Michaels Stores said this month that it had replaced more than 7,200 credit card terminals from store registers nationwide, after discovering that thieves had somehow modified or replaced machines to include point of sale (POS) technology capable of siphoning customer payment card data and PINs. The specific device used by the criminal intruders has not been made public. But many devices and services are sold on the criminal underground to facilitate the surprisingly common fraud.
POS skimmers typically are marketed and sold in one of three ways: Pre-compromised POS terminals that can be installed at the cash register; Fake POS devices that do not process transactions but are designed to record data from swiped cards and PIN entries; or Do-it-yourself kits that include all parts, wiring and instructions needed to modify an existing POS terminal.
I spoke at length to a POS skimmer seller who has been peddling POS modification devices on an exclusive underground fraud forum for more than a year. From the feedback left on his profile it is clear he had many satisfied customers. Buyers specify the make and model of the POS equipment they want to compromise (this guy specializes in hacking VeriFone devices, but he also advertises kits for devices manufactured by POS makers Ingenico, Xyrun, TechTrex).
His skimmer kit includes a PIN pad skimmer and two small circuit boards; One is a programmable board with specialized software designed to interact with the real card reader and to store purloined data; The other is a Bluetooth-enabled board that allows the thief to wirelessly download the stolen card data from the hacked device using a laptop or smartphone.
The PIN pad skimmer is an ultra-thin membrane that is inserted underneath the original silicon PIN pad. It records every button pressed with a date and time stamp. The thief must also solder the two boards to the existing PIN pad device to hijack the machine’s power and data processing stream.
Many POS manufacturers include tamper-proof seals and other security devices designed to maintain the POS’s original function and form and to make it difficult for would-be thieves to modify the machines. Most POS skimmer makers furnish instructions for bypassing these protections.
The model shown here sells for $3,000 — including the skimmer devices, software and tutorial. Customers who purchase 10 or more kits can get them for about $2,000 apiece.
POS skimmer thieves use the data they steal to create counterfeit cards that can be used in combination with the victim’s PIN to withdraw cash from ATMs. Some POS skimmer sellers I’ve interviewed sell services that allow you to “rent” their skimmers; a few will even handle the ATM “cashout” process for a percentage of the proceeds from the theft.
POS skimmers serve as another reminder that debit cards can be riskier to use than credit cards. KrebsOnSecurity regular reader and commenter said it best in a recent comment:
“Using a credit card is safer for consumers who want to protect their bank accounts from unauthorized entry. Consumer protection laws are a lot stronger for credit cards than for debit cards. Unauthorized transactions on a credit card are simple to report and reverse. Resolving unauthorized withdrawals of [cash from] a debit card requires a lot of time and paper work. Many banks require that you file a police report before they will investigate an unauthorized withdrawal.”
Have you seen:
Gang Used 3D Printers for ATM Skimmers…An ATM skimmer gang stole more than $400,000 using skimming devices built with the help of high-tech 3D printers, federal prosecutors say. Apparently, word is spreading in the cybercrime underworld that 3D printers produce flawless skimmer devices with exacting precision. In June, a federal court indicted four men from South Texas (PDF) whom authorities say had reinvested the profits from skimming scams to purchase a 3D printer.