American retail giant Costco Wholesale is alerting customers about a possible breach of their credit card data after its executives discovered a credit card skimming device at one of its warehouses in the US.
Costco, which runs a large number of membership-only retail stores in the US, Europe, and Asia, sent out notification letters to customers after its personnel discovered a credit card skimming device at one of its warehouses during a routine check.
The company has not disclosed the name or location of the warehouse, nor has it shared any details about the number of customers whose credit card data was potentially compromised. It is also not known how long the skimming device remained at the warehouse before it was discovered. However, a copy of the notification letter, obtained by Bleeping Computer, is now in the public domain.
“You are receiving this letter because your payment card information may have been compromised,” the letter read. “We recently discovered a payment card skimming device at a Costco warehouse you recently visited. Our member records indicate that you swiped your payment card to make a purchase at the affected terminal during the time the device may have been operating.”
“If unauthorised parties were able to remove information from the device before it was discovered, they may have acquired the magnetic stripe of your payment card, including your name, card number, card expiration date, and CVV,” Costco warned.
Stating that the incident was discovered as a result of regular PIN pad inspections conducted by Costco personnel, the retail giant asked potentially affected customers to check their bank or credit card statements for unauthorised charges. Costco also advised customers to work with their card issuers to avoid any fraudulent activity involving their accounts.
Chris Hauk, consumer privacy champion at Pixel Privacy, says that in cases like this, all customers who have shopped at that Costco location should call their credit card issuer to receive a new card (this is a good idea, even if they haven’t received a notice from Costco).
“They should also keep a close watch on their credit card charges for any questionable purchases or transfers. They should also be aware of scammers who may try to contact them posing as law enforcement or Costco officials.”
How can retail customers protect themselves from card skimming operations?
According to Erich Kron, security awareness advocate at KnowBe4, skimming devices are often very cleverly disguised and simply lie on top of the existing machine, attached with double-sided tape or another adhesive. These typically cover the keypad and the card swipe area and are very hard to see.
“The skimmers typically have an additional set of card readers that saves the magnetic stripe information and records the PIN entry that can be retrieved later from a distance, using Bluetooth or other wireless technologies. These low-cost skimmers can be expected to be seen in use more often as consumers hit the streets making purchases for the holiday season.
“To protect yourself, look carefully at the card readers when you use them and even give them a little shake to see if the top feels loose,” Kron says. “In addition, because skimmer overlays have to be slightly larger than the card reader itself, they will often make it impossible to put the signature pen back in the slot on the side. In addition, keep an eye on credit card and bank statements, looking for unknown or unusual charges, and report them to your financial institution immediately.”
Debrup Ghosh, senior product manager at Synopsys Software Integrity Group, says that customers should use either tap-and-go credit card payments, which use short-range wireless technology (rather than magnetic tape which can be easily stolen via credit card skimming), or online/mobile payment services such as Apple Pay and Google Pay, which create a virtual card for each transaction, thus making it very difficult to skim card information.