The scam involving a card-reading device slipped inside a grocery chain's self-checkout terminals has ballooned to include nearly 140 Petaluma residents among more than 500 victims across the Bay Area who filed fraud reports with police and Lucky Supermarket staff.
U.S. Secret Service agents with expertise in financial fraud are now taking the lead in the investigation into what appeared to be a widespread scheme involving the surreptitious installation of a device that transmits financial data over wireless networks.
Executives with Lucky corporate owner Save Mart Supermarkets now count 24 stores from Petaluma to San Jose where tampered card scanners resulted in the theft of debit card information and losses.
"The number of stores targeted here suggests some level of sophistication," said Andy Adelmann, special agent in charge of the service's electronic crimes task force in San Francisco and San Jose.
Agents were still analyzing the device as well as the time and tools it would take to install what company officials described as a computer memory board. Adelmann wouldn't discuss what they've learned so far. However, he did say they've investigated such wireless devices before.
Save Mart Supermarkets officials said the terminals were somehow opened, the devices placed inside the machine and connected to VeriFone card readers.
Similar devices have been used to capture financial information at gas stations and bank ATMs. Agents with the Northern California Computer Crimes task force are building a case against two men linked to Southern California Armenian gangs suspected of placing card-reading skimmers at banks across California, including at a JP Morgan Chase branch in Petaluma.
Bank staff in September 2010 discovered a facade over a card swipe device on the door of an ATM kiosk on South McDowell Boulevard, Chapman said.
"They had a camera that picked up the key pad, it was attached to the machine with an adhesive," Chapman said.
Two suspects are in custody in San Luis Obispo County.
"The most important thing people can do is stay on top of their transactions," Chapman said. "A lot of time this type of fraud can continue for months until the person looks at their bank statements."
Lucky staff first found a device Nov. 3 in Mountain View. Company officials delayed notifying the public for 20 days even as they sent technicians to check terminals at all 233 stores.
It's unknown how long the devices collected financial data from customers buying groceries at the untended self-checkout lines. However it appears the devices were in place by Oct. 1.
Scott Hertzberg and his wife, Kimberlee, stopped at the Lucky Supermarket on Lakeville Highway in Petaluma on Saturday on their way home from Christmas shopping to buy a gallon of milk.
An unknown person withdrew $400 from their bank account at a Chase ATM in Burlingame around the same time they zipped through the self-checkout line as they do several times a week for diapers or other last-minute items.
"Whoever did it had the gall to go to a bank," said Hertzberg, 29. "They were in the lobby ATM."
The cash was withdrawn just after the Hertzbergs paid their mortgage and car payments and before payday. They noticed the withdrawal on Monday after learning about the scam in the news. The withdrawal brought their balance to a negative and they watched the overdraft charges pile up as their holiday purchases went through.
They called their bank, JP Morgan Chase and then the police. Chase reimbursed their account Wednesday.
Hertzberg said he was angry at company executives for not warning people sooner.
"They could have said out of order, under maintenance, anything," he said. "They knew about it."
Several US Bank customers said their cards were canceled without notice.
Kelly Moss, 49, of Cotati just barely made it to a gas station "on fumes" Wednesday and swiped her card to buy gas when she discovered her card had been canceled.
After a frantic call to the bank, a representative told her they canceled the cards of customers who had shopped at the affected Lucky stores.
Moss said she doesn't shop at Lucky, but her husband sometimes stops by the Petaluma store on his way home from work.
"I'm never going to shop at Lucky and neither is my husband," Moss said. "I'm not doing it."
Brad Hunter, Exchange Bank senior vice president, said the bank is working with 18 customers who have had their accounts accessed following the Lucky security breach.
All the withdrawals took place at ATM machines and averaged $775 per transaction, Hunter said.
"Cash is king," Hunter said. "It's unusual for these skims to actually get the pin, but the way these devices were set up, clearly that's what they were after."
Hunter said people in the financial industry speculate that the scheme was completed by someone posing as a terminal technician.
Save Mart spokeswoman Rockwell said company officials don't suspect employees or VeriFone maintenance crews were involved in the heist.
However it's unclear how someone opened up the machine without notice.
Chapman said the case resembles a similar card-skimming scam that hit gas stations across the Bay Area.
A group of men drove around Northern California in a rented Cadillac Escalade and installed skimmers inside gas station pumps using a universal pump key to get inside, according to the state Attorney General's Office.
Chapman said the men were able to pose as maintenance workers.
"No one was really concerned about anyone opening a gas pump," Chapman said.
Two Southern California men pled guilty Jan. 11 to stealing nearly $100,000 from about 200 people between November 2009 and February 2010 in that case.
The case prompted some gas companies to separate payment devices from the pump, Chapman said.
Neither the gas station skimmers nor the devices used at Lucky were visible from the outside.
More commonly, thieves place a fake swiper over the real swipe device, and the mechanism gathers financial data while a person is still able to make a transaction as intended.
Exchange Bank fraud risk analyst Hellen Ciudad-Real said staff members check ATMs several times each day.
If customers see anything out of place or loose "walk away from the machine," Ciudad-Real said.
"Tug on it, make sure there's no unusual brochure holders that look out of place. That's usually where they put the cameras. If you do find a skimmer, call the police."
You can reach Staff Writer Julie Johnson at 521-5220 or julie.
johnson@pressdemocrat.com.
UPDATED: Please read and follow our commenting policy: