encrypted transactions—as if every credit card swipe were to require a unique and unused magnetic strip.

Me? I'm the asshole that lets his magnetic strips wear down to nothing and thus often depends on just punching the stupid numbers in, which is its own sort of vulnerability.