In Dec. 2015, KrebsOnSecurity warned that security experts had discovered skimming devices attached to credit and debit card terminals at self-checkout lanes at Safeway stores in Colorado and possibly other states. Safeway hasn’t disclosed what those skimmers looked like, but images from a recent skimming attack allegedly launched against self-checkout shoppers at a Safeway in Maryland offer a closer look at one such device.
The image above shows a simple but effective “overlay” skimmer that banking industry sources say was retrieved from a Safeway store in Germantown, Md. The device is designed to fit directly over the top of the Verifone terminals in use at many Safeways and other retailers. It has a PIN pad overlay to capture the user’s PIN, and a mechanism for recording the data stored on a card’s magnetic stripe when customers swipe their cards at self-checkout aisles.
Safeway officials did not respond to repeated requests for comment about this incident.
My local Safeway in Northern Virginia uses this exact model of Verifone terminals, and after seeing this picture for the first time I couldn’t help but pull on the terminal facing me in the self-checkout line on a recent store visit, just to be sure.
Many banks are now issuing newer, more secure chip-based credit and debit cards that are more expensive and difficult for thieves to steal and to counterfeit. As long as retailers continue to let customers avoid “dipping the chip” and instead allow them to “swipe the stripe,” these skimming attacks on self-checkout lanes will continue to proliferate across the retail industry.
It may be worth noting that this skimming device looks remarkably similar to a point-of-sale skimmer designed for Verifone terminals that I wrote about in 2013.
Here’s a simple how-to video made by a fraudster who is selling very similar-looking overlay skimmers for Verifone point-of-sale devices; he calls them “Verifone condoms.” As we can see, the device could be attached in the blink of an eye (and removed quickly as well). The device in the video is just a shell, and does not include the POS PIN pad reader or card reader.
All the complex solutions to this problem are, in our opinion, unnecessary. We’ve found the safest (and quickest) method of payment at such checkouts is good, old-fashioned, anonymous cash. Over three decades after having left the nest, never have we lost any cash or had any stolen. We’ve suffered no post-purchase pilfering from our accounts, and never had to recover from ID theft. If you must use a card, at least use a credit card and not a debit card. If there’s a dispute, and you refuse to pay, you’ll have everyone’s attention. With the debit card, you have to rely on your bank’s promise of help.
Can your diagram “The Value of a Hacked Email Account” be used to promote security awareness in a business? I thought it was awesome.
The behaviors (I would guess plural due to extinction burst situation) of pulling on the machine, visual inspection, etc. are an attempt to validate the system. As I have pointed out in the past, the model is based on validating the user/card. Thus we see that even if the system works flawlessly it only addresses half the problem.
You are correct in that the consortium has created the problem of swiping first…even the largest banks have ‘swipe only’ in branches, which reinforces the ‘swipe first, then chip if that fails’ behavior. Given decades of swiping, unless they produce chip only cards w/o mag swipe, the behavior is likely to persist. With the ability to hide the costs of fraud with risk shifting shell games the losses have been ultimately socialized (higher fees, transaction costs, interest rate, etc.).
The good news in my opinion is now more people are starting to understand the problem. Your work in that area continues to be extremely helpful.
Only recently did Kroger finally get on board with using chip-based technology. However, my question is when will gas stations start putting chip-based tech on pumps?
Probably not for a while. Sources:
Bottom line: Self-serv and pay gas pumps were apparently exempt from the EMV liability shift last year. They’ve got an additional 2 years beyond the Oct 2015 date to comply.
And seeing as how damn near half the places I shop aren’t even ready for chipped cards (or for some abysmally unfathomable reason have the equipment but not the “software”) despite not being exempt from the liability shift, I have trouble seeing most of the gas station corporations meeting that deadline. Yeah, I’m cynical about seeing EMV’d gas pumps by October 2017.
Just returned from a tire store. The store has the Verifone system from this article, and it also includes an NFT for Apple or Google on top of the Verifone. The Verifone plays animations as a screen saver. The manager told me that the chip card reader and the NFT don’t work. I swiped my card as a credit card.
It would be interesting to know how often retailers check their credit card equipment. This is an all too common threat. Maybe they should check the terminal once every two weeks or maybe once a week. Maybe a procedure is needed so that the Store Manager can do the check?