Hackers Skim Lucky Supermarket Customers’ Credit Cards via Self-Checkout

Criminals have tampered with the credit and debit card readers at self-checkout lanes in more than 20 supermarkets operated by a California chain, allowing them to steal money from shoppers who used the compromised machines. The chain, Lucky Supermarkets, which is owned by Save Mart, is now inspecting the rest of its 234 stores in northern California and northern Nevada and urging customers who used self-checkout lanes to close their bank and credit card accounts.

arstechnica

Lucky Supermarkets issued a consumer advisory Monday listing the stores confirmed to have been affected, while also saying, “There have been approximately 80 employee and customer reports of either compromised account data or attempts to access account data, with the majority coming over this past weekend.… We strongly recommend our customers who used a self check-out lane in the affected stores contact their financial institution to close existing accounts and seek further advice. We continue to work with local, state, and federal law enforcement to find those responsible.”

The Mercury News reported today that Lucky Supermarkets has received more than 1,000 calls from customers saying they’ve been victims of fraud. Lucky Supermarkets has been investigating the problem since Nov. 11, when an employee performing routine maintenance on a self-checkout machine “uncovered an extra computer board that had been placed inside the checkout machine, recording customers’ financial information,” the paper said. When the supermarket chain initially warned customers on Nov. 23, there were not yet reports of accounts being compromised, but now they are pouring in. One San Jose resident told the Mercury News that $300 had been withdrawn from her checking account.

Lucky Supermarkets has removed the tampered card readers, which were made by VeriFone, in the stores known to be affected and says it is enhancing security of every credit and debit card reader in all 234 of its stores. Joseph Steinberg, CEO of the security company Green Armor Solutions, released a statement saying “Everyone should always check any device in which they insert/swipe a credit/debit/ATM card, or to which they touch their card, to see if it looks like it may have been modified/covered.”

Expecting consumers to not only check themselves out of a store but also determine whether a credit card machine has been tampered with seems unrealistic, however. Unfortunately, credit card fraud and identity theft are becoming increasingly big problems. We recently noted that two employees of the New Jersey Motor Vehicle Commission were arrested and charged with selling the identities of unsuspecting residents for as little as $200 per identity.

Photo: Roadsidepictures/Flickr