Every so often, the sophistication of the technology being built into credit card skimmers amazes even the experts who are accustomed to studying such crimeware. This post focuses on one such example — images from one of several compromised point-of-sale devices that used Bluetooth technology to send the stolen data to the fraudsters wirelessly.
In October 2012, forensics experts with Trustwave Spiderlabs were called in to examine the handiwork of several Bluetooth-based point-of-sale skimmers found at a major U.S. retailer. The skimmers described and pictured in this blog post were retrieved from a retail breach that has not yet been disclosed, said Jonathan Spruill, a security consultant at Trustwave.
Spruill said the card-skimming devices that had been added to the small point-of-sale machines were beyond anything he’d encountered in skimmer technology to date.
“The stuff we’ve been seeing lately is a leap forward in these types of crimes,” said Spruill, a former special agent with the U.S. Secret Service. “You hate to say you admire the work, but at some point you say, ‘Wow, that’s pretty clever.’ From a technical and hardware standpoint, this was really well thought-out.”
Spruill declined to name the breached merchant, and said it was unclear how long the devices had been in place prior to their discovery, or how they were introduced into the stores. But the incident is the latest in a string of breaches involving bricks-and-mortar merchants discovering compromised point-of-sale devices at their retail stores. Late last year, bookseller Barnes & Noble disclosed that it had found modified point-of-sale devices at 60 locations nationwide.
The picture below shows the card skimmer in more detail. The entire green square circuit board with the grey square heat shield and the blue element to the left are the brains of the device. The eight-legged black component in the upper right is the memory module that stored stolen credit and debit card and PIN data from unwitting store customers.
Beneath the large grey heat shield in the center of the circuit board are the chips that control the Bluetooth radio. That entire component is soldered to the base of the board. The blue and white wires leading from the skimming device connect the skimming module to the card reader on the point-of-sale device, while the group of eight orange wires that come out of the bottom connect directly to the device’s PIN pad.
The image below shows the eight orange wires from the skimmer soldered to the POS device. Spruill said the quality of the soldering job indicates this was not made by some kid in his mom’s basement.
“One of the reasons suggesting that the attacker was fairly accomplished is the quality of the solder done with those very small connections to the PIN pad,” he said.
The reverse side of the skimmer circuit board is shown in the somewhat blurry picture below. Clockwise from the top are the yellow and white wires that connect the skimmer to the POS device’s power and ground, respectively. The six open holes running down the bottom right of the board can be used to program the microcontroller (the big black chip in the center). The blue and white wires at seven o’clock connect the POS device’s PIN pad to a Magtek chip. Spruill said that while Magtek is the technology that’s in virtually every card reader out there, the entire circuit board appears to have been custom made — and possibly mass-produced — to be used expressly for skimming POS devices.
“There is really no other function that this skimming device could have done,” he said. “I would imagine this was manufactured somewhere, but it’s not clear where. Based on the componentry, there is no other function that I could see this being used for. What other implementation would you use to capture magnetic stripe and PIN data and transfer it over Bluetooth?”
Spruill said that beneath the access panel on the device were some SIM card holders, which could enable the device to be used to transmit data wirelessly via a GSM network to anywhere in the world. For whatever reason, whoever modified these point-of-sale devices chose to transmit the stolen card data via Bluetooth. The thieves who planted the skimmers could then periodically retrieve the stolen data simply by using a Bluetooth-enabled wireless phone or other device. Bluetooth devices can generally be accessed within 30 meters, but that range can be extended with special antennas, meaning the thieves could have retrieved the data either by shopping in the store, or potentially from inside of a car or van out in the store’s parking lot.
Card skimmers that transmit data are becoming increasingly common, particularly in skimming devices added to gas station pumps. But this skimmer included some extra technology that indicates its designers had taken precautions to prevent outsiders from being able to intercept or read the stolen card and PIN data: Spruill said the skimming device encrypted the stolen data both while stored on the device’s memory module and when it was to be transmitted wirelessly.
“In this case, the stolen data is encrypted, both at rest and when transmitted over Bluetooth,” Spruill said. “That is strange in my experience, because usually you will find it is stored in plain text or XORed” [a very simple cipher that can be trivially broken].
Trustwave Spiderlabs is still working on decrypting the data on the devices, which Spruill said is encrypted with a custom AES block cipher; AES, short for Advanced Encryption Standard, is an encryption scheme that has been adopted by the U.S. government and is now widely used worldwide. Complicating matters more, the skimmer maker set the microcontroller’s “lock bit,” a hardware security mechanism that, once set, prevents the code on the chip from being dumped or read and blocks any further writing to the chip.
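To illustrate why Spruill treats plaintext or XORed storage as the easy case and real encryption as the hard one, here is a small forensic triage script. It is an added example, not Trustwave’s tooling or anything from the post: it takes a recovered skimmer memory image and reports whether it holds readable track-2 records, records hidden behind a single-byte XOR, or only high-entropy bytes that an investigator would have to treat as genuinely encrypted. All sample dumps are constructed: the track-2 records use well-known test PANs, the “PIN blocks” are made-up bytes, and the “encrypted” sample is a seeded pseudo-random buffer standing in for cipher output (it is not AES).

```python
import math
import random
import re

# Track 2 on a magnetic stripe reads ";<PAN>=<YYMM><service code><discretionary data>?".
# Everything below is constructed sample data, not material from any real device.
TRACK2_RE = re.compile(rb";\d{13,19}=\d{4}\d{3}\d*\?")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for output of a sound cipher, far lower for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_track2(data: bytes) -> list:
    """Return every byte string in the image that has track-2 structure."""
    return [m.group(0) for m in TRACK2_RE.finditer(data)]


def try_single_byte_xor(data: bytes):
    """Return (key, records) for the first single-byte XOR key that exposes track-2 records.

    The sentinel bytes ';', '=' and '?' plus runs of ASCII digits make a correct key
    unmistakable, which is why XORed skimmer data is considered trivially recoverable.
    """
    for key in range(1, 256):
        candidate = bytes(b ^ key for b in data)
        records = find_track2(candidate)
        if records:
            return key, records
    return None, []


def triage(dump: bytes) -> dict:
    """Classify a recovered memory image the way an investigator would on first look."""
    result = {"entropy": round(shannon_entropy(dump), 2), "records": [], "key": None}
    records = find_track2(dump)
    if records:
        result.update(storage="plaintext", records=records)
        return result
    key, records = try_single_byte_xor(dump)
    if records:
        result.update(storage="single-byte-xor", key=key, records=records)
        return result
    # No structure found directly or behind a one-byte XOR: treat as real encryption
    # (or a cipher that needs key material the chip will not give up).
    result["storage"] = "encrypted-or-unknown"
    return result


# Constructed plaintext log: two track-2 records with public test PANs, each followed by
# eight made-up bytes standing in for a captured PIN block.
SAMPLE_PLAINTEXT = (
    b";4111111111111111=25121011234567890?" + bytes.fromhex("0412ac89ff3c1d7e")
    + b";5500000000000004=26061011234567890?" + bytes.fromhex("a1b2c3d4e5f60718")
)

# The same log obfuscated with a single-byte XOR key (0x5A), the weak scheme Spruill
# says is usually found.
SAMPLE_XOR = bytes(b ^ 0x5A for b in SAMPLE_PLAINTEXT)

# A stand-in for properly encrypted storage: a seeded pseudo-random buffer with no
# recoverable structure. This is NOT AES; it only models what good ciphertext looks like.
_rng = random.Random(20121031)
SAMPLE_CIPHERTEXT = bytes(_rng.getrandbits(8) for _ in range(4096))


if __name__ == "__main__":
    for label, dump in (("plaintext", SAMPLE_PLAINTEXT),
                        ("xor", SAMPLE_XOR),
                        ("ciphertext", SAMPLE_CIPHERTEXT)):
        r = triage(dump)
        print(f"{label:>10}: storage={r['storage']} key={r['key']} "
              f"entropy={r['entropy']} records={len(r['records'])}")
```

The entropy figure is the useful first signal on a real image: a dump that scores near 8 bits per byte and yields nothing to a quick XOR sweep is the situation described in the post, where the analysts are left needing key material that the locked microcontroller will not hand over.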
Whether Trustwave can break the cipher and determine which card brands may have been impacted by the skimming attacks could affect the fines paid by the breached merchant, he said.
“We’ve got a lot of smart people working on it, but at present it’s not easy to get around,” Spruill said. “There were no keys or algorithms that we could pull from the controller.”