If you hand your credit or debit card to a merchant who is using a wireless point-of-sale (POS) device, you may want to later verify that the charge actually went through. A top vendor of POS skimmers ships devices that will print out “transaction approved” receipts, even though the machine is offline and is merely recording the customer’s card data and PIN for future fraudulent use.
This skimmer seller is a major vendor on one of the Underweb’s most active fraud forums. Being a “verified” vendor on this fraud forum — which comes with the stamp of approval from the forum administrators, thus, enhancing the seller’s reputation — costs $5,000 annually. But this seller can make back his investment with just two sales, and judging from the volume of communications he receives from forum members, business is brisk.
This miscreant sells two classes of pre-hacked wireless Verifone POS devices: The Verifone vx670, which he sells for $2,900 plus shipping, and a Verifone vx510, which can be had for $2,500. Below is a video he posted to youtube.com showing a hacked version of the vx510 printing out a fake transaction approval receipt.
From the seller’s pitch: “POS is ‘fake’ and stores D+P [card data and PIN], prints out approved receipt or can be setup for connection error. Software to decrypt the data is provided. It keeps d+p inside memory for manual retrieval via USB cable.”
These types of hacked POS systems, known as “offline POS skimmers” in the Underweb, are marketed for suggested use by miscreants employed in seasonal or temporary work, such as in restaurants, bars or retail establishments.