Grocery chain Aldi Inc. has warned customers in 11 states that their payment card data may have been slurped up by point-of-sale terminals that were illegally planted by identity thieves. The tampered terminals were in use from June 1 to August 31 in an undisclosed number of stores, the company disclosed in a press release (PDF …
Only in the USA
Americans are funny, at what point were these terminals swapped? Where was the checkout guy, (probably eating a burger) and where was the CCTV?
Re: Only in the USA
You obviously missed a few reports on The Register over the last few years detailing the use of interception methods in UK, Canada and EU... Only in America? Far from it - Only in every place that greed thrives - i.e. everywhere!
easy to do in any big chain in any country
walk in wearing the right uniform, say "i'm here to upgrade your card readers mate", know exactly where to go, know the corporate lingo, and it's easy
all it needs is someone to work in an Aldi for a couple of weeks to learn the lingo, and see what company their till support contract is with
as a part-time university job I worked at mcdonalds, an engineer came to install a wifi access point for customer internet one evening when I was shift manager and I had a HELL of a time tracking down that he wasn't, in fact, some random dude trying it on (especially because I was short-staffed and had to leave him along in the back office by himself). The idea that someone would want to confirm an unannounced maintainance visit was almost unheard of
Yet another reason for one-time passwords. Will the banks never learn?
Why was this downvoted?
Who thought that the idea of a credit card number that is always the same, means that anyone who has it can get your money, and you have to give it to everyone to use it?
I'd suggest that the card contains a secret key that is used within the chip on the card to generate a transaction code, based on a code sent to it from the terminal. (The terminal could also be just a small independent battery powered device like a PINsentry).
Even if someone gets the transaction code, it is no use for another transaction.
re: Why was this downvoted?
Probably because people who work for banks read this site too.
At least one German bank I know of does issue one-time codes, if only for use with online money transfers/bill payments from your account. As of 5 years or so ago, they'd send out a list of the transaction codes in one of those envelopes PINs come in. Additionally, the default for issuing cards was to collect them from the branch. In general German banks give a much better impression of taking actual security seriously rather than treating it as another vehicle for making customers responsible for every loss.
This is why the banks are...
Banks have been brainwashing people into thinking that chip and pin is foolproof and the only way there could be problems is if you deliberately tell someone else your pin number, or if you don't cover your pin. They just refuse to accept that there could be dodgy terminals, or that it may be retrieved using some other special techniques. They come on the news when anything happens with chip and pin and say it is the customers' fault. They have deliberately refused to accept that there is a flaw in the system.
That being the whole point....
Chip and Pin provided two things: i) a light level of security to reduce casual card theft, and ii) a delightful opportunity to blame all other fraud on the customer! Ka-Ching! As I believe the banks put it.
We had 3 cards out of 3 cloned over 18 months in sarfend. At least one had pin access.
That's the actual purpose of C+P, to actually give the banks that exact get-out so they don't have to pay up under the terms of their contract with the customer. They know the customer almost never has the resources & tenacity to pursue the issue to a satisfactory conclusion thereby helping ensure the flow of money is more from customer to bank than the reverse.
I thought everyone knew that??
Not this one again...
I wish people would stop trotting this old conspiracy theory out again and again:
In the UK (I realise this story is about the US) the burden of proof is on the Bank to show that the customer has been fraudulent, not for the customer to prove that they weren't. This is written into law.
C&P is therefore most certainly not about the banks moving blame to their customers, it's about security. You can't possibly argue that C&P is worse than magstripe, can you?
But might not C&P...
...actually give the banks the exact proof they need to say, "The customer must've done it. There's proof of the chip, and the PINs match up."?
Pin Pads use internal DES encription
Pin pads, those customer operated devices, use DES encryption so once the Enter button is hit, the data block is transmitted encrypted to the processing network.
This is the reason these devices have to be photographed as tapping the connecting cord is ineffective.
Sure sounds like an inside job!
Sure about that?
> Pin pads, those customer operated devices, use DES encryption
*Legitimate* ones do. What about tampered ones?
The biggest flaw in this security model is that it requires the pin pad to be a trusted item. If that trust is broken, there is no more security...
> Sure sounds like an inside job!
Sounds like a crime committed by someone with physical access to the devices. Once again, impersonating a service engineer is the way to break in :-(
Although on the first roll out....
The story I heard about an early roll out of terminals, for one of the petrol stations, was that the shipment of terminals got "misplaced" and then re-found in the warehouse. In between times they had been hacked to log/transmit the data before encryption. Neat. And of course loads of bankers (I think that sounds right) going "well you must have told someone"...
Now that might be an urban legend, or it might be true.
Encryption, What encryption?
The data isnt encrypted inside the terminal (physically) and along the wire to the POS terminal.
There has been cases of PS2 keyloggers being installed and logging in cleartext.
Cameras and overlays are not used in this type of attack
If the terminal is owned by the bad guys (they replace the real terminal with one of their own devising), it reads the PINs from the keypad and the card numbers from the stripes, then sends that data home.
No cameras or overlays are used to collect the PINs - those are mostly only used in attacks at ATMs, not attacks at shop terminals.
A very similar technique has been used in the UK, often at petrol stations, where the card numbers are collected from the chips and the PINS are collected from the keypad.
However that isn't enough to get money or goods in the UK, where chips are usually needed, so the combination of PIN and card number is typically used in countries abroad where chip readers are not used.
@Cameras and overlays are ...
Quote: " it reads the PINs from the keypad and ..."
Sorry, I was a production manager in a Pin-Pad / Terminal manufacturer moons ago and even then the specifications required PIN data to be passed encrypted through to the card processor where the decryption was applied. This is why crooks find it necessary to use optical devices to read pad entries by customers.
Swapping PinPads between terminals (or cash registers) or with replacements has to be coordinated with the card processor as the DES changed with each transaction. We used special software for testing the Pads before they were 'injected' with the initialisation DES combo that was immediately replaced by the bank computers when the Pads were placed in service.
Pads used with 3rd party terminals, such as IBM, were no different to any other Pad as the data flowed through without modification.
@Cameras and overlays are ...
You miss the point - in this type of attack the pinpad is replaced by the bad guys with a fake. It's straightforward for them to collect the PIN from *their* pad, and the card number from *their* reader, long before they get encrypted.
If they wanted to, they could get *their* pinpad/terminal to tell them the 3-DES key in use.
They may occasionally do that in the US so they can get the data from the line, but in UK retail transactions PINs aren't sent to the card processor (they are verified offline by the terminal).
Bad day with the calculator
June 1 - August 31 is 3 months :D
How can they not know if all of the tampered terminals have been removed?
checksum... the attack is usually in the eeprom... and replacing every reader and checking it also helps
Replacing every unit wholesale would be a start, provided it was from a different place than that which supplied the faulty units.
But you can't always trust checksums. Smart crooks may find ways to tweak their code to produce simple checksum collisions. Now, if the code has tougher or multiple signing, that may be a more difficult nut to crack.
Or you can just sniff the card interface
.. as the VERIFY PIN command includes the actual PIN in cleartext!
Very easily done at Aldis in the US...
The way these stores operate? When I shop there, most of the times the checkouts are all closed. One has a doorbell kinda thing, which you have to press so that the manager/assistant-manager/checkout-lady/bagger person who's probably stocking the aisles with new stuff (out of sight from the checkout / pin terminals) knows that someone wants to check out.
These box stores are not very busy, at least the ones i've been to. Although they have 4 checkout counters, normally one can be operated to serve all customers at one time.
So yeah, plenty of time to quickly unhook the existing reader, replace it with a new one, or place some sort of additional reader thingy in there.
I enjoy reading articles like this as it helps address fellow businesses in regards to "do I need pci scanning"?
We have a card industry that's ran like a mob controlled wholly by visa/mc and they allow this kind of stuff to go on. Why not say enoughs enough here and if you have a issue like this your no longer able to process cards?
Wouldn't that help encourage these businesses to be more responsible? Why does it appear as if customer data is worthless and simply buying people a few years of credit monitoring is enough for their screw-ups?
Keep letting big business screw around like this all the while small business is being forced into paying for pci scanning all because of a problem the card industry creates and one they also have a solution for.
Each affected person should sue whatever card it is be it visa, mastercard, discover etc..
Sue the source, until they start to pay for what they are allowing to go on this kind of thing will never end. They get money for basically doing nothing except marketing now-a-days.
Could me a large number of people hit.
"Presumably, those responsible would have had to travel to each store to physically plant the hardware used to siphon personal identification numbers, card numbers and names."
No, I expect the terminals were modified before they were shipped to the store. Some place between where they were made (likely China) and final distribution. The same thing was reported in the UK some time ago.
The skimming terminals were active for months, they could have collected a lot of card details before they started using them (and the scam was detected).
Smacks of an inside job.
Either with the technicos (since they'd be legally-contracted blokes, no one would suspect them) or with the manufacturers.
You get more at Aldi
More than you bargain for, anyway....
aldi UK staff
are nice folks but I have only met two that were brits - the rest were germans, young students or older poles doing hard, low paid work. Given the lack of security in thier stores and low staff counts, it would be an ideal target for a machine "switch".
FWIICR, I think lidl would be more or a target as unlike aldi only accept debit (not credit) cards and banks dont refund debit transactions in the UK. So the next time you are asked "cash or card" in one of these stores, stick to cash!
Debit card refunds
> banks dont refund debit transactions in the UK.
"banks dont refund debit transactions in the UK"
i've had them refunded after my card was lost and used after it was cancelled before
then again, that was in the days of switch, and was covered by some inter-bank guarentee... now it's visa debit / maestro (mastercard) debit, who knows....
You sure about that? my local Aldi doesn't take cc's.
Lidl also only do debits...
I think its a german, budget store thing. With tight margins Lidl don't take credit cards either. Aldi probably viewed as the more "up market target" or simply has the larger US presence.
I think you need to check with your bank.
My Lloyds Visa Debit card has been refunded before due to fraudulent transactions both by an illegitimate retailer (Esso Petrol Station) and online services (random Cypriot website). Both times it was done without fuss and money was refunded instantly to my account while the dispute was resolved.
Provided you have a good history with your card then there isn't a problem. I never use my Lloyds card for online transactions which look less than secure (I have a crappy second account for that) and I rarely use it outside of major retailers. But I hardly ever use cash.
AFAIK Visa Debit Cards (former Delta cards) are now subject to all the same rules as Visa Credit Cards which is why they can be used in all the same places including in car hire facilities which normally only take Visa CC. I can't say the same for Electron however as even though they are now branded as plain vanilla Visa they still come with several restrictions on their use.
Incredibly easy to do at any store
The first key to pulling this off is realizing that most store staff rarely, if ever, care to know who their customers and vendors are, and cannot identify who may be trying to compromise their systems. I work as a freelance merchandiser and auditor for several different companies. Often times I work for these separate companies at the same store within days of each other. The store staff rarely, if ever, recognize me, even though I live three miles from the store and shop there a few times a week.
The second key is to look like you know what you're doing. When I was working for a company that needed to advertise a big event but didn't have the budget to do so, I once went to every newspaper box and news stand in three towns slipping an advertisement into the daily newspaper. This would have cost thousands of dollars to do if they had paid the newspaper. Instead I spent $20 in quarters to access the news boxes, and nothing to go into stores and news stands to insert the advertisements in the early morning hours, just moments after the newspaper carriers delivered them. If anybody asked me what I'm doing, I told them that the newspaper forgot to include a huge advertisement for a client and I had to go back behind them and fix them. Nobody ever questioned me, nobody ever asked me for ID, nobody ever called the newspaper to verify it.
The third thing is to actually appear to be who you are. When I am a merchandiser, I always wear a nice short-sleeve button-down shirt, a tie, and clip-on name badge etc. I look like I'm representing the client, I go to the front desk and I sign into the vendor log (and often get a peek at what other vendors are coming in and out of the store, at what hours, and how often). When I was impersonating the newspaper carrier, I dressed and acted the part - warm clothing that was slightly worn so I looked like I didn't care if I got news ink on them, slightly rotten attitude because I'm up so early in the morning working, etc.
So I could see these scammers easily working this over. All they would have to do is look like a hardware tech, show up at the store, sign into the vendor log and get to work. If anybody questioned them, they just explain that they're from XYZ company and are here to do upgrades on equipment, convince staff it will only take a few minutes, and then get right to work. Name badges, company cards, even a faked letter of authorization in case some real hard-ass manager questioned anything. I'm sure in nearly every case, few people if any questioned what was going on. Because one assumed the role and demonstrated they knew what they were doing, store staff blindly trusted them. And, in truth, most likely the store staff was either too busy working to notice, or too busy goofing off to care.
stick to cash
It is my favourite near field payment method, and if you move your hands carefully it can be contactless too!!!
Folk need to learn
... That banks cannot be trusted, and you DON'T need a bank account to live!
Where does your pay/benefits go?
Where does your mortgage get paid from?
If I were attempting this...
I reckon sending a new terminal direct to the store with a note from the bank would probably do the job, perhaps an advisory faked email two weeks before...
Surely I'm not the only one
My first thought with this story is that the crooks are clearly fools.
Why target a discount store - a store whose customers, almost by definition, have very limited funds available.
The card details for this type of person a surely less valuable than if they had (for example) done the same trick in harrod's or tiffany's or some similarly over-expensive store.
You also have to consider that people with limited funds tend to keep an eye on their bank account more and so will notice any unauthorised activity far more quickly.
I'm guessing that...
...targetting the lower end of the retail world would be a bit easier than anywhere that sells high-value goods. Just try walking past a high-status store, let alone actually daring to pass over the threshold, let alone trying to then pass yourself off as someone with authorisation to swap out a PIN terminal, and see how much attention you get paid by the staff within.
On top of the increased levels of suspicion amongst the store staff, you also have fewer stores to target, which means fewer opportunities to get your hacked terminals into the wild, and you also have a lower volume of transactions per terminal per store, which means fewer unique card details to capture.
Whilst you're at it, NEVER pay for petrol with card, credit or debit cards (ESPECIALLY debit cards)!
Been skimmed twice now and cards were only used in petrol stations immediately prior to event(s).
Fortunately, the credit card comps paid up on both occasions, but it was still a PITA to do all the paperwork, new cards, pins etc.
Well there have been examples of chip and pin terminals having extra hardware fitted that intercepts the key presses before they get to the logic board and then send all the information off by GSM.
These terminals had the spy units fitted at either the chinese factory or on route, the only way to tell was to dismantle the new units or weigh them.
Could the scale of this issue be down to a similar operation?
There are 2 types of card reader in common use in the UK
There are 2 types of card reader in common use in the UK... one where you slide your card face-up in the bottom, the other where it goes in at right angles at the top.
The ones where it goes face up in the bottom have all the internal components soldiered to the circuit board. The others have the PIN keypad and Chip reader connected by flat ribbon cables... the seperate keypad and card reader both send their data to the circuit board unencrypted.
The latter is well know to be easily hackable, by opening it up and sliding a second connector into each connector. It takes about 30 seconds to fit, and is the reason you see most of them have security stickers sealing them. The kits have been on sale online for over a year... it's been well covered on the reg.
- Updated + vids WHOA: Get a load of Asteroid DX110 JUST MISSING planet EARTH
- Very fabric of space-time RIPPED apart in latest Hubble pic
- 10 years of Facebook Inside Facebook's engineering labs: Hardware heaven, HP hell – PICTURES
- Dell charges £16 TO INSTALL FIREFOX on PCs – Mozilla is miffed
- Google! and! Facebook! IDs! face! Yahoo! login! BAN!