DVD rental kiosk firm Redbox sent an e-mail to customers tonight to warn them about an attempt to capture customer credit card data using a technique called skimming.
Redbox appears to have been prepared for this, and contacted customers to warn them about the threat. Here's part of the e-mail I received:
To Our Valued Customers:A few days ago redbox detected and removed an illegal credit card skimming device at one of our 7,400 locations. At the same time, redbox also discovered evidence of skimming attempts in two other locations. Skimming involves the placement of an illegal device above the credit/debit card reader on a vending machine, ATM, or in this case a redbox. These devices are used to illegally read or store personal credit card information.
The full text of the e-mail folllows after the jump.
The following is the full text of the e-mail sent by Redbox to customers:
To Our Valued Customers:A few days ago redbox detected and removed an illegal credit card skimming device at one of our 7,400 locations. At the same time, redbox also discovered evidence of skimming attempts in two other locations. Skimming involves the placement of an illegal device above the credit/debit card reader on a vending machine, ATM, or in this case a redbox. These devices are used to illegally read or store personal credit card information.
Even if your redbox was not targeted, it never hurts to pay a little extra attention and check for any unusual activities or changes at your local redbox. If you suspect your redbox has been tampered with (click this link to see pictures of skimmer devices: http://www.redbox.com/creditcardsecurity/ ) please call 866-REDBOX3, e-mail alerts@redbox.com , or notify the store/restaurant manager of your concerns immediately.
Although there is no evidence currently that these skimming attempts were successful, consumer security is a top priority for redbox. Reviewing transaction records, there is a possibility that up to 150 customers may have been affected. Although only a small percentage of the millions of customers who use redbox each month, redbox has notified the major credit card companies so that they can monitor the situation. The redbox team is also working with local authorities to investigate the incidents and ensure your security.
Skimming is not new (click this link for more details: http://www.uboc.com/). It has been attempted numerous times on ATMs, gas station pumps, and now redbox has been targeted. Redbox has been aware of these industry threats and has spent significant time and resources to prepare for them. The 7,400 redbox locations are visited frequently by redbox associates to maintain smooth operations and an optimum customer experience. In this case, a redbox associate found evidence of skimming attempts and initiated the actions in the team's response plan (including this e-mail message).
Redbox greatly values our customer relationships. As a result, redbox is open and direct in our communications about this type of situation. The redbox team also utilizes industry-leading technology to ensure you have a safe shopping experience and aggressively combats attempts by criminals to defraud customers. Please see the questions and answers below for some additional details on skimming and how redbox ensures the safety of your account information.
Sincerely,
Trina Graham-Hodo
Director, Customer Service
Bill Caputo
Director, SecurityAdditional Questions / Answers:
Q. What is credit card skimming?
A. Skimming is the theft of credit card information used in an otherwise legitimate transaction. It often involves the placement of an illegal device above the credit/debit card reader on a vending machine, ATM, or in this case a redbox. For more info click these links:
http://en.wikipedia.org/wiki/Credit_card_fraud#Skimming
http://www.uboc.com/about/main/0,,2485_703976951,00.htmlQ. What does redbox do to protect consumer credit card information?
A. Redbox employs state-of-the-art security technology to ensure the privacy and security of our customers' data before, during, and after their visit to our kiosks. Customer credit card information is encrypted the moment it's swiped through our readers. Redbox uses further layers of encryption to protect all data transfers, too. Kiosks are also actively monitored and regularly inspected both on-site and remotely. Redbox never moves or stores unencrypted customer information. Credit card information can not be accessed by outsiders or even by redbox employees once the card is swiped at a kiosk.
Q. Where can I get more information on credit card skimmers?A. Please use these links to get more information on credit card skimmers:
http://en.wikipedia.org/wiki/Credit_card_fraud#Skimming
http://www.usatoday.com/tech/news/computersecurity/infotheft/2007-07-31-gift-cards_N.htm
http://www.uboc.com/about/main/0,,2485_703976951,00.htmlQ. How do I know if a skimmer is on my redbox?
A. Redbox credit/debit card readers are standardized for all locations. Click this link for pictures of the two approved readers and some examples of skimmer devices: http://www.redbox.com/creditcardsecurity/.
Q. Who should I call if I have questions?
If you suspect your credit card information was improperly used, contact your financial institution immediately. If you have specific concerns related to this incident and redbox, please visit http://www.redbox.com/creditcardsecurity/ or call 866-REDBOX3. Please do not reply to this email.
Thanks. I'd never heard of this. I'll start paying more attention where I swipe my card (and hoping the devices don't get so sophisticated they're impossible to spot).
One good thing though; I'm sure these skimming devices aren't cheap. Hopefully the cost of having these devices confiscated will put this type of criminals out of business.
Posted by: Gir | April 05, 2008 at 09:37 AM
Nope. They are just home modified magstripe readers. Cheap. Not impossible to get for free. And the computing device its plugged into (they don't show, but every implementation I am aware of has the reader plug into something else; a laptop, PDA, etc. That is probably taped to the back of the Redbox, or the coin counter next to it, or something. There's a thin wire, then.
The top example, at least, looks pretty halfa**sed. I would hope many folks would notice it. Would have been nice of the redbox guys to have either buried the card reader in the box, or painted the reader red so it's more obvious when something doesn't match up.
There are slicker (harder to detect) skimmers, so be careful if you use a lot of systems like this (in public, unattended, and you are not so familiar with it you might not notice a change). Skimmers on ATMs can cause a lot more damage.
Posted by: Steven Hoober | April 05, 2008 at 09:56 PM
@Steven- Looks like you are wrong. Here is a portable skimmer (that means without wires) that looks strikingly similar to the one in the post. Its under $300 BTW.
http://cgi.ebay.com/Mini-400-USB-Portable-Magnetic-Card-Reader-Magstripe_W0QQitemZ120303886670QQcmdZViewItem?hash=item120303886670&_trkparms=72%3A1163|39%3A1|66%3A2|65%3A12|240%3A1318&_trksid=p3286.c0.m14
Posted by: Chad Bailey | September 14, 2008 at 02:11 AM
I notice that the page that Redbox was hosting now "cannot be found." Hmmmm.
Posted by: Alex Kraus | May 12, 2009 at 08:24 AM