Safeway Stores Have Been Hit By Card Skimming Attacks

Illustration for article titled Safeway Stores Have Been Hit By Card Skimming Attacks

If you’ve shopped at Safeway in California or Colorado recently, you may want to check your bank accounts. The supermarket chain has admitted that it’s investigating card skimming attacks at several of its stores in those states.


Krebs on Security reports that financial institutions are investigating a series of attacks that seem to have taken advantage of compromised credit card terminals in Safeway stores. So far, it appears that specific lanes were targeted in stores, though currently Safeway hasn’t announced which of its branches were affected. Krebs does, however, point out that his sources tell him the attacks seem to be linked to Arvada, Conifer, Denver, Englewood, Lakewood, Castro Valley, and Menlo Park.

Perhaps more worrying is the fact that the scam may not be isolated to the supermarket chain. A Safeway spokesperson called Brian Dowling told Krebs that “this is not unique to our company, and we understand some other retailers may have been more significantly impacted.” It’s unclear which retailers he’s referring to, though it is thought that the attacks may have been occurring since early September.

While it’s unclear how the attacks may have taken place, the processes involved must have been elaborate. To obtain card data and PINs, the criminals must have had physical access to the machines at some point. Indeed, Krebs speculates that “skimming incidents involving checkout lanes in retail locations generally involve someone on the inside at the affected retailer.”

In the meantime, the advice remains the same: be wary of suspicious looking pay points, pay using credit card where you can, and alert your bank as soon as you notice any unauthorized activity on your accounts.

[Krebs on Security]

Image by Thomas Hawk under Creative Commons license



This sounds crazy and not possible at the same time. I can tell you for certain that those credit card pin pads are tamper proof, and have several layers of security built into them.

Credit card pin pads are designed in a manner that if you open them up, or in some cases if you simply remove screws from them they just stop working. They’ll display temper detected messages on the screen and no longer process credit cards. Some credit card terminals are so sensitive that if you drop them or bump them too hard they false hit for tampering and stop working. There is little chance that someone could open them up and tinker with them.

Another layer of security built into these devices is that they are all ‘encrypted’ based on the credit card processor. You could not take a credit card terminal from safeway down the street and plug it in at walmart because the encryption is different. Not to mention the way the screen files are programmed will be different as well. All of those buttons you have to press to confirm amount and do cashback and all that stuff, it’s often specific to that specific store. Different point of sale software use different screen files.

If someone really did tinker with these hardware pin pads then it has to be someone at the credit card company or possibly a distributor, the point of sale company, or maybe even a repair company. These are the only people who would have access to ‘reseal’ the devices after a tamper detect message has been displayed.

There is no way a common crook, or even genius level crook would be able to tamper with these pin pads. If this article is accurate, this is an inside job.