Aldi data breach shows payment terminal holes
Thieves hit point-of-sale terminals in Aldi grocery stores in 11 states
Computerworld - A debit card breach disclosed late last week by discount grocer Aldi Inc. shows how hardware hacks are starting to pose as much of a threat to payment card data as software-based attacks.
Batavia, Ill.-based Aldi, which operates 1,100 stores in 31 states, disclosed on Oct. 1 that hackers tampered with payment terminals at stores in 11 states from June to August.
The hackers gained access to various debit card data, such as name, account data and personal identification numbers (PINs) of an undisclosed number of customers, the company said.
So far, officials said that hacked terminals were discovered at Aldi stores in Connecticut, Georgia, Illinois, Indiana, Maryland, New Jersey, New York, North Carolina, Pennsylvania, South Carolina, and Virginia. All the hacked terminals have been replaced, the company said.
More than 1,000 Aldi shoppers in the Chicago area and from Indianopolis have already reported fraudulent activities related to breaches at Aldi stores. There have been similar reports in other states as well. Analysts estimate that there could be some tens of thousands victims.
Analysts said the number of payment terminals and the widespread area affected by the Aldi breach makes it unusual. It comes at a time of growing concerns about the security of payment terminals.
Typically, payment terminal breaches are localized because hackers must physically access each device to manually tweak or replace the internal electronics.
The geographic breadth of the Aldi attack suggests intricate planning, said Jim Huguelet, a Sugar Grove, Ill.-based consultant, who advises clients on payment security issues. "It looks like this was the work of a network of criminals who went into stores and somehow distracted store personnel long enough to take out PIN pads and swap them out with retrofitted devices" designed to steal payment data, he said.
The theft of the PIN data suggests that the crooks most likely used a transparent overlay of some type so that that customer PIN numbers could be captured before it was encrypted, Huguelet said. It is also more than likely that the rogue PIN pads allowed the attackers to capture payment card data wirelessly from within the store itself or from a nearby location such as a parking lot.
The tampering likely occurred over a period of several months, he said.
Colin Sheppard, director of incident response at Trustwave, which provides security auditing services to large retailers, said that such attacks against U.S. retailers have grown over the past couple of years, as criminals are finding the tactic a relatively easy way to obtain magnetic stripe and PIN data.
Also driving the trend is the easy and growing availability of sophisticated counterfeit payment terminal kits designed for use in such schemes he said. Many of the rogue kits are offer virtually the same appearance and functionality as terminals used in stores. The rogue devices also support Bluetooth and GSM to enable quick, wireless transfer of stolen payment card data, he said.
"There are certainly rings of fraudsters, largely from Eastern Europe, that are descending on the streets of America, literally traveling up and down highways and inserting skimming devices on ATM machines," said Avivah Litan, an analyst with Gartner. "So I can certainly believe that these same types of fraudsters are organized to attack multiple stores in multiple states simultaneously."
In Aldi's case, the scheme likely started with the theft of just one point of sale device, she said, "They figured out how it worked, how to tamper with it and how to steal the PINs," she added. The next step was to hire people to take part in the mass attacks, Litan said.
"I'd expect to see more of this type of attack in the coming year," she said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His e-mail address is firstname.lastname@example.org.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts