Supermarket ATM/Card Reader Rigged With Illicit Scanner

Shoppers' credit card, debit card information stolen and used in identity theft scheme in California

Dark Reading logo in a gray background | Dark Reading

Some shoppers at a supermarket in Los Gatos, Calif., got more than they bargained for in the past week: Over 100 have become victims of identity theft after the debit- and credit-card reader at the checkout was rigged to siphon off their debit- and credit-card information.

The perpetrators used the card information and PIN numbers to churn out cloned cards, which then were used to withdraw cash from the victims’ accounts and to incur fraudulent charges on their credit cards. The customers of the Lunardi’s grocery store in Los Gatos have been reporting cases of identity theft to authorities since last Sunday evening, and reportedly have been losing an average of $1,000 from their bank accounts, according to a published report .

"What we have here is more than one person -- they've been able to get in there (Lunardi's) and switch out the ATM card reader," said Los Gatos-Monte Sereno police Sgt. Tam McCarty in an article in the San Jose Mercury News. "Once they've done that, they can read the card and PIN numbers and either make a temporary card or sell the numbers over the phone."

It’s unclear so far whether the scam was perpetrated by an outside criminal or was an inside job. The Lunardi’s supermarket has since replaced its old ATM card readers with new ones that lock to prevent tampering.

Scanner tampering has long been a subject of concern for security researchers, who have demonstrated the ease of ATM machine hacks, as well as of smart card scanners for physical security.

The stolen card account incident at Lunardi’s follows a similar one in Los Altos in March at an Arco gas station’s payment machine.

Rob Enderle, president of Enderle Consulting, says this is yet another type of card-scanning scam. “It speaks strongly for the need for strong multifactor authentication over anything dealing with confidential data, particularly financial data."

“Attacks like this are likely to spread ,and it is relatively easy to search on the Web and find the parts you need to build one of these things," Enderle says. "I’ll bet there are sites in Eastern Europe where you can order the entire solution custom designed for the attack a criminal wants to make.”

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights