A victim of the recent Sam's Club security breach suggested that fraudsters may have stolen credit card information by using illegal "card-skimming" devices attached to the pumps at the company's gas stations. The fraudulent activity may also have been going on for a longer period than that suggested by the wholesale giant, and it may affect thousands of people (see "Update: Security breach at Sam's Club exposes credit card data").
Sam's Club, a division of Bentonville, Ark.-based Wal-Mart Stores Inc., said in a brief Dec. 2 statement that it was investigating a security breach that had exposed the credit card data of an unspecified number of customers who bought fuel at its gas stations between Sept. 21 and Oct. 2. The company said it was alerted to the problem by credit card issuers whose customers were complaining of fraudulent charges on their statements.
Apart from saying that "electronic systems and databases used inside its stores" were not involved, Sam's Club officials have refused to disclose what happened. They have not returned repeated telephone calls for comment.
The breach prompted the Alabama Credit Union (ACU) to block and reissue debit cards to about 500 of its customers after it learned of the problem last week. The ACU was alerted to the breach by Credit Union National Association Inc., according to Kayce Bell, chief operating officer at the Tuscaloosa, Ala.-based credit union.
The fact that one institution alone had to block so many cards suggests that the breach may have affected a lot more than the 600 or so victims Sam's Club said it knows about, said Avivah Litan, an analyst at Gartner Inc. in Stamford, Conn.
In fact, ACU President Steve Swofford, in comments posted on the credit union's Web site, said that the breach affects "many, many cardholders, card issuers and financial institutions.
"We are certain, in the coming days, more card issuers and financial institutions will be contacting their cardholders to take similar action to prevent fraudulent transactions from occurring," Swofford said. "We're aware of at least one large financial institution in Alabama that has more than 4,000 cards affected, but they have made no public announcement yet.
Dan Zerkle, an employee at a large California software company who was a victim of the breach, told Computerworld via e-mail today that he believes thieves got his data by placing their own counterfeit card reader over the regular credit card reader on the gas pump. "I remember the credit card reader looking different," he said. "Unfortunately, I realized what this meant after I discovered the fraudulent charges."
Zerkle said he suspects his card information was stolen from the gas station at a Sam's Club store in Roseville, Calif., on either Nov. 2 or Nov. 17 -- more than a month after Sam's Club said the breaches took place -- and was used to make fraudulent purchases on Nov. 21. "[The] thieves bought some jewelry at a shop in Sweden with a fake card that had my number on it," he said.
Although the activity drained his checking account, Zerkle said he has since been reimbursed for the fraudulent charges by his bank, Wells Fargo & Co. After realizing that the theft had occurred, Zerkle said he spoke filed a report with local police, and spoke with U.S. Secret Service agents and an automated teller machine fraud investigator at Wells Fargo.
If card skimmers were used to steal credit card data, Sam's Club is only the latest victim of an increasingly prevalent form of credit card fraud. "Gas-pump skimming has become the largest fraud problem for a lot of card issuers," Litan said.
Illegal card-reading devices are increasingly being used to intercept and record data stored on magnetic strips on credit cards when people use the cards to buy gas, Litan said. The skimming devices, which have very small footprints, are sometimes linked to the internal wiring of gas pumps; at other times, they are placed externally on top of the regular card readers, where they are hard to notice, she said.
Getting internal access to multiple gas pumps is often not hard because one key can sometimes be used to open numerous pumps made by the same manufacturer, Litan said. "All you need is one disgruntled employee" to compromise a number of systems, she said.