Costco Card Skimming Incident is Warning for Holiday Shopping Period
DESCRIPTION
The recent incident involving a payment card skimming device at a Costco warehouse in Issaquah, Washington, serves as a timely reminder to retailers and shoppers alike about how easily payment card information can be illegally obtained. Costco made the public aware of the incident on November 5 when notification letters were sent to all shoppers of that location. Costco believes that the skimmer first appeared on the scene as early as August 2021. Since then, Costco shoppers have reported on social media sites such as Reddit that they recently experienced fraudulent charges on their credit card accounts.
IDENTIFY INDICATORS OF COMPROMISE (IOC)
People often associate credit card skimmers with gasoline stations or isolated ATMs, but the problem is far more widespread. Costco did not disclose whether the card skimmer was found within the warehouse or on one of its pumps. The skimming device was discovered during a routine security check and was quickly removed. Considering just how busy Costco locations are, one may wonder how the unauthorized device could have been placed so easily in a heavily monitored environment with so much foot traffic. According to experts, card skimmers can be installed in a matter of seconds by someone who knows what they are doing. Often, the individual will make an actual purchase and install the device using a sleight-of-hand trick. Other instances can involve the impersonation of a technician who was supposedly dispatched to replace or repair faulty equipment. Card skimming is but one of the primary means of credit card fraud. Fraud losses of nearly $28 billion were experienced in 2018 and are projected to rise to more than $35 billion by 2023.
CONTAINMENT (If IOCs are identified)
In addition to removing the device, Costco alerted the authorities and is cooperating with them during the active investigation. Because skimming attacks only involve the use of a single device, containment efforts are rarely required other than a close inspection of the premises for other devices. In the notification letters sent to the potential credit card victims, Costco said: “Our member records indicate that you swiped your payment card to make a purchase at the affected terminal during the time the device may have been operating. If unauthorized parties were able to remove information from the device before it was discovered, they may have acquired the magnetic stripe of your payment card, including your name, card number, card expiration date, and CVV.” The company advised all notified customers to monitor their bank and credit card statements for unrecognized charges and to report any suspicious transactions to their financial institutions. Costco is offering 12 months of identity theft protection, credit monitoring services, and an insurance guarantee for any required refunds.
FBI PREVENTION TIPS
Data breaches involving the use of payment card skimmers are not uncommon, especially during the holidays. Security professionals state that the current labor shortage across the country makes attacks such as these even easier, as retailers don’t have enough employees to keep a watchful eye on everything. The FBI has provided a list of measures that customers can take to help protect themselves from skimming attacks. They state that fuel pump skimmers cannot be easily identified by customers, as they are usually attached to the internal wiring of the machine. They suggest customers choose a fuel pump that is closer to the store and in direct view of the attendant. ATM skimmer devices, on the other hand, are usually fitted over the original card reader. The FBI suggests that customers look for anything loose, crooked, damaged, or scratched and walk away if anything seems the least bit unusual. Extra precaution should be taken when using ATMs in high-volume tourist areas. If possible, only use credit cards with embedded chip technology.
HOW TO BE PREPARED
Prepare for cyber threats through an Incident Response Readiness program.
HALOCK Breach Bulletins
Recent data breaches to understand common threats and attacks that may impact you – featuring description, indicators of compromise (IoC), containment, and prevention.