Skim Scam: Did Aldi Invite 11-State Coordinated Attacks?

When a gang of thieves physically tampers with point-of-sale systems, the tampering is usually a local operation. But that may be changing. Discount grocer Aldi said Friday (Oct. 1) that it has found tampered payment-card readers in stores in 11 states, spread from the east coast to Illinois. The retailer said the tampering was only in a limited number of its 1,100 U.S. stores, and all those stores were clustered near 10 cities—but the stolen data is being cashed out thousands of miles away.

That's reason to worry. Physical tampering with PIN pads is typically local because it's labor intensive. Thieves have to physically modify or replace the card terminals, which is why hacked terminals are usually found in a local cluster. This time there are clusters, all right—10 of them, stretching from Illinois to Georgia. Meanwhile, part of what made this $70 billion global grocery chain so successful—both in terms of European shoppers and fiscal profitability—could be playing a key role in making it a cyberthief target today: The scarcity of store employees.

The 10 areas hit with tampering were Chicago; Indianapolis; Pittsburgh; Philadelphia (including stores in New Jersey); Atlanta; Washington, D.C. (including stores in Virginia and Maryland); Rochester, N.Y.; Hartford, Conn.; Raleigh, N.C; and Charlotte. N.C. The retailer won't say exactly how many stores got the tampered devices, but a spokesperson said that they were found in only a "limited number" of stores, and they were probably placed there during June, July and August.

By September, the thieves started using the stolen data. Customers of a single suburban Chicago Aldi store reported $130,000 in fraudulent ATM withdrawals using their debit card information, according to the Chicago Tribune. Local police said most of the ATM withdrawals were made in southern California, in amounts ranging from $100 to $900, although some withdrawals were also made at ATMs in Ohio and in the Chicago area.

Aldi said that the chain has examined card readers at every U.S. store, removed suspect readers and tightened security.

It's not hard to guess why Aldi was targeted. "Have you even been in an Aldi store? There are almost no employees," said payment systems specialist Andy Orrock, COO of On-Line Strategies.

The chain's stores, which are all in the eastern half of the U.S., are the very definition of "no frills," and staffing is minimal. That makes it much easier for a thief to steal a PIN pad from an unattended checkout lane, or to swap in a PIN pad that's been outfitted with a skimmer, Orrock said.

And because Aldi only accepts debit cards, not credit cards, at most stores, the card information collected by a skimmer (complete with PIN) would give direct access to a customer's bank account.Still, if hacked card readers had been installed in one Aldi store, or in a group of stores spread around a single city, it would be unremarkable. But over the summer, it happened in 10 urban areas&#8212and all the cases appear to be related.

Look at those cities on a map, and the striking thing is that they're so spread out. How could one gang of cyberthieves hit that many stores in that many areas at once, swapping the skimmer-equipped PIN pads in and out to collect card information?

Maybe they didn't. It may be that this really was a summer road trip by one set of thieves. It could be a simple enough process: Steal PIN pads from a few Aldi stores. Install skimmers in them. Distribute them to stores spread across a city and its suburbs. Wait a day or so, then swap the original PIN pads back in the stores, collect the card information and head for the next city on your list to repeat the routine.

If the thieves waited until their trip was done before using the stolen card information, they might have spent weeks collecting it without getting caught. That would explain why the money started being taken from ATMs suddenly—and thousands of miles from the tampered card readers.

These kind of physical attacks should be much less common than they are, and they would be that much less common if retailers were more meticulous about reviewing their network activity logs, said QSA-and StorefrontBacktalk PCI Columnist-Walter Conway. "There should be huge red flags in the logs if anyone disconnects a terminal. That should immediately trigger an alert," he said.

If the thieves are especially brazen-and come prepared with vision-blocking props and a couple of accomplices skilled at distracting an employee-they might be able to attack the machine without actually disconnecting it from the network. "Done properly, it should only take 5 to 10 minutes and probably closer to five," Conway said. "You solder a couple of wires and you put the top back on. You could do it very quickly, but you have to expose yourself."

However, on-the-spot tampering would also be very risky, requiring that the cashier be distracted for as many as five or ten minutes without noticing someone hanging around the unattended checkout line. Even with minimal staffing, that wouldn't be easy in a typical Aldi store with its shotgun layout, where everything is visible from anywhere in the store.

Truly sophisticated tampering might even include setting up the hacked card readers to transmit card data by Bluetooth or across the Internet. But that seems less likely. It's a lot more work and expense to collect data from just a few hundred cards at each store.

There's another, more unnerving, possibility: that there were actually 10 groups of thieves, one in each of the areas where the skimmers were installed. That would involve a lot more coordination among the thieves, and might signal far more headaches for retailers facing the prospect of gangs of cyberthieves who could hit stores in multiple cities at once.

Then again, cyberthieves are known for being fond of Internet discussion groups so finding like-minded thieves wouldn't be that difficult, which would explain the widely dispersed geographies hit and the ease with which the numbers could be cashed out thousands of miles away.