Payment card theft involving compromised PIN pad devices is not new. In 2010, discount grocer Aldi Inc. disclosed a data breach in which criminals stole debit card data from an undisclosed number of people after tampering with PIN pad terminals at stores across 11 states.
Last year, crafts store chain Michaels Stores disclosed that close to 100 payment card terminals at stores across 20 states were tampered with by criminals looking to steal debit and credit card data.
Contrary to what one might expect, tampering with payment card terminals at retail stores is not very hard, said Avivah Litan, an analyst with Gartner Inc.
In most cases, crooks begin by targeting specific payment devices, not necessarily the store itself, she said. "What they do is study the equipment. They take it apart, look at it and then build [a card skimmer] that can be slipped into it very quickly."
The skimmers are often small and unobtrusive and are designed to capture and wirelessly transmit stolen card data to offsite servers. The crooks then attack stores using those devices, she said.
"I know of at least one case where they did this at a bank. With all that security they just went in and slipped a skimmer into a bank ATM."
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is firstname.lastname@example.org.
Read more about cybercrime and hacking in Computerworld's Cybercrime and Hacking Topic Center.