Tom Spring, PC World
Friday, May 18, 2007 12:32 AM
Living cashlessly is convenient. We swipe our credit and debit cards to buy gas, lunch, coffee, and groceries. But now, data thieves--eager to exploit U.S. consumers' dependence on plastic--are targeting keypads that we don't think twice about swiping our cards through.
Authorities in a number of states have reported local instances of a new high-tech crime: Crooks replacing or "bugging" checkout keypads at grocery and convenience stores. The rigged keypads record your credit card number or the personal identification number (PIN) that you key in when using your debit card. The crooks later return to collect the keypads--sometimes by ripping them from checkout aisles--and use the intercepted data to siphon large sums of money from unsuspecting store patrons.
Usually, the keypad devices show no outward signs of tampering. But inside, authorities say, scammers attach skimming devices that pass along customer data to the merchant (just as a normal keypad would), but also collect and store every credit card number, name, and debit card PIN entered on them.
The amounts that authorities suspect keypad thieves of stealing vary. Las Vegas police say that the total take in a crooked keypad scam in their jurisdiction may have been in the "millions of dollars"; representatives from the other affected states--California, Florida, Massachusetts, Pennsylvania, and Rhode Island--put the estimated cost to consumers at around $100,000 in each case. The magnitude of the actual losses may never be known, authorities say.
In Las Vegas, for example, hundreds of people had their financial information stolen when they stopped at convenience stores to grab a snack or fill up their gas tanks, according to the Las Vegas Metropolitan Police Department. Both in-store point-of-sale keypads and gas-pump keypads were compromised in a number of locations in the city, police say. Law enforcement officials are still investigating complaints, but no arrests have been made.
In Rhode Island, the Coventry Police Department says that it had better luck catching keypad crooks. In February, with help from U.S. Secret Service agents, four suspects from California were arrested for having replaced checkout-lane keypads with the equivalent of electronic bugs. Investigators discovered bugs designed to steal customers' account information in keypads at Stop & Shop grocery stores in Bristol, Coventry, Cranston, Providence, and Warwick, Rhode Island, and in Seekonk, Massachusetts.
Subsequently, Coventry police, together with Rhode Island State Police, arrested the men when they returned to collect compromised keypads from affected stores, says detective Marcos Saenko, a member of the financial crimes unit of the Coventry police. The four suspects, all of whom are natives of Armenia, face two federal charges each: credit-card fraud and aggravated identity theft. Conviction on the first charge carries a penalty of up to five years in prison, while a finding of guilt on the second charge carries a mandatory two-year sentence.
Mari Frank, attorney and author of "Safeguard Your Identity," says that theft of customer data at the point of sale is one of the most dangerous security risks facing consumers. "If someone gets your financial information, your entire bank account can be wiped out," she says.
Unfortunately, protecting yourself isn't easy.
"There really isn't much anyone can do if the store has been compromised," says William Oettinger, who works with the Las Vegas Metropolitan Police Department and the Secret Service's electronic crimes task force.
Oettinger recommends vigilance in examining activity in your checking or credit card accounts as the best way to spot fraud. This means scrutinizing your credit card and checking account statements regularly. Often the amount skimmed from each victim's bank account is so small that the victim might easily overlook it. So don't limit your review of your accounts to major debits or charges. Beyond monitoring, authorities advise consumers to be wary of using any keypad that looks as though it may have been tampered with in any way.
Police in the city of Alameda, California, just outside San Francisco, are investigating compromised point-of-sale keypads in their city after receiving more than 100 complaints from people who shopped at a local Albertsons supermarket and subsequently reported that money was missing from their checking accounts. Authorities suspect that the thefts are related to similar criminal activity involving an Albertsons in San Lorenzo, California, several towns away.
A spokesperson for Save Mart Supermarkets, the company that owns the Albertsons stores in question, says that it has taken steps to prevent further fraud and has examined its stores' keypads to verify that they have not been tampered with. "At this time we have no suspects," says Charles White, assistant special agent in charge of the Secret Service office in San Francisco.
Meanwhile the Secret Service says that similar tactics have been used to steal financial information from consumers in Miami, Florida, and in Philadelphia, Pennsylvania.
Each scam follows the same basic pattern. Crooks target point-of-sale keypads at grocery and convenience stores. Police believe that scammers enter the store carrying the compromised keypad machine, which they have outfitted with a data capture device that records transaction data surreptitiously.
Authorities are tight-lipped about how the device works to capture transaction data. What is known is that the keypads have been tampered with. Inside a keypad device, extra equipment--described in one instance as a "circuit board"--has been installed. The keypad is then installed at the point-of-sale checkout aisle or counter.
The device doesn't interfere with transactions between the customer and the merchant, so the store can't catch the intrusion. Instead, the board sits inconspicuously in place, recording the data from each transaction on the fly until the person who planted it retrieves it. Scammers may create a diversion to swap the rigged device in or out while store employees are not looking.
That's what happened in Rhode Island, police say: The scammers visited one Stop & Shop grocery store at around 10:30 p.m. when only one cashier was on duty. Then, while one of the conspirators diverted the cashier with a request for help finding shampoo, the other went to a keypad in a closed checkout aisle and swapped out the keypad machine.
After removing the poisoned keypad, criminals extract the stolen data and create a phony credit or debit card that they use to make purchases and cash withdrawals far from where the theft took place, according to authorities.
"The merchants are never the wiser," says Sergeant Joe McNiff of the Alameda Police Department. There is no indication that anyone working for Albertsons or Stop & Shop knowingly participated in the breaches, according to authorities in California and Massachusetts. Las Vegas police, however, say that an insider may have helped set up the rigged keypad devices in their jurisdiction.
Companies need to get better at identifying vulnerabilities, says security expert Frank. Companies must protect not only transaction data, but physical equipment as well. "It doesn't matter how well you encrypt the data if you can't secure the machines that collect it," Frank says.