A "Bluetooth" device was used in the phony PIN pads to transmit all the card details, using a wireless connection.
The fraud was discovered when a large number of Edmonton cards started showing up with unusual activity in Montreal.
According to the Edmonton Police, about 400 cards have been identified as having been compromised and used (cloned), but there could be more. They also stated that they don't believe there was employee involvement in the scheme.
One person was arrested in Montreal, but the authorities are saying they don't believe this person was a "major player."
This activity is probably being accomplished with a device known as a point-of-sale (POS) data logger. The stated legitimate purpose of this device (found on a webpage called hackershomepage.com) is to back up data in case of a power failure. It even advertises that it will capture PIN numbers when they are entered on a keypad.
The advertising jargon for this particular device states:
Once the data is logged, the device can be EASILY AND QUICKLY removed (takes about 2 seconds for installation or removal) from the store POS machine and plugged into another computer where you can download and save the data.Hackers Homepage (who claims they are the only ones selling these devices) offers them for $395 each. IF you buy 100 of them, they will sell them to you for $9,999 (a savings of $30,000 off retail).
I'm amazed that these devices are for sale right over the Internet. Maybe someone in law enforcement will read this and do a little checking on this e-commerce enterprise.
Recently in Rhode Island (United States), a similar scheme was uncovered at Stop and Shop stores. Four males from California were eventually arrested after being spotted by employees tampering with a PIN pad.
Edmonton Police press release, here.
Here is my previous post on the Rhode Island scheme:
Could the arrests in the Stop and Shop data breach indicate a tie to Armenian Mobsters?