Recent local news stories about credit card skimmers found in self-checkout lanes at some Walmart locations reminds me of a criminal sales pitch I saw recently for overlay skimmers made specifically for the very same card terminals.
Much like the skimmers found at some Safeway locations earlier this year, the skimming device pictured below was designed to be installed in the blink of an eye at self-checkout lanes — as in recent incidents at Walmart stores in Fredericksburg, Va. and Fort Wright, Ky. In these attacks, the skimmers were made to piggyback on card readers sold by payment solutions company Ingenico.
This Ingenico “overlay” skimmer has a PIN pad overlay to capture the user’s PIN, and a mechanism for recording the data stored on a card’s magnetic stripe when customers swipe their cards at self-checkout aisles. The wire pictured at the bottom is for offloading the data from the card skimmers once thieves have retrieved the devices from compromised checkout lanes.
This particular skimmer retails for between $200 to $300, but that price doesn’t include the electronics that power the device and store the stolen card data.
Here’s how this skimmer looks when it’s attached. Think you’d be able to spot it?
Walmart last year began asking customers with more secure chip-enabled cards to dip the chip instead of swipe the stripe. Chip-based cards are more expensive and difficult for thieves to counterfeit, and they can help mitigate the threat from most modern card-skimming methods that read the cardholder data in plain text from the card’s magnetic stripe. Those include malicious software at the point-of-sale terminal, as well as physical skimmers placed over card readers at self-checkout lanes.
In a recent column – The Great EMV Fake-Out: No Chip for You! – I explored why so few retailers currently allow or require chip transactions, even though many of them already have all the hardware in place to accept chip transactions.
For its part, Walmart has deployed chip-enabled readers, and last year began requiring customers with chip cards to use them as such. Indeed, it’s interesting to note that the Ingenico overlay skimmer pictured above also includes the slot at the bottom center of the device where customers can insert a chip card, although in these recent skimming incidents at Walmart the thieves were no doubt hoping more customers would simply swipe.
The Mercator Advisory Group notes that only 60 percent of all credit cards in the United States have been updated with chip cards, with debit cards lagging further behind. Even so, only 20 percent of card terminals in the U.S. have been activated for chip use as of April 2016, Mercator found.
The United States is the last of the G20 nations to move to chip-based cards — much to the delight of fraudsters and organized cybercrime gangs that have siphoned tens of millions of credit and debit cards in major data breaches at retailers these past few years. Financial industry consultant Aite Group predicts that credit card fraud stemming from hacking will reach a record level in 2016 — $4 billion. Aite Group says fraudsters are busy milking this cash cow for all it’s worth as U.S. merchants start to pivot toward chip-card transactions.
Update, 12:41 p.m. ET: Corrected location of Kentucky Walmart.
The worst part about this is it takes 10 business days to get the replacement card. Oh, if I wanted it quicker, it would be $60. Luckily I have another account I can transfer money to. Getting cash from an out of state bank is tedious.
My card was compromised on May 30 at Wal-Mart in Wake Forest, NC. Got the call today (5-31) that it was shut down. A transaction took place in Orlando, FL for $50. At the store, my card “timed out” twice for $28.27. The clerk said that had been happening earlier in the day. This was in the garden center at Wal-Mart.
Interesting. I had the exact same issue, with the exact same amounts at a Wal-Mart in TX.
I wonder if this is some time of technique buyers of stolen CC numbers use.
Not sure where you live but, this is one of so many reasons I use a credit union. I can walk in anytime and get a replacement card in about 5 minutes at UFCU in Austin. The replacement is printed in the bank but, you still have to wait 2 weeks to get a new card with a chip.
Based on the photo, they had time to pull the entire reader off the register. Pop the cover. Install the device inside and put it back without being seen? Wow.
No, they didn’t have to pull the reader off or install the device inside the reader. The skimmer is an overlay that simply attaches to the face of the reader. There is actually video of this incident showing this guy attach the skimmer overlay to the face of the reader. It took him about 2 seconds.
The only “hack” here is the guy writing the headline.
I’d be checking into the subcontractors hired by NCR, through the various outsourcing sites. With all these pin pad projects being posted and the compensation is dirt, yet the work is still being done, maybe one or more of the technicians have found a way to make it worth their while?
I am really Tired of the practice of Wal-Mart making it more challenging in my opinion to run the debit card with a chip as credit (so I can use a Signature instead of entering my PIN number – lessening the risk of exposure for my card to be compromised in a breach). Wal-Mart is suing/sued VISA to require Chip and Pin transactions as they say it does not reduce the risk of fraud if signature is used. (It also costs them more per transaction in transaction fees when you choose a signature method or use a credit instead of a debit card) – as it does every retailer.
I see both sides. If there is flaw in my logic feel free to chime in.
Yes, there is a flaw in your argument.
1) With mag stripe and signature: the mag stripe can be duplicated on another card and any signature attached to the false card. – highest risk
2) With chip and signature: you need the real card because of the chip (providing the company is smart enough not to allow swipe any more) but if someone gets your real card they also have the sample of your signature from the back of the card (didn’t sign the card? they can put any signature they like on your card) – reduction of risk from skimming but not from theft
3) With chip and pin: getting the real card is not enough because the crook now also needs your pin number which should not be written down in your wallet. There is still the risk of theft from the internet where chip is not supported but this shuts down much of the theft at brick and mortar store. – Lower risk
My walmart has fixed that. I was pissed when thwy started doing signiture only. Anyone can take my card and sign. After months of complaints they finally stopped using the chips for a while. They recently started using them again but now finally require a pin number. My complaint tho wasnt only that of the signature (which was the biggest issue) but made sure to complain that it makes it impossible to get cash bk when and if we need it.
Walmart in Lawrenceville, GA has excessive fraud issues. Someone skimmed my card & either sold my info or created a new card and used it for $153 purchase. They swiped the card and cashier never asked for ID to verify the signature. This is the second time in a month. Good news is that although USAA said it would take 10 days to get a new card, they also offered expedited shipping so I got a replacement card within 3 days. Walmart needs to step up their policies and procedures to protect their shoppers.
To give you a heads up: It is against the retailer agreement to ask for an ID for credit card use, unless, the card is not signed. If you don’t sign the card, you have not agreed to the banks terms.
It’s happening in Illinois too. Just happened to me this week. I shop at the Joliet Walmart and use self checkout. Found out when a $99 charge was made at a Niles IL Walmart using my card that was never lost. The only way this could have happened is if my card was cloned. Couldn’t believe it!!
Just had my card compromised a week and a half ago couldn’t figure out where or how, well now I know long story short I had shopped at Walmart in southern California earlier that morning and by that evening my card was shut down due to three transactions in oakland. The first two went through from shell one for 50.00 and another for 9.00 the last one was denied for 10 @ a jenny Craig. Thank goodness our bank caught it in time could have been worse. I was refunded my money and have to file a police report. Sad that now days you can’t even shop in a store in peace
the only question I have about this going to a chip transaction is…how is it anymore secure..??? I mean I could run my chip card, go outside and lose my card and the next person can find the card, come back inside and run it up, becuz with the chip you don’t need a pin number just sign the name that is on the card. I think going to the chip was a huge mistake
It’s NOT just self serve lines any longer either. We used our card at a full service line Monday and woke up this morning with $500.00 plus fees stolen via ATM from our account. Good news, because we belong to a Credit Union we got another debit card right away, bad news, because we belong to a credit union they don’t have “chipped” cards yet and it’ll take 4 or so days to get our money back. We’re seniors and OK..but for other folks that might be rough. I AM threatening to pull all accounts out of this CU unless they hurry with the chipped cards. If Walmart doesn’t want you to use the chip push in…don’t go there…I’m certainly not about to start carrying cash..
Now that MCX is defunct, maybe Walmart will consider finally allowing NFC payments. In my opinion, NFC is a much better solution that chip cards.