Although many details remain unclear, a security breach at a big supermarket chain in the Northeast bears some resemblance to a sophisticated rigging of point-of-sale equipment to capture PINs and other card data last year in Canada. Quincy, Mass.-based Stop & Shop Supermarket Cos., which has 385 stores in New England, New York, and New Jersey, reported over the weekend that it discovered last week that debit and credit card account numbers and PINs from cards used in early February at two Rhode Island stores had been stolen. In a release, the company cited PIN pads in one lane at the Coventry and Cranston stores as the source of the stolen data, and said fraudulent activity may be connected to cards used in those lanes.

Upon investigation, the company also found suspect activity at four more stores, in Providence, Bristol and Warwick, R.I., and Seekonk, Mass. A spokesperson tells Digital Transactions News that the company has no reports of fraudulent activity involving data from those stores.

According to a Monday story in the Boston Globe, PIN pads involved in the breach were removed, tampered with, and reinstalled. After discovering the tampering, Stop & Shop bolted down every PIN pad in all of its stores, the spokesperson says. A bank alerted Stop & Shop to card numbers linked to the Coventry and Cranston stores, the Globe said.

The company isn't commenting further today, citing an investigation that includes the U.S. Secret Service and local police. A Secret Service official did not return a Digital Transactions News call for comment. The names of Stop & Shop's card processors could not be immediately determined.

The Stop & Shop spokesperson emphasized that the company has not uncovered any evidence that company employees were involved in the theft. But the course of the investigation could reveal otherwise, some outside observers suspect.
“It sounded to me like an inside job; they [the data thieves] got access to these registers that are supposedly manned,” says Avivah Litan, a payment-technology analyst at Stamford, Conn.-based Gartner Inc. who closely follows security issues. “This is unusual because it requires inside access.”

The perpetrators may have exploited an inspection loophole in point-of-sale systems that was closed in the recent update of the Payment Card Industry (PCI) data security standards promulgated by the leading payment-card networks. Under the old PCI standards, POS equipment that did not run on an Internet Protocol (IP)-based operating system did not require an assessment for PCI compliance, says Scott Laliberte, IT risk group director at Protiviti Inc., a Chicago-based security firm and PCI auditor. The types of exempt systems included certain dial-up operations and those that relied on Novell Inc.'s IPX-based operating system, he says. In contrast, Microsoft and Unix operating systems are largely IP-based and were not exempt. Laliberte estimates about 20% of POS systems used by medium-sized or large merchants may have been exempt under the old rules. Under the upgrade, version 1.1, issued by the new PCI Security Standards Council LLC last September, the non-IP inspection exemption ended Dec. 31, except for a small number of systems with no Internet connectivity, including those with dial-up connections, he says.

Last summer, Canadian police arrested at least 10 people they said used rigged card terminals to intercept PINs as cardholders entered them at the point of sale, as part of a scheme in which they stole $4 million (Canadian) from 18,000 customer bank accounts (Digital Transactions News, June 21, 2006).
In what press accounts called one of the most technologically sophisticated cases of debit card fraud yet discovered, the suspects swapped their own card readers for those installed in some 42 retail locations in the Montreal area, then used Wi-Fi connections to send PINs and card numbers to a remote receiver. With that information, they were able to forge cards and loot the associated accounts through ATM withdrawals. Similar cases of tampering cropped up in other Canadian cities last year, as well.