Quincy, Massachusetts-based Stop & Shop Supermarkets reports that several of its stores have been hit by thieves who tampered with checkout-lane card readers in order to steal shoppers' information.
A bank notified Stop & Shop management that fraudulent purchases had been made using data from cards that had been used for shopping at stores in Coventry, Rhode Island and Cranston, Rhode Island.
Stop & Shop executives investigated and found that the keypads shoppers use to submit PIN-based transactions had been broken into, tampered with, and then reinstalled.
Stop & Shop called in the U.S. Secret Service to help with the investigation, and found tampered keypads at four additional stores throughout Rhode Island. The bank which had found the fraudulent purchases was not identified.
The stolen data included customer PINs (Personal Identification Numbers). The thieves had altered the PIN readers to steal the data. Stop & Shop stated that it had since "bolted down" PIN keypads to prevent any further breaches.
Stop & Shop posted a notice providing information about the breach on the company's Web site.
The supermarket retailer claimed it had "internal and external experts to assist us with immediate measures to prevent future fraudulent activity in our stores," and had taken "immediate steps to ensure our units are physically secure to prevent further tampering. We believe these steps will protect the security of our payment network and the privacy of our customers using credit and debit cards going forward."
Chip & PIN
Another Massachusetts-based business, TJX Inc., is still reeling from a massive breach of credit and debit card data that it had been collecting without sufficient protection.
Hackers and criminal rings continue to get more sophisticated and dangerous in their schemes to steal personal information. Because identity theft and fraud are so hard to track, and the penalties relatively minor, criminal gangs use identity theft and fraud to fund other enterprises, such as methamphetamine dealing.
Overall debit card fraud is on the rise in the U.S., as the debit card rapidly takes the place of cash, checks, or credit cards as the chief means by which consumers make purchases.
The banking industry lost $546 million in debit card fraud in 2004, $8 million of which came from PIN-based transactions.
However, Americans withdraw over $1 trillion from ATMs per year, making the overall loss relatively minimal from the banks' standpoint.
Banks and retailers in Europe and the U.K. are moving towards adding another layer of security to plastic transactions, wherein debit and credit cards contain a computer chip that is linked to the PIN.
Called "chip and PIN" for short, the newer technology is purported to reduce fraud and make it harder for thieves to purloin card numbers and make purchases without having the actual card in their possession.
U.K. payments association APACS recently touted statistics indicating that 97 percent of the U.K.'s 142 million payment cards are now equipped with chip and PIN technology, and that "face-to-face" physical fraud at U.K. retailers had dropped by 73 percent from January to June 2005, from 73.2 million to 42.1 million.
Although critics and security researchers are claiming that chip and PIN isn't perfect, a poll conducted by credit bureau Equifax found that 68 percent of Britons polled thought the technology was "safe."
The United States is lagging behind Europe in the race to upgrade ATM systems and improve security, due to the cost of fixing and replacing the many components in the vast payment-processing network.
As other countries make their retail data security tamper-proof, identity thieves and hackers may target U.S. businesses in even greater numbers, sensing that lax business practices are spilling blood in the proverbial water.