European law-enforcement officials uncovered a highly sophisticated credit-card fraud ring that funnels account data to Pakistan from hundreds of grocery-store card machines across Europe, according to U.S. intelligence officials and other people familiar with the case.
Specialists say the theft technology is the most advanced they have seen, and a person close to British law enforcement said it has affected big retailers including a British unit of Wal-Mart Stores Inc. and Tesco Ltd.
The account data have been used to make repeated bank withdrawals and Internet purchases, such as airline tickets, in several countries including the U.S. Investigators haven’t pinpointed the culprits. Early estimates of the losses range of $50 million to $100 million, but the figure could grow, said the person close to British law enforcement.
The scheme uses untraceable devices inserted into credit-card readers that were made in China.
The devices selectively send account data by a wireless connection to computer servers in Lahore, Pakisan, and constantly change the pattern of theft so it is hard to detect, officials say.
“Pretty small but intelligent criminal organizations are pulling off transnational, multicontinent heists that only a foreign intelligence service would have been able to do a few years ago,” said Joel F. Brenner, the U.S. government’s top counterintelligence officer.
U.S. intelligence officials, including senior National Security Agency officials, are monitoring the case, in part because of its ties to Pakistan, which has become home to a resurgent al Qaeda.
The scheme comes on the heels of the August indictment of a fraud ring that stole more than 40 million credit-card numbers from U.S. companies, including TJX Cos., the parent company of TJ Maxx.
In March, security officials at MasterCard Inc. saw a pattern of potential fraud in northern England. Meanwhile, a security guard at a U.K. grocery store noticed suspicious static on his cellphone and alerted authorities. Scotland Yard learned of the report and eventually connected it with the warning from MasterCard, according to the person close to British law enforcement.
Examining the store’s credit-card readers, investigators discovered a high-tech bug tucked behind the motherboard. It was small card containing wireless communication technology.
The bug would read an individual’s card number and the corresponding personal identification number, then package and store the data. The device would once a day call a number in Lahore to upload the data to servers there and obtain instructions on what to steal next.
A MasterCard spokesman declined to discuss details of the case but said safeguarding financial information is a top priority for the company.
There is no obvious visual indication that a machine has been altered, but those with the bugs weigh about four ounces more. For the past several months, teams of investigators have been weighing thousands of machines across Europe with a precision scale.
So far, investigators have found hundreds of machines in at least five countries: Britain, Ireland, Belgium, the Netherlands and Denmark. They have turned up at European grocery chains including Asda, which is owned by Wal-Mart; Tesco; and J Sainsbury PLC, according to the person close to British law enforcement.
A spokeswoman for Asda said, “It’s subject to a police investigation, so we can’t comment.” A spokeswoman for Sainsbury denied its stores were hit by the scheme. A spokeswoman for Tesco said: “We’re aware that this was an issue for retailers.” She said Tesco tested its devices and is confident they are now secure.
The device can be told to copy certain types of transactions — for example, five Visa platinum cards or every tenth transaction. It can also be instructed to go dormant to evade detection. On average, only five to 10 card numbers would be phoned in to Pakistan, the person close to British law enforcement said.
Write to Siobhan Gorman at firstname.lastname@example.org