December 3, 2013

Point-of-sale (POS) skimmers — fraud devices made to siphon bank card and PIN data at the cash register — have grown in sophistication over the years: A few months back, this blog spotlighted a professionally made point-of-sale skimmer that involved some serious hacking inside the device. Today’s post examines a comparatively simple but effective POS skimmer that is little more than a false panel which sits atop the PIN pad and above the area where customers swipe their cards.

In scams, as with most things in life, there is a certain elegance in simplicity. This is doubly true with ATM and credit card skimmer scams: The more components and electronics involved, the greater the chance that the fraud devices will malfunction, lose juice, or else be detected too quickly. In fact, some of the most elegant skimming attacks I’ve seen to date never even touched the cash machine, and relied on very basic components.

Recently, I encountered a fraudster selling a remarkably simple but brilliant POS skimming device that can be installed and removed in the blink of an eye. This video, which was produced by a fraudster who sells these devices for thousands of dollars on semi-private underground forums, shows a late-model Verifone point-of-sale device retrofitted with a skimmer overlay. The underside of the device (not pictured) includes a tiny battery and flash storage card that allows the fake PIN pad to capture the key presses, and record the data stored on the magnetic stripe of each swiped card.

Such a device would be an enticing buy for a crooked employee at a retail store. It might even be installed surreptitiously by thieves posing as customers at a retail establishment. Last month, this blog featured a story about several fraudsters in Florida who did just that, installing hardware-based register skimmers at Nordstrom department stores while co-conspirators distracted sales personnel.

For more on ATM and POS skimmers, check out my series: All About Skimmers.


16 thoughts on “Simple But Effective Point-of-Sale Skimmer

  1. pin 1234

    I don’t believe you .How do we/you know that it is what you say it is and not just a normal POS . Where is the rest of this video ? Maybe he is just a scammer .

    I want to see some proof .24 sec video Is Not Very Convincing .

  2. S Lam

    I wonder why US do not implement chip and pin POS. Consumer end up paying for this.

    1. pboss

      $$$$

      Plus consumers get zero liability on credit card fraud. And obviously the fraud isn’t large enough for the banks to care yet.

      1. Aaron

        There is up to$50 liability on credit card fraud, if you report it within a set amount of time, normally 90 days. The liability for credit card fraud is routinely waived.
        However if it’s a debit card, which many skimmers target, the liability is dependent on the time it takes to discover and report it. Within 2 days it’s $50 after that it’s $500 and you only have 60 days to catch it otherwise you are totally liable for all loses.

    2. J.

      Consumers end up paying to implement chip and pin POS also.

      You think a magical marxist waves his hand and industry-wide adoption of one technology just happens for free?

      Europe should adopt chip + pin + coffee-grinder-to-baby-freeze b-boy move for every transaction.

      1. **EJ**

        Right…

        And why pay once for chip+PIN implementation when the consumer sheep can pay over and over for fraud losses that get passed on continuously. Nice rant, though.

  3. IA Eng

    You know what would prevent things like this from working?

    It’s quite simple. Just use a bullard style bump that is put on the original device, randomly on the face. It doesn’t have to be overly intrusive, just large enough to keep the skimmer from laying flat and clicking into place.

    Yep, then, I am sure as you circumvent one of their contraptions with one of your own, they in turn will return the favor with a slimmer model. Then you will have to paint or change the face of the original device to easily recognize any changes.

    Its not that hard. I bet the cost to implement one of these changes costs less than a few bucks.

  4. JimV

    Was that incredibly thin, form-fit but fake front shell for the skimmer constructed with use of a 3D printer?

  5. jaded

    @JimV, it was so thin it looks like vacuum-formed plastic. If made from a clear polycarbonate, it can be painted very cleanly from the back, and will look great. And vacuum-forming is cheap and very easy to do at home.

  6. silly rabbit

    Everytime I read about this, hear about it on the news, of which it happened recently in Aspen and Denver…

    I wonder why can we not encrypt credit and debit card data the way we can encrypt our mobile/static devices? It seems more cybertheft happens wirelessly w/skimmers too, so isn’t it possible to do this, so that only the merchant has a one-time keycode to unlock the encryption?

    I think of some cryptology programming methods, but I am really a newbie at understanding how cryptology + algorythmic coding works.

    There has to be a better way, and I don’t think adding more hardware is the solution, but more of a software encryption/approval method. I also think that for every tranx I make, I should get a code sent to my mobile that IDs me as the only buyer (mobile device number = personal ID authentication) and I am the only one who knows what the approval code is for the purchase to go through (kiosk keycode gen). Just a thought, but I think it is doable.

    Crooks will never be outsmarted entirely, but they are the only reason security was invented.

    1. Alex

      Pinpads are encrypted. They send the pin you enter in encrypted form. That’s why crooks use the overlays. Some banks do the mobile thing for online banking already because too many people fall for scams

      1. Alex

        Lol. Hit post.

        Too many people fall for scams that get several TANs from them. Some vanks use Tan generators instead so you dont have a tan list any more. An intermediate step is an indexed tan list where they need to scam you into providing all of your tans.

        Of course that for my European ban. In Canada I have yet to see anything but a simple pin and then youre free to do whatever you like online. Pathetic.

  7. Rod

    I still believe in cash- currencies forgive me for the old way of thinking, I also believe in a hand shake is better than a contract. I guess those ways will die soon with me.

    1. Bruce

      I sympathize with your way of thinking. But really, modern printers and copies do a really good job at counterfeiting cash. And while I agree that a contract is worthless if you don’t trust the person you’re doing business with, I’m guessing that Bernie Madoff had a really convincing handshake.

  8. Alex

    Interesting … I think it is the best POS skimmer that I have seen, so far… any idea what board/marketplace had this one for sale?

Comments are closed.