03
Feb 16

Safeway Self-Checkout Skimmer Close Up

In Dec. 2015, KrebsOnSecurity warned that security experts had discovered skimming devices attached to credit and debit card terminals at self-checkout lanes at Safeway stores in Colorado and possibly other states. Safeway hasn’t disclosed what those skimmers looked like, but images from a recent skimming attack allegedly launched against self-checkout shoppers at a Safeway in Maryland offers a closer look at once such device.

Safeway Store, Germantown, Maryland

A skimming device made for self-checkout lanes that was removed from a Safeway Store in Germantown, Maryland

The image above shows an simple but effective “overlay” skimmer that banking industry sources say was retrieved from a Safeway store in Germantown, Md. The device is designed to fit directly over top of the Verifone terminals in use at many Safeways and other retailers. It has a PIN pad overlay to capture the user’s PIN, and a mechanism for recording the data stored on a card’s magnetic stripe when customers swipe their cards at self-checkout aisles.

Safeway officials did not respond to repeated requests for comment about this incident.

My local Safeway in Northern Virginia uses this exact model of Verifone terminals, and after seeing this picture for the first time I couldn’t help but pull on the terminal facing me in the self-checkout line on a recent store visit, just to be sure.

Many banks are now issuing newer, more secure chip-based credit and debit cards that are more expensive and difficult for thieves to steal and to counterfeit. As long as retailers continue to allow customers to avoid “dipping the chip” and instead allow “swipe the stripe” these skimming attacks on self-checkout lanes will continue to proliferate across the retail industry.

It may be worth noting that this skimming device looks remarkably similar to a point-of-sale skimmer designed for Verifone terminals that I wrote about in 2013.

Here’s a simple how-to video made by a fraudster who is selling very similar-looking overlay skimmers for Verifone point-of-sale devices; he calls them “Verifone condoms.” As we can see, the device could be attached in the blink of an eye (and removed quickly as well). The device in the video is just a shell, and does not include the POS PIN pad reader or card reader.

Tags: , , , ,

85 comments

  1. So what can joe/jane customer do at the self-checkout (or regular checkout) to see if the pad is fake ?

    • Exactly what Brian did: yank on it. Try to avoid stores that don’t take chipcards, and default to the chipcard, don’t swipe. If that’s unavailable, I use Android Pay, since that generates a card number for just that transaction.

      Just pull on and generally be suspicious of anywhere your sticking your card.

      • *you’re…

        • Yes I use Android Pay/Apple Pay for this reason also – the virtual card number is handy. Though I have not linked any debit cards to Android Pay.

          Apparently a few banks are going to start to roll out Android Pay/Apple Pay at their ATMs, but while I appreciate the security of the physical transaction for cards, I’m not convinced I want my debit card stored with my Android/Apple account.

      • I always feel like a nut for tugging on the card reader and pin pad area 🙂

        I also make sure to press all the numbers in PIN pad first before inserting my card to make sure they all work and aren’t stuck.

      • That seem professionally cast. Not a simple overlay. Naturally, if one could have seen the back, and seen if the unit was a cover, or a replacement, that screwed on, one would have been able to justify the tug comment. So now the stores will have to vet the cleaning crews, and the loafers who hang around the front end? Plus many of the devices, that have a motion detector, will fail if yanked. Then default to the register. So what can the customer do? Shake the register? Like a piggy bank till the cops take you away? Snorting coffee…

    • First and foremost, never use the debit always opt the payment a credit along with a quick review of your monthly card statement (or turning on email/test notifications from your credit card bank).

      • I agree, but some vendors don’t allow this. No matter what we tried, CVS would not accept our debit card as “credit” to avoid entering a PIN. We won’t go back. Unfortunately you don’t know who imposes these draconian restrictions until you check out.

        • Why do you try to use a debit card as CC?
          Just use a CC.

        • I believe there’s some (probably dumb) issue with chipped debit cards and actually using them as debit cards. So some stores have just gone the route of disabling debit.

          • That’s just stupid. Retailers don’t have to pay the swipe fee for a debit card transaction (the bank does), but they do for a credit card transaction.

      • Personally, I say the opposite. You know how much you can lose.
        1. Have a cheap debit card. One that you have to refill by depositing cash into.
        2. Keep a bank account separate from the internet.
        3. If you have a account, at a bank, use it only for check deposit on the internet. Make sure your bank knows that. Make yourself go to the bank for withdrawals.
        The logic, limit your loss. Only you know how much you can lose. If the account is tied to your bank, you can lose it all, a debit card with the amount you deposited, you can lose the card. Therefore you can go to the new Safeway sale. Or pay cash, just to be safe, way?

    • The self checkouts i go through, i just use paywave. I actually use paywave for everything that accepts it, so don’t have to worry about inserting my card unless its over $100.00 then i have to remember what my pin is. The self checkouts also always have someone watching them.

      • Many times I have gone through the Kroger self check and there is no one in sight unless there is a problem. Walmart has so many self checkouts with only one person working it, there is no way they can watch everyone checking out at once.

  2. @George…I make it a habit to give a slight tug on all terminals (gas station, grocery store, etc) prior to inserting my card. Never hurts.

    • I do the same thing Brian mentions. Every POS terminal/kiosk, even ATM machine (and the ones at my bank and/or at a Wawa) I yank, push, twist, side-to-side,up and down to make sure that thing is genuine. No luck thus far finding a fraudulent device. Which is good thing I suppose.

  3. I look for dust or dirt that settles on horizontal surfaces of readers to indicate that the reader has not been disturbed by a scammer recently.

    If I see dust or dirt it most likely is genuine.

    • Actually that is what I do too!

      • That is a good idea. There should definitely be some wear patterns, dirt, etc on the unit. If not, then its worth asking an employee whether they received new units recently.

        Moreover, in the case that there are multiple terminals, look at the other units too and see if they all look the same age. If only a few look brand new, that would be a very odd sign.

  4. So who actually takes chip cards in the US? I’ve seen no one except Walmart and Target. I’ve been told no one else has the backend set up correctly. Not that they don’t have the readers, they don’t work with an actual chip card entered.

    • Amazing when it’s Walmart that leads the pack.

      • Walmart own ASDA in the UK so they’ve been dealing with chip’n’pin cards for 10 years now.

      • The tiny local independently owned pet boutique where I buy catfood was the first place I ever saw that used it. Even before Target/Walmart.

    • Home Depot does. Last visit there about a month ago, I swiped as usual and it didn’t work, cashier asked me to insert the chip to continue.

      • Just realized this: If you see a chip slot on the terminal ask first if its operational before swiping the stripe. If its a chip and stripe terminal, and you swipe your card first a skimmer can still grab your magnetic card info before you switch to using the chip.

        So from now on, I’m just going to ask first and default to chip unless they tell me otherwise 😉

    • My local Walgreens store has enabled the chip slot on their terminals.

    • Rite Aid is another one that has the chip enabled, and at the store I visited the system would not let me swipe with a chip card.

      Another Krebs-related observation: at a newish Wawa convenience store I noted that their ATMs have little enclosures around the keypad, presumably to make PINs harder to see for both cameras and shoulder surfers.

    • I was very pleasantly surprised to discover my local independent auto mechanic already takes chip.

    • Trader Joe’s in SE Michigan seems to take chip cards now.

    • Target has been taking chip cards for more than six months.

    • I find that it is easier to find places that take Android Pay than it is to find places that take the chip. I am not that fussy either way – I can deal with both. But if the only credit card option is to swipe I will probably use cash.

      For Android Pay, I have had success at Harris Teeter, Lunds, Whole Foods and Walgreens.

  5. I don’t know what to pull on

  6. I’ve gone old-school. I pay cash. Anonymous, skimmer-proof, tangible. Who knew?!

    • Well, that cash came from some machine at some point, which you extracted with a card, unless you just keep a box with millions of dollars in cash in it at home.

      • There’s always the old-school method of going to the bank and cashing a check. I’ll do that sometimes to get $5 and $10 bills; I don’t like to use the card for every little thing and as an ex-retail worker I try not to drain the register by using $20s for small purchases.

      • Or, you know, just like walk into a bank and withdraw money?

      • What “Million Dollar Box [of cash]”? For in-person purposes I use either CASH (I seldom need more than a hundred dollars on-hand) or a hand written check from my normal checking account. The cash I use is based upon my normal spending habits, and is easily replenished by once or twice a month cashing a check at my bank for no fee.

        For on-line purchases I use one specific credit card.

        • None of the retailers around me take checks anymore. Literally, none of them. Even the old guy at the dry cleaners has a little sign, “no checks”. This might have something to do with the wall of bad paper that every store used to have on display next to the register.

          In my neighborhood it’s about 1/3 chip acceptance. The first one was the small independent wine shop.

    • I’ve gone new school, Cashless all the way.

      • Matt: I find it difficult to understand your (and others) rationale for going ‘cashless’ unless you are fully dependent upon using some form of credit to extend your purchasing power.

  7. Interesting. I’d love to know who installed these and when. Grocery story checkout lanes are heavily monitored by video cameras. So, was it a customer during the day at a peak hour? Was it a store employee in collusion with the security team? Were they delivered to the stores with the skimmers already attached. Was it the butler in the dining room with the candle. Would love to learn more Krebs _ keep digging! You’ve obtained quite a collection of skimmer pics.

    • If these skimmers can be jostled loose by pulling on them, why don’t these stores, as a matter of daily routine, have the manager or asst manager check each device at opening and at closing of the day procedure? Seems like a fairly simple, straightforward security check. Also agree, how do they get installed and who is watching the store??

  8. Trader Joe’s in California takes chip.

  9. You commented about retailers not “dipping the chip”. I was at my local Northern Virginia Safeway yesterday and the chip card slot was covered with tape to prevent its use. I did not ask the cashier about this, but maybe Safeway has customers trying to use that slot because they dip their cards at other locations and since Safeway is not yet dipping chips they want to avoid customer confusion.

    • My local grocery store has what look like the chip readers but when i tried to use it she told me no. She told me that the slot was for those Welfare cards only, not chip/pin.

      Really though i think they have the ability but have not enabled it…. Also this grocery store is Tom Thumb which is the same as Safeway so I was pretty disappointed to have to keep swiping my card.

  10. There was a post on the trendmicro blog from back in March of 2014 with a similar picture. The post claimed that a cybercriminal named Gripper was using a 3D printer to mass produce fake versions of the actual VeriFone terminals themselves. However, the pictures on this old post look so similar to the skimmer enhanced terminal ‘skin’ that Brian has pictured that I suspect the same technology is probably involved. The original post is here: http://blog.trendmicro.com/trendlabs-security-intelligence/mass-produced-atm-skimmers-rogue-pos-terminals-via-3d-printing/

  11. “Similar attempts have stumbled. Safeway, the grocery chain, isn’t a member of MCX, but it’s offered a bank-account-linked payment card called Fast Forward since 2013. It’s still only available in certain counties in California, and doesn’t seem to have gained much traction, despite Safeway offering discounts on gasoline purchases.”

    http://readwrite.com/2014/10/29/currentc-mcx-doomed

    Safeway, not being handcuffed by being a Walmart/MCX/CurrentC partner, would do well to accelerate their transition to Chip/NFC terminals and also start accepting secure systems like ApplePay.

  12. Since reading Krebs, I always check the terminals first. When I do have to hand it to a clerk, I watch them closely. It’s a different world.

  13. Seems like every terminal I encounter in daily life has a slot for chip-and-pin but almost none actually accept it. “Our system doesn’t do that yet” or “Yeah, that doesn’t work.” The only exception that comes to mind is Target, who won’t let you swipe a chipped card. That’s nice to see, but it’s disconcerting the number of terminals where this *should* be in use but isn’t.

  14. It’s interesting to see people nowadays tug on and inspect down the throats of card readers before inserting cards into them. And how a number of retailers have put metal privacy enclosures around their VeriFone readers.

  15. My local Safeway said they check their terminals weekly for skimmers

  16. Yeah and to top this off the last time I paid cash and gave the guy a $50 he pulls a $5er out of his pocket and tells me that I didn’t give him a $50. POS skimmers…

  17. My company specializes in physical security and we have our clients as part of their daily security routine check all card transaction machines for any signs of tampering. Employees are expected at the end of their shifts to sign off that they have physically checked the terminals.

    It’s a simple step that any size company can do.

  18. *All* retailers in Australia, small and large, require use of the chip and pin. No pos terminals accept a swipe anymore.

    • The same goes foe EU since 2005. They have moved on to introduce NFC transactions before apple/android pay was invented. If a non-chipped CC is being used, the retailer is responsible if the card is fraudulent. The NFC chip is now default on every new banking card an I received a new Amex card with one embedded yesterday. Tranactions below 25 euro are accepted w/out PIN, above the PIN is asked. To protect against wireless skimming I found out that having two NFC enabled cards together in my wallet works flawless. As I’m now practically cashless I recently was given a SecrID. Very handy and NFC protection build in :).

  19. I’ve had my card number stolen once or twice. I’ll find some small random charge like $200 for something. But guess what, the bank reverses it, no questions asked.

    I stopped using credit cards a few years ago. I have no credit card debt now. Use the debit for everything, if I don’t have money to pay for it, I don’t buy it.

    I’m not terribly over concerned if someone steals my number, I bank with one of the top 3 banks in the US. They protect me in these cases.

  20. Don’t use the self check out as BK points out that’s where the problem (s) occurred.

  21. CVS uses the chip slot here in California

  22. Thaumatechnician

    One way to combat this is to make the terminal, or at least the part where the card is inserted, transparent.

    There is at least one retailer in Canada that does this, the card slot for the ATMs in the store is transparent, albeit coloured. A skimmer cover would be apparent to almost anyone.

  23. I’ve gotten chip cards from my bank and AmEx now, but many of the POS machines that I use in North Carolina don’t have the chip enabled, making it virtually impossible to use the safer technology.

  24. How about the stores putting a simple camera over the checkout lanes to identify the people that try to install one of these devices?

    • Camera monitoring is only useful if there’s a rapid [manager/security/AP] response to anything fishy. My store doesn’t have anyone watching the screens, instead the burden falls on us grunts to “let them know” (but we’re forbidden from taking any action)…typically by the time anyone in a position to do something gets there the culprit is gone. It wouldn’t be hard if the store’s crazy busy, there’s one attendant and they’re tied up with pointless ‘calls for assistance’ (someone needs their hand held, doesn’t know what a melon looks like, etc)

  25. I live in the San Francisco Bay Area in a smallish suburban community with only one full service grocery store. There is also a Safeway in the next town over, plus Trader Joes and Sprouts. Most of my Visa debit purchases are for groceries. Trader Joes accepts Apple Pay and Chip. . Safeway in my area accepts no Apple Pay, no chip readers (installed not functioning) and no self checkout. I end up going to two or even three out of town stores for groceries and I think in the year I have had my chip card I have used it once other than at Trader Joes. One thing I have to buy weekly is gas, and I have resorted to getting cash back when getting groceries, and buying gas in $40 transactions. My bank which is Wells Fargo now sends me daily emails of purchases paid with my card and my spouse’s card. That way at least I can stop the bleeding sooner than waiting to view the statement.
    I quit using Quicken (too buggy, too expensive, no customer service) and I changed every bill I have over to ACH. But not having a way to download various checking and CC accts to one program makes budgeting and paying cards on time a pain. There seems to be no easy way to be safe from skimmer theft. One can carry cash but that is a very unreasonable solution for purchases of family groceries where on order can exceed $200.

  26. Perhaps I missed it, but I don’t see any discussion here about HOW this skimming device was actually installed in the first place? Normally, the self-checkout lanes are pretty well lit and visible and also manned by an employee, so it would be pretty hard to install it in front of everybody. How, then, could this be anything but an inside job?

    • >> ? Normally, the self-checkout lanes are pretty well lit and visible and also manned by an employee

      Not at off hours. There is a constant parade of vendors coming and going all night long, and the front of the store is deserted. It’s the easiest place I can think of to install a skimmer, except maybe at an unattended ATM with no foot traffic and poor lighting.

  27. Actually most merchants have EMV terminals. It has been the standard terminal issue for the last 5 years+. Normally if the merchant isn’t taking Chip they have a plastic blocker plate in the bottom of the terminal. A lot merchants are just waiting for their EMV scripts to fire off. This of course comes at a cost from their processor. For some reason the one of the most puzzling places where I found that the terminals were not capable of inserting a Chip card were at Las Vegas casinos last year. Hopefully they have changed by now.

    Also, while it might seem like a good thought to avoid POS terminals that do not default to Chip you will run into issues with that plan at your bigger stores. All of the big box stores (dependent on store) might do a PIN bypass and/or go straight to fallback (swipe) for all of their transactions just to speed through the lines. This means you will be swiping even though they are EMV capable.

  28. How about photos of skimmers that readers encounter? Reminds me of the 2600 back cover photos of foreign telephone booths.

  29. Hey,
    Thanks for sharing this informative article with us 😉

  30. The new chips on my card have not been very useful as only 2 stores have the reader activated, so I end up swiping anyway. Is there any deadline for these merchants to activate their chip readers?

    • There’s no actual “deadline” by which they MUST accept chip cards. But the effective one was last October. Beginning October 1, 2015 merchants became liable for fraudulent “swipe” transactions. So they can keep accepting them as long as they can stand the losses.

      Of course, at some point, the mag stripe will disappear as it has done in some [many?] countries. But that’s a few years off yet.