Dec. 9, 2011 -- Thieves who inserted data-skimming devices into card readers at Lucky's supermarket self-checkout counters ripped off as many as 500 of the California chain's customers, officials said.
Lucky's, owned by Save Market Supermarkets, said in a statement that the company has removed tampered credit/debit card readers from 24 stores. The readers have been sent to the Secret Service, which is investigating the scam.
Data-skimming devices inserted into the readers allowed the crooks to steal information like the shoppers' PIN numbers, expiration dates and security codes from the cards wirelessly. Lucky realized something was up, according to its statement, when during a regular review it discovered a reader that "looked suspicious."
Barry Shiller , a public relations consultant from Burlingame, Calif., was one of the shoppers whose account was compromised. He realized something was wrong on Sunday.
Lucky's Customers Hit By Digital Card Readers
"I just happened to look at my online account , and I noticed a large withdrawal that had occurred in San Francisco," which he hadn't visited recently, he said. The withdrawal was for $300. He called his bank, Wells Fargo, right away, and found out that a second withdrawal attempt had been made for $500, but the bank fraud detection system stopped it.
Wells Fargo restored the missing funds to his account, and Shiller didn't realize what had happened until the next day when he saw news coverage.
"It was then that I put two and two together," he said. "I realized I shop at one of the stores," the Lucky market in Millbrae, about half an hour from San Francisco.
"It was extremely anxiety-provoking," said Shiller, who spent two hours on the phone Monday trying to reach Lucky's through the chain's 800 number.
Lucky said in its statement that its customer-support team has been fielding up to 2,000 calls a day. It said all the readers that were tampered with were replaced by Nov. 23. The company doesn't know how much money was taken illicitly because of the tampering.
To protect themselves against skimmers, shoppers should consider using credit rather than debit cards, says identity theft expert John Sileo, author of "Stolen Lives, Identity Theft Prevention Made Simple."
"It's much more attractive to a thief to get a debit card, and it's much harder on a victim," Sileo says.
The reason: with a debit card, consumers often have only a couple of days to notify the bank that they were victims of fraud, whereas credit-card companies generally allow 60 to 90 days and do the investigation themselves.
Sileo recommends checking out the reader you are about to use and making sure it looks just like the one in the other aisles--with nothing loose, sticking out and with no sign of a camera attached.
He also suggests setting up debit and credit card alerts via text message or email. "If you're home watching the football game and you just spent $5 in Starbucks, you know you've got a problem," he said.
Self-checkout makes fraud easier, he said. "There's nobody watching. It does make it easier to slip on a skimmer or put in a camera that records people's PIN numbers," he said. But he doesn't think shoppers need to stop using self-checkout. They just need to be vigilant.
But Shiller, who is thinking about whether he'll go back to Lucky's, says he's sure of one thing. "I'm not going to use a self-checkout machine."