A US retailer, Stop & Shop Supermarket Companies, is warning customers at three of its Rhode Island stores and one of its Massachusetts stores of a potential compromise of their payment card data.
The warning comes after the company discovered that chip and PIN pads used by customers to swipe credit and debit cards to pay for purchases had been tampered with at those locations. As a result of the tampering, account and PIN numbers associated with some credit and debit cards were stolen earlier this month, the company said in a statement.
Since the discovery, Stop & Shop said it has taken measures to reduce the risk of something similar happening again. All Electronic Funds Transfer (EFT) devices, as the terminals are officially known, have been physically secured "to prevent further tampering," the company said. It did not offer any details about what steps it has taken.
Stop & Shop did not provide details on how exactly the EFT devices were tampered with. Typically, attacks against EFT devices and ATMs involve "skimming" techniques aimed at stealing card data and PIN numbers when a card is swiped through a reader. Illegal card readers, either attached to or placed over a genuine reader, intercept and record magnetic card data. The data is then used to create counterfeit cards.
According to Stop & Shop, there is no evidence to date that the stolen data has been misused. The company noted that an internal investigation found no signs that an insider was responsible for the tampering.
Avivah Litan, a Gartner analyst, said that it is hard to understand how a point-of-sale device such as an EFT could have been modified without some sort of insider involvement. "Somebody had to have had access to the readers," she said. "These are devices that are sitting at the cash register. It is not easy to tamper with them."
Tampering with card readers is a growing problem, Litan said. But in most cases, such tampering involves ATM machines and card readers at petrol pumps. "This is the first time I've heard of something like this," she said.
A spokesperson with Stop & Shop could not be reached for comment.
The Stop & Shop incident, however, comes only a month after UK researchers supposedly hacked a tamper-proof Chip and PIN terminal to allow it to play Tetris.
Steven Murdoch and Saar Drimer posted their proof-of-concept results in a video on YouTube in early January. The video highlighted wider EFT security concerns, as the researchers had opened up the terminal and replaced most of its internal electronics.
The attack made physically modifying terminals for more malicious, financially motivated purposes appear technically possible.
Additional reporting by Miya Knights