Aldi data breach shows payment terminal holes
Thieves hit point-of-sale terminals in Aldi grocery stores in 11 states
Computerworld - A debit card breach disclosed late last week by discount grocer Aldi Inc. shows how hardware hacks are starting to pose as much of a threat to payment card data as software-based attacks.
Batavia, Ill.-based Aldi, which operates 1,100 stores in 31 states, disclosed on Oct. 1 that hackers tampered with payment terminals at stores in 11 states from June to August.
The hackers gained access to various debit card data, such as name, account data and personal identification numbers (PINs) of an undisclosed number of customers, the company said.
So far, officials said that hacked terminals were discovered at Aldi stores in Connecticut, Georgia, Illinois, Indiana, Maryland, New Jersey, New York, North Carolina, Pennsylvania, South Carolina, and Virginia. All the hacked terminals have been replaced, the company said.
More than 1,000 Aldi shoppers in the Chicago area and from Indianopolis have already reported fraudulent activities related to breaches at Aldi stores. There have been similar reports in other states as well. Analysts estimate that there could be some tens of thousands victims.
Analysts said the number of payment terminals and the widespread area affected by the Aldi breach makes it unusual. It comes at a time of growing concerns about the security of payment terminals.
Typically, payment terminal breaches are localized because hackers must physically access each device to manually tweak or replace the internal electronics.
The geographic breadth of the Aldi attack suggests intricate planning, said Jim Huguelet, a Sugar Grove, Ill.-based consultant, who advises clients on payment security issues. "It looks like this was the work of a network of criminals who went into stores and somehow distracted store personnel long enough to take out PIN pads and swap them out with retrofitted devices" designed to steal payment data, he said.
The theft of the PIN data suggests that the crooks most likely used a transparent overlay of some type so that that customer PIN numbers could be captured before it was encrypted, Huguelet said. It is also more than likely that the rogue PIN pads allowed the attackers to capture payment card data wirelessly from within the store itself or from a nearby location such as a parking lot.
The tampering likely occurred over a period of several months, he said.
Colin Sheppard, director of incident response at Trustwave, which provides security auditing services to large retailers, said that such attacks against U.S. retailers have grown over the past couple of years, as criminals are finding the tactic a relatively easy way to obtain magnetic stripe and PIN data.
Also driving the trend is the easy and growing availability of sophisticated counterfeit payment terminal kits designed for use in such schemes he said. Many of the rogue kits are offer virtually the same appearance and functionality as terminals used in stores. The rogue devices also support Bluetooth and GSM to enable quick, wireless transfer of stolen payment card data, he said.
"There are certainly rings of fraudsters, largely from Eastern Europe, that are descending on the streets of America, literally traveling up and down highways and inserting skimming devices on ATM machines," said Avivah Litan, an analyst with Gartner. "So I can certainly believe that these same types of fraudsters are organized to attack multiple stores in multiple states simultaneously."
In Aldi's case, the scheme likely started with the theft of just one point of sale device, she said, "They figured out how it worked, how to tamper with it and how to steal the PINs," she added. The next step was to hire people to take part in the mass attacks, Litan said.
"I'd expect to see more of this type of attack in the coming year," she said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His e-mail address is firstname.lastname@example.org.
Read more about Security in Computerworld's Security Topic Center.
- The Truth About Cloud Security "Security" is the number one issue holding business leaders back from the cloud. But does the reality match the perception?
- Enable secure remote access to 3D data without sacrificing visual perfomance Design and manufacturing companies must adapt quickly to the demands of an increasingly global and competitive economy. To speed time to market for...
- Virtually Delivered High Performance 3D Graphics "A picture is worth a thousand words." That old phrase is as true today as it ever was. Pictures (i.e., those with heavy...
- Best Practices for Securing Hadoop Historically, Apache Hadoop has provided limited security capabilities. To protect sensitive data being stored and analyzed in Hadoop, security architects should use a...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!