Gartner Blog Network

Lucky stores weren’t so lucky – Another Flash Attack?

by Avivah Litan  |  December 8, 2011  |  Comments Off on Lucky stores weren’t so lucky – Another Flash Attack?

What really happened at Lucky and Savemart stores? See for their press release on this.

Something here doesn’t add up. The chain says employee and customer bank accounts were compromised but employees generally don’t swipe their cards at the POS systems. So I for one, would like to understand the connection to employee accounts. There must be more than just card reader tampering going on here.

But if you take the employee piece out of the picture (and I don’t say we should) then this looks like yet another sophisticated POS card reader fraud attack.

The bad guys are very organized. They have the ring leaders that target the POS systems used at the store chain. They must have known which type of POS equipment Savemart uses and designed an attack specifically against their systems.

The ring leader(s) hire ‘flackies’ to insert skimmers in the equipment or to replace the equipment Savemart has have installed altogether. (Most likely it’s the former option although the latter option is more common in South America). They then hire the counterfeit specialists that turn the stolen data into counterfeit cards (with PIN numbers, if they have them) taped on to the counterfeit cards. And finally they hire the ‘cash out’ flunkies to use the cards at ATM machines or other POS systems to turn the stolen cards into stolen cash or easily fence-able goods (like TVs, tablets or other electronic goods).

Then they hire people to collect the cash or to fence the goods before the cash is collected.

They generally use the cards VERY QUICKLY at ATM machines around the country and sometimes in other countries, simultaneously withdrawing small amounts at dozens of machines against dozens of accounts, typically within 10-30 minutes. Then they wait an hour and do it again. This way they can evade many of the fraud detection systems.

I blogged about this months ago – I call this the Flash Attacks. Of course Savemart is only reporting on their piece and the banks generally don’t disclose their side of things so we can’t be sure if Flash Attacks resulted from this hack.

Also the part disclosed on employee account takeover is still troublesome. I’d like to know more about that. As noted, employees typically don’t swipe their own cards at the cash registers.


Avivah Litan
VP Distinguished Analyst
19 years at Gartner
34 years IT industry

Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Ms. Litan's areas of expertise include endpoint security, security analytics for cybersecurity and fraud, user and entity behavioral analytics, and insider threat detection. Read Full Bio

Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.