NORTHAMPTON — Executives announced Tuesday that the Big Y store on North King Street was one of five in the area targeted by hackers, and a local detective called such crimes among the biggest menaces of our time.
A store official said no thefts have been reported as a result of the so-called skimming attack, in which devices are laid over an existing keypad and card scanner, mimicking their appearance. The hackers are then able to steal customers’ credit card and PIN numbers.
Northampton Police Detective Corey Robinson told the Gazette Wednesday he was surprised to hear such technology was placed within a retail store. Typically, he said, tech-savvy perpetrators have targeted stand-alone machines without a lot of people nearby.
Describing a separate recent incident, during which an observant ATM user found and removed skimmer technology from a local unit, Robinson said these types of attacks are increasingly a threat to the U.S. economy.
“It’s a vulnerability within our system that we have to address,” he said.
Claire D’Amour-Daley, a spokeswoman for Big Y, said Wednesday the devices were found by employees during regular security checks. It was unknown how long they had been in place.
“We haven’t heard of any issues, yet, but we want to be sure to alert customers,” D’Amour-Daley said, adding that she encourages customers to monitor their bank accounts.
The five units compromised — of some 1,400 Big Y terminals throughout the region — were all at the chain’s pizza counters. She said the five were “satellite registers,” meaning they’re along the edges of the store and not within the “main bank” of registers.
A manager at the Stop & Shop supermarket in Northampton said Wednesday that store employees are on “high alert” and are keeping a close eye on coffee and florist counters, which are in the far corners of the store. The manager declined to give her name before hanging up the phone.
D’Amour-Daley said the devices discovered were consistent throughout the five stores targeted. She declined to get more specific about security measures or the technology involved, but said the company is working with federal law enforcement on the investigation.
“Believe me, we have increased our security protocols dramatically” in the last week, she said, adding the chain had already been working with software vendors to deploy magnetic chip readers before the incident. “We have a responsibility as retailers to protect the security and privacy of our customers, and customers also have a responsibility to check on their end.”
Robinson said there are many different types of skimming technologies, and when these types of crimes occur locally, they are more often committed by people coming to the area from larger cities.
Robinson said it can be difficult to pinpoint how long a device has been in place, and those who apply them often know how to avoid security cameras.
“A lot if it has to do with accessibility,” Robinson said. “They’re going to go to areas where they’re not out in view of people — I think a lot of it’s just opportunity.”
Brian Krebs, former Washington Post journalist and national blogger known for his cybersecurity coverage, told the Gazette the overlay devices are designed to be quickly deployed.
“They’re really easy to put on,” he said, adding that terminals at major retailers often come from one of two manufacturers, VeriFone and Ingenico. “It takes maybe two seconds.”
The problem will continue, said both Krebs and Easthampton Savings Bank Executive Vice President Lynn Starr, until magnetic strips on credit cards are done away with entirely and all retailers have chip readers.
Starr said local adoption of the emerging technology has been slow — only 23 percent of transactions with ESB cards last month were done with chip readers, also called EMV technology.
“It’s taken a year for it to almost double,” she said. She said retailers have to pay not only for the unit itself but also back-end expenses such as software and fees. “It’s hard to move the pile, here.”
In the meantime, Starr said she advises that people turn on banking alerts, use encrypted technologies like Apple Pay and make use of bank-specific tools. Hers, for example, offers an option for people to turn on and off their debit cards through a mobile app, meaning nothing can move in or out of the account unless the user turns the switch as they’re approaching the register and then off once they leave.
“Until the strip is gone completely from the card, it’s going to persist,” she said. “We’ve tried to give very user-friendly tools so the consumer can be proactive while the industry figures this out.”
Amanda Drane can be contacted at adrane@gazettenet.com.