A debit card breach disclosed late last week by discount grocer Aldi Inc. shows how hardware hacks are starting to pose as much of a threat to payment card data as software-based attacks.
Batavia, Ill.-based Aldi, which operates 1,100 stores in 31 states, disclosed on Oct. 1 that hackers tampered with payment terminals at stores in 11 states from June to August.
The hackers gained access to various debit card data, such as name, account data and personal identification numbers (PINs) of an undisclosed number of customers, the company said.
So far, officials said that hacked terminals were discovered at Aldi stores in Connecticut, Georgia, Illinois, Indiana, Maryland, New Jersey, New York, North Carolina, Pennsylvania, South Carolina, and Virginia. All the hacked terminals have been replaced, the company said.
More than 1,000 Aldi shoppers in the Chicago area and from Indianopolis have already reported fraudulent activities related to breaches at Aldi stores. There have been similar reports in other states as well. Analysts estimate that there could be some tens of thousands victims.
Analysts said the number of payment terminals and the widespread area affected by the Aldi breach makes it unusual. It comes at a time of growing concerns about the security of payment terminals.
Typically, payment terminal breaches are localized because hackers must physically access each device to manually tweak or replace the internal electronics.
The geographic breadth of the Aldi attack suggests intricate planning, said Jim Huguelet, a Sugar Grove, Ill.-based consultant, who advises clients on payment security issues. "It looks like this was the work of a network of criminals who went into stores and somehow distracted store personnel long enough to take out PIN pads and swap them out with retrofitted devices" designed to steal payment data, he said.
The theft of the PIN data suggests that the crooks most likely used a transparent overlay of some type so that that customer PIN numbers could be captured before it was encrypted, Huguelet said. It is also more than likely that the rogue PIN pads allowed the attackers to capture payment card data wirelessly from within the store itself or from a nearby location such as a parking lot.
The tampering likely occurred over a period of several months, he said.
Colin Sheppard, director of incident response at Trustwave, which provides security auditing services to large retailers, said that such attacks against U.S. retailers have grown over the past couple of years, as criminals are finding the tactic a relatively easy way to obtain magnetic stripe and PIN data.
Also driving the trend is the easy and growing availability of sophisticated counterfeit payment terminal kits designed for use in such schemes he said. Many of the rogue kits are offer virtually the same appearance and functionality as terminals used in stores. The rogue devices also support Bluetooth and GSM to enable quick, wireless transfer of stolen payment card data, he said.
"There are certainly rings of fraudsters, largely from Eastern Europe, that are descending on the streets of America, literally traveling up and down highways and inserting skimming devices on ATM machines," said Avivah Litan, an analyst with Gartner. "So I can certainly believe that these same types of fraudsters are organized to attack multiple stores in multiple states simultaneously."
In Aldi's case, the scheme likely started with the theft of just one point of sale device, she said, "They figured out how it worked, how to tamper with it and how to steal the PINs," she added. The next step was to hire people to take part in the mass attacks, Litan said.
"I'd expect to see more of this type of attack in the coming year," she said.