Costco Wholesale Corporation, the big-box retail chain, discovered that a card skimming device had been planted on a payment terminal at one of its stores to capture card data at the checkout counter.
After finding the skimmer, the company sent notification letters warning customers that their card data may have been stolen if they had recently made a purchase at that store.
Costco said, “We recently discovered a payment card skimming device at a Costco warehouse you recently visited. Our member records indicate that you swiped your payment card to make a purchase at the affected terminal during the time the device may have been operating.”
“If unauthorized parties were able to remove information from the device before it was discovered, they may have acquired the magnetic stripe of your payment card, including your name, card number, card expiration date, and CVV,” Costco alerted.
Costco personnel detected the device during a routine inspection of PIN pads, and law enforcement agencies were notified.
As a cautionary measure, the company has asked its customers to check their recent bank and credit card statements for unauthorized charges or transactions. In addition, it is offering the victims IDX identity theft protection services, which provide 12 months of credit monitoring, a $1 million insurance reimbursement policy, and ID theft recovery services.
The Skim Game
The device was reportedly a physical overlay placed on the payment card reader to intercept data from the magnetic stripes of swiped cards.
In an era when attacks such as ransomware and phishing dominate the headlines, old-school card skimming hardware gets less attention. Meanwhile, digital skimmers such as the Magecart groups have been found distributing PHP web shells, known as Smilodon or Megalodon, disguised as a favicon to gain remote access to targeted servers.
Security researchers at Malwarebytes found Magecart Group 12, a cybercriminal gang best known for attacks on online stores, targeting Magento shops to steal customers' sensitive information. Magento is an e-commerce platform that lets merchants build their own online stores.
“This technique is interesting as most client-side security tools will not be able to detect or block the skimmer. There are several ways to load skimming code but the most common one is by calling an external JavaScript resource. When a customer visits an online store, their browser will request a domain hosting the skimmer. Although criminals will constantly expand on their infrastructure it is relatively easy to block these skimmers using a domain/IP database approach,” Malwarebytes said.
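The domain allowlisting approach Malwarebytes describes can be checked on the defender's side by inventorying which origins a checkout page actually loads scripts from. The following is an added example, not code from Costco, Malwarebytes or any Magento project; the page HTML, the store domain `shop.example` and the allowlisted CDN and payment domains are all constructed for illustration.

```javascript
// Added example: inventory external <script src> origins on a checkout page,
// flag any origin outside a first-party allowlist, and emit the matching
// Content-Security-Policy directive. All domains below are constructed.

const SCRIPT_SRC_RE = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;

// Origins this hypothetical store legitimately loads scripts from.
const ALLOWED_ORIGINS = new Set([
  "https://shop.example",
  "https://cdn.shop.example",
  "https://js.payments.example",
]);

// Distinct origins of every <script src=...> tag, relative URLs resolved
// against the page URL (protocol-relative "//host/x.js" included).
function externalScriptOrigins(html, pageUrl) {
  const origins = new Set();
  for (const match of html.matchAll(SCRIPT_SRC_RE)) {
    origins.add(new URL(match[1], pageUrl).origin);
  }
  return [...origins];
}

// Origins that are neither first-party nor allowlisted: review candidates.
function unexpectedScriptOrigins(html, pageUrl) {
  const firstParty = new URL(pageUrl).origin;
  return externalScriptOrigins(html, pageUrl).filter(
    (o) => o !== firstParty && !ALLOWED_ORIGINS.has(o)
  );
}

// CSP script-src directive that makes the browser enforce the same allowlist,
// so a script injected from an unlisted domain is refused before it runs.
function cspScriptSrc() {
  return `script-src 'self' ${[...ALLOWED_ORIGINS].join(" ")};`;
}

// Constructed checkout page: three legitimate scripts plus one loaded
// from a domain the store never approved.
const SAMPLE_HTML = `<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.shop.example/checkout.js"></script>
<script type="text/javascript" src='//js.payments.example/form.js'></script>
<script src="https://static-assets.invalid/jquery.min.js"></script>
</head><body></body></html>`;
const PAGE_URL = "https://shop.example/checkout";

console.log("unexpected:", unexpectedScriptOrigins(SAMPLE_HTML, PAGE_URL));
console.log("policy:", cspScriptSrc());
```

Run it once per release of the checkout template; a new entry in the unexpected list is the signal to investigate before customers' browsers fetch it.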
Such fraud is most common at ATMs, fuel pumps, and POS terminals, where card readers are tampered with to store or copy the details of swiped cards.
As pandemic restrictions ease globally, people are returning to supermarkets, restaurant chains, and other public services while continuing to shop online. The attack surface keeps expanding, and the practical response is to stay alert and reduce risk with precautionary measures against card skimming.