May 25, 2016

Recent local news stories about credit card skimmers found in self-checkout lanes at some Walmart locations remind me of a criminal sales pitch I saw recently for overlay skimmers made specifically for the very same card terminals.

Much like the skimmers found at some Safeway locations earlier this year, the skimming device pictured below was designed to be installed in the blink of an eye at self-checkout lanes — as in recent incidents at Walmart stores in Fredericksburg, Va. and Fort Wright, Ky. In these attacks, the skimmers were made to piggyback on card readers sold by payment solutions company Ingenico.

A skimmer made to be fitted to an Ingenico credit card terminal of the kind used at Walmart stores across the country. Image: Hold Security.

This Ingenico “overlay” skimmer has a PIN pad overlay to capture the user’s PIN, and a mechanism for recording the data stored on a card’s magnetic stripe when customers swipe their cards at self-checkout aisles. The wire pictured at the bottom is for offloading the data from the card skimmers once thieves have retrieved the devices from compromised checkout lanes.

This particular skimmer retails for between $200 and $300, but that price doesn’t include the electronics that power the device and store the stolen card data.

Here’s how this skimmer looks when it’s attached. Think you’d be able to spot it?

Image credit: Hold Security.

Walmart last year began asking customers with more secure chip-enabled cards to dip the chip instead of swipe the stripe. Chip-based cards are more expensive and difficult for thieves to counterfeit, and they can help mitigate the threat from most modern card-skimming methods that read the cardholder data in plain text from the card’s magnetic stripe. Those include malicious software at the point-of-sale terminal, as well as physical skimmers placed over card readers at self-checkout lanes.
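A simplified model of that difference, added here as an illustration and not taken from the article or from any payment specification: the stripe presents the same static bytes on every swipe, while the chip computes a fresh keyed code for each transaction. The class names, message fields and the HMAC-SHA256 construction are assumptions chosen for this sketch; real chip cards use their own cryptogram algorithms.

```python
import hashlib
import hmac
import secrets


def cryptogram(key: bytes, atc: int, amount_cents: int, nonce: bytes) -> bytes:
    """Toy per-transaction code: a MAC over counter, amount and terminal nonce."""
    msg = atc.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class ChipCard:
    """Holds a secret key and a transaction counter (ATC) that only goes up."""

    def __init__(self, card_id: str, key: bytes):
        self.card_id = card_id
        self._key = key  # in this model the key never leaves the chip
        self._atc = 0

    def sign(self, amount_cents: int, nonce: bytes) -> dict:
        self._atc += 1
        return {
            "card_id": self.card_id,
            "atc": self._atc,
            "amount_cents": amount_cents,
            "nonce": nonce,
            "mac": cryptogram(self._key, self._atc, amount_cents, nonce),
        }


class Issuer:
    """Toy issuer host that authorizes swipe and chip transactions."""

    def __init__(self):
        self._stripe = {}    # card_id -> static stripe bytes
        self._keys = {}      # card_id -> chip key
        self._last_atc = {}  # card_id -> highest counter accepted so far

    def enroll(self, card_id: str, stripe: bytes, key: bytes) -> None:
        self._stripe[card_id] = stripe
        self._keys[card_id] = key
        self._last_atc[card_id] = 0

    def authorize_swipe(self, card_id: str, stripe: bytes) -> bool:
        # Static data: any byte-for-byte copy is indistinguishable from the card.
        expected = self._stripe.get(card_id)
        return expected is not None and hmac.compare_digest(expected, stripe)

    def authorize_chip(self, msg: dict) -> bool:
        key = self._keys.get(msg["card_id"])
        if key is None:
            return False
        if msg["atc"] <= self._last_atc[msg["card_id"]]:
            return False  # counter already seen: a replayed message
        expected = cryptogram(key, msg["atc"], msg["amount_cents"], msg["nonce"])
        if not hmac.compare_digest(expected, msg["mac"]):
            return False  # fields were altered, or the sender lacks the key
        self._last_atc[msg["card_id"]] = msg["atc"]
        return True


def demo() -> dict:
    issuer = Issuer()
    key = secrets.token_bytes(32)
    stripe = b"CONSTRUCTED-STATIC-STRIPE-DATA"  # constructed sample, not card data
    issuer.enroll("card-1", stripe, key)
    card = ChipCard("card-1", key)
    results = {}

    # Swipe: a copy of the static bytes is accepted exactly like the original.
    copied = bytes(stripe)
    results["swipe_genuine"] = issuer.authorize_swipe("card-1", stripe)
    results["swipe_copy"] = issuer.authorize_swipe("card-1", copied)

    # Chip: the recorded message is valid once, then useless.
    recorded = card.sign(2599, secrets.token_bytes(4))
    results["chip_genuine"] = issuer.authorize_chip(recorded)
    results["chip_replay"] = issuer.authorize_chip(dict(recorded))

    # Raising the counter on the recorded message breaks the MAC.
    bumped = dict(recorded, atc=recorded["atc"] + 1)
    results["chip_bumped_counter"] = issuer.authorize_chip(bumped)

    # The real card keeps working because it can sign the next counter value.
    results["chip_next_genuine"] = issuer.authorize_chip(
        card.sign(1000, secrets.token_bytes(4))
    )
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:22s} accepted={accepted}")
```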

In a recent column – The Great EMV Fake-Out: No Chip for You! – I explored why so few retailers currently allow or require chip transactions, even though many of them already have all the hardware in place to accept chip transactions.

For its part, Walmart has deployed chip-enabled readers, and last year began requiring customers with chip cards to use them as such. Indeed, it’s interesting to note that the Ingenico overlay skimmer pictured above also includes the slot at the bottom center of the device where customers can insert a chip card, although in these recent skimming incidents at Walmart the thieves were no doubt hoping more customers would simply swipe.

The Mercator Advisory Group notes that only 60 percent of all credit cards in the United States have been updated with chip cards, with debit cards lagging further behind. Even so, only 20 percent of card terminals in the U.S. have been activated for chip use as of April 2016, Mercator found.

The United States is the last of the G20 nations to move to chip-based cards — much to the delight of fraudsters and organized cybercrime gangs that have siphoned tens of millions of credit and debit cards in major data breaches at retailers these past few years. Financial industry consultant Aite Group predicts that credit card fraud stemming from hacking will reach a record level in 2016 — $4 billion. Aite Group says fraudsters are busy milking this cash cow for all it’s worth as U.S. merchants start to pivot toward chip-card transactions.

Footage of crooks installing the card skimmers at a Walmart self-checkout terminal in Kentucky this month. Source: WLWT.

Update, 12:41 p.m. ET: Corrected location of Kentucky Walmart.


123 thoughts on “Skimmers Found at Walmart: A Closer Look”

  1. sirk

    Every once in a while I see something like this and think it must be kind of fun to spend your day inventing ingenious evil contraptions.

    1. Craig

      Sure, but these things only facilitate stealing money. Wouldn’t it be much more fun to invent an evil contraption to destroy the world?

      1. John Miller

        That’s already been invented. We call them `politicians`.

        1. Zelco Munye

          Painful but true words, Mr. Miller. Painful but true. = /

        2. Jonathan Jaffe

          We didn’t invent poli-tic-ians, they mutated like all bacteria.

      2. sirk

        Then where would we spend the skimming money? Think, Craig.

      3. BTDT

        Been there, done that. They’re called “fracking wells” and already two cities have been destroyed, New Orleans in 2005 and Ft. McMurray just a couple of weeks ago. The IPCC predicts seriously apocalyptic consequences by 2100.

        1. Nooneyouknow

          Fracking caused Katrina? Riiiiiight…

          What flavor of Kool-Aid are you guys drinking?

      4. Bob E

        Pinky: What are we going to do tonight Brain?
        Brain: We’re going to build a zillion card skimmers, deploy them, and TRY TO TAKE OVER THE WORLD!

  2. JoJo

    Would using Android Pay keep you safe from these skimmers? I assume it would.

    1. Pup Dawg

      Yes. Android Pay sends a unique transaction code that can only be used once. Also Apple Pay and even Samsung Pay (even though it can also use the older magnetic readers – it also generates a unique transaction code).

  3. 0.o

    Why can’t all retailers accept Apple Pay/ Google wallet already?

    1. JoJo

      I had just posted a question asking if Android Pay would protect from these skimmers but I guess the moderator thought it wasn’t a good question and it didn’t allow it to post.

      1. BrianKrebs Post author

        @JoJo — I barely have enough time to read half the comments let alone moderate them. For whatever reason, your comment was flagged by my anti-spam system. It is now approved. Have a nice day.

        1. Jerome

          Brian, you may want to verify your anti-spam filter. I had two comments on the LinkedIn story which were summarily denied. I think your settings may be overly aggressive.

    2. MHG

      Because not every bank or retailer accepts Apple Pay or Android Pay and some smartphones don’t have NFC chips and / or are too old to install the supporting app(s)

      1. MichaelK

        Because ApplePay/AndroidPay are pushed by the card issuers. And the Walmart-started MCX (Merchant Exchange) organization requires its members to refuse to support ApplePay/AndroidPay and to only support the MCX wallet solution, which is based on QR codes (square barcodes), not on NFC.

        That is an outcome of the Issuers vs Merchants battle over who “owns” you, the customer, and your data.

          1. SeymourB

            Not really, since only high end Samsung phones support Samsung Pay, and the overwhelming majority of phones Samsung (as well as all Android manufacturers) sell are low-end phones with limited feature sets.

            Beyond that though, one big selling point of Samsung Pay, the electromagnetic feature that mimics a card swipe, would happily transmit that data to the skimmer as well as the terminal. It’s just emitting an EM field, anything within range will pick it up.

            1. Robert.Walter

              It was my understanding that Samsung (Loop) Pay is a transaction similar to Apple Pay.

              I’m a very satisfied Apple Pay user and a big proponent of this system, however for a friend of my mom’s who uses a non chipped debit card at Walmart, and has a new Samsung phone, I am curious, does Samsung Pay (like Apple Pay):
              – issue a proxy card number for the phone in place of the number on the card?
              – use a one time randomly generated PIN code for each transaction?

              If Samsung Pay has these attributes, I am thinking of recommending it as it would be much safer than using a non chip debit card at Walmart. (Assuming her phone has the loop pay feature in it.)

              Thanks for any feedback.

              1. AG

                Samsung Pay uses a Proxy Card not your real card number. I would assume there is an added benefit to this even if the skimmer picks up the MFT from the phone. I personally attempt to use Samsung Pay as much as possible for the proxy card benefits.

                Also Samsung Pay prompts you of every single transaction made in real time, swipe, EMV, or Samsung Pay, on your device once you plug your card into the Samsung Pay software. That feature alone has instantly alerted me to some fraudulent transactions that were a result of a skimmer on the DC Metro ticket machines.

          2. Ryan

            There is a reason Samsung pay works with old card readers. It uses Magnetic Secure Transmission. So the magnetic reader in the card machine somehow is able to read whatever magnetic signal the phone is pushing out. So a skimmer that can read magnetic strips can read the magnetic pulse the phone emits. So no. Not Samsung pay FTW.

            1. tsb

              Samsung Pay doesn’t transmit the customer’s actual card number, it sends a number that is known to the processors to be associated with Samsung pay/the cardholder’s data. Samsung Pay is a fairly “ftw” solution.

              1. Ryan

                Thanks for the update. I’ll stick with iOS. 😉

                1. Jim

                  You may stick with iOS pay but remember this part. Use it like a debit card, don’t use it like a bankcard. Do not have your paycheck, bank account, or main money there. Only what you need say for the day, or for the week. One day, like credit cards, they will be hacked. Or your account will be compromised. Remember how long it takes for you to get notified of an overdraw? And there are no guarantees that you will get your monies, or account back. That, and the length of time, it takes to reroute your payroll information.

            2. Cody Barnes

              From what I understand about it, Samsung pay does not transmit the card number, even using the magnetic stripe readers. The number sent to the device is effectively a “one-time” number that cannot be reused. In fact, from what I’ve read, the Samsung pay system does not even store the card number locally. So sniffing the signal would not be useful to even the most technically advanced criminal.

              1. Pupp Dawg

                That is correct, Samsung Pay sends a one-time-use card number which would be useless to a skimmer.

        1. DM

          It’s not about who owns you, it’s about cost. The card issuer has huge leverage over the merchants. This is in the form of percentage of purchase they take for using the card.

          Merchants tried to form a system that allowed them to keep costs lower and hence keep your costs lower, they are still trying it.

          Apple Pay/Google Pay just makes 2 tech companies another layer of cost in the purchase process and gives yet another person leverage against merchants. As an added bonus, both of these issuers are direct competitors so you know that will go well for the merchants.

          The issue here is not using NFC chips 10 years ago. I went to Walmart this week and they required me to use my NFC chip and not the swipe. Times are changing, you just needed to poke the right gorilla in the cage. With Walmart properly on board the NFC boat, there will be no more quiet political donations/bribes to make that pesky NFC chip go away for another 5 years because Merica! couldn’t afford to switch like the EU did.

          1. DM

            Sorry I have NFC on the brain, it’s EV Chip in card not nfc in card. 🙂

          2. JrSec

            Unfortunately for all of us Customers, the Issuers are winning that battle at the cost of the merchants, and in turn at the cost of the price of goods we have to pay. There is currently litigation between the PCI members and a group of large merchants over this very topic; VISA wants to reserve the right to force merchants to allow the customer to choose whether to pay with swipe or chip. The merchants want the ability to lock down the card readers to only chip for 2 reasons; one, it’s more secure so they are less likely to have to deal with a breach like one of these skimmers, and two, because the fees for PIN versus Signature on each transaction are a good bit cheaper for the merchant.

            PCI kinda hates the idea of Chip; it puts more of the responsibility for security back on the issuer and transactional hops across their network, and it makes the transaction fees they are so accustomed to collecting take a direct hit. It would be a Win/Win for the merchants and customers, but a significant loss to the money hungry VISA’s of the world.

            1. Sasparilla

              Good point. And the issuers get an extra $0.07 per transaction if it’s signature based versus PIN validated. This is why we didn’t switch to Chip and PIN, but rather Chip and Signature.

              1. signaldistress

                couldn’t the reason the Chip and Sig costs more be because it takes more work to secure a signature than a pin, therefore it costs the financial institution more to secure that transaction?

                People seem to be fond of talking about the Merchant AND the Customer VS. the Issuer/Bank, but i think the reality is more like a ping pong game between Merchant and Issuer with the customer as the ball.

                1. JChas

                  It costs more for the signature because of liability. There is less fraud with the PIN so the CCC’s charge less. It all comes down to the cost of covering the fraud.

          3. Robert.Walter

            Re. “adds extra layer of cost”

            In as much as Apple Pay goes, it doesn’t add any cost for merchants or customers because Apple’s transaction fee (0.0015%) is paid by the banks (this is one reason why – another being Apple’s stringent security requirements for the banks – it has taken forever for the bank-by-bank Apple Pay sign-up process to proceed, as opposed to a network-by-network basis.)

      2. Sean

        To add to this, WMT terminals currently are not capable of reading NFC enabled phones. To switch out all of the terminals for NFC capable terminals would require millions of dollars in capital expenditures for a relatively small population of credit card users. Maybe NFC capable terminals will be rolled out as part of necessary hardware refreshes but it’s not going to happen in the immediate future.

        1. Karla

          Is this my son Sean Conway?
          If not
          You’re almost as brilliant as he is

    3. Dan

      Because I disable useless services on my phone, and I do not want my credit card details on my phone with NFC turned on. Why can’t vendors perform better diligence on security monitoring and vetting of contract labor that comes in to perform maintenance on their point of sale systems? At the very least it should require 3 people to perform the operation. 1) The Technician 2) The Store Manager 3) and the Cashier to stand there and watch as the maintenance is completed. The Store Manager and Cashier should then have to inspect the device to determine it is operating properly, and look for any markings that could indicate fraudulent devices. If a device is deemed fraudulent then that terminal is disabled until it is replaced with a legitimate one, and that cashier is only allowed to take cash payments.

      1. Robert.Walter

        Unworkable. The costs of doing this across a large organization would cost more, for the uncertain results the non-tech overseers would bring, than the likely cost of fraud that with a properly certified system are passed back to the card networks or banks anyway.

        If you have a credit, or debit card, and phone with Apple Pay or some similar tokenized NFC payment system, and you don’t use it, then, in many ways, you’re doing your payments wrong.

  4. Dye Verus Spy

    A possible solution:

    (1) A tube of glue
    (2) short metal or plastic strip, 1/4″ wide , 2-3″ long, 1/16″ thick

    Glue pieces of strip on the surface of the original card reader.
    This will raise the distance between the skimmer and card readers’ keypads making the skimmer keypad unusable.

    No Cyber tech needed. Works for all card readers. Wipe off excess glue to prevent unexpected customer retention.

    1. Eric

      I trump your glue on strips with newly 3D printer overlays that have recesses for the additional strips.

      I’ll admit I have no idea how the chip cards work but it seems to me that if the chip could only perform a digital signature on the transaction using its private key where the bank can validate using the chips known public key we could solve this problem.

      Phones, laptops, add on USB devices could be produced to interface your chip card to sign online transactions.

      1. MISaunaSnob

        The terminal still has to be able to inject the amount of payment owed and who it is owed to into the encrypted stream… this leaves it open to man in the middle attacks. You think you’re paying $100 but you end up paying $500, to a different party.

        1. Cody Barnes

          Modern pin pads are generally coded to a specific vendor. Changing the payee is typically impossible without help from the payment gateway.

      2. MISaunaSnob

        If you glued them on by hand, and randomly each overlay would have to be custom made for those particular cut outs. I guess you could maybe take pictures and then come back with a 3d printed one to match the custom risers but in my experience the 3d printed surface finish would stand out.

      3. Mike

        Eric, I think you skipped a beat, despite your good humor. What Dye_Versus_Spy was suggesting is a DIY addition of such strips, not a pre-manufactured set of strips. So long as any physical alteration is not standardized but instead more random, such as putting strips at slight angles, then anyone putting an overlay on would have to re-carve each overlay to exactly match each individually altered terminal. I think that’s what DVS was getting at.

        Somehow, I don’t think Ingenico would appreciate knowing that their products must be marred and made ugly as a layer of security, but too bad for their hurt feelings.

          1. Cardy

            And the advice is “do not stick your card in any device that looks as if it has been tampered with?”

  5. Eric E

    Cyber (no) security is an exponentially expanding behemoth ocean where NOBODY has the silver bullet fix to stop the thugs from ruining people’s lives.

    Lots of folks who shop at Walmart could quickly wind up homeless when a cyber crook empties their bank account.

    It’s time for all white hats in this battle of good and evil to go all in and jack up every one of these bastards. I’ve had enough!

    Stay in the trenches, stay vigilant and keep fighting the good fight.

    “All that is necessary for the triumph of evil is that good men do nothing.” (Edmund Burke)

    1. Bruce Hobbs

      First, you’re talking about a debit card, not a credit card. Second, my bank (5/3 in Cincinnati) provides debit cards with a balance that’s separate from your checking account. When my son’s card got skimmed, he got called by the bank. One charge went through and was reversed. The second charge was not approved and thus canceled. The most they could have gotten in any case was $200. His loss? Nothing.

    2. Lisa E

      If your debit card is compromised and it’s Visa, you wouldn’t end up homeless because the consumer has zero liability. The bank takes the loss.

      1. KrebsonSecurityFan

        Isn’t it the merchant instead of the bank under the new system?

        1. Bill

          I believe you are correct. In the age of PCI Compliance, most retailers will take the hit instead of the banks/card vendors.

          1. Tim

            As the compliance officer for a bank, I can tell you that under the current system in which the majority of banks and retailers have not converted to EMV, the bank is liable about 99% of the time. Now, if the retailer converts and the bank does not, the liability is on the bank. On the inverse, if the bank has converted, and the retailer has not, then the retailer will be liable. If both have converted, then the bank will again (under most circumstances) be liable. We almost always lose a Regulation E dispute. But if we didn’t offer debit cards, then we would lose a ton of our customer base, so it is factored in as a cost of doing business.

            1. Christopher

              In the instance that the merchant is responsible (bank issues chip card, but merchant only accepts mag strip) and fraud occurs, what’s the logistics of getting paid back?

              Does the customer talk to their bank, and the bank talks to the merchant, or does the customer have to work completely with the merchant? What’s the time-frame of getting funds back?

              I purely use credit for the reason of not draining my checking, but it’s an interesting question.

  6. Ash

    As a person responsible for a few of these where I work, is there any chance of a few closeup shots of the side where the skimmer joins the base unit? And a measurement showing how much thicker the unit gets once it is together? I don’t expect to be hit by these but I’d rather be prepared in case someone tries.

  7. jim

    Skimmers were actually in Fort Wright, KY not Lexington… Fort Wright is in the Cincinnati, Ohio area about an hour and half from Lexington. Just so happened that the Lexington TV channel news crew covered the incident

    1. jim

      Ft Wright walmart… gas pump skimmers were at a marathon station in Lexington.

  8. Joebob2000

    Why would it be interesting to note that the skimmer faces had a slot for the chip reader? If it didn’t match the original in this critical feature (since they are requiring use of chips when available) the skimmer would have been discovered much much sooner (i.e. hearing this every day “it says put the card in the chip reader? what chip reader? your machine is broken.”)

    1. JW

      Exactly! It’ s interesting because it shows the lengths the criminals go to, to not get caught.

  9. Bait and Switch

    They have the same readers at Home Depot, what are the odds the self-checkouts at the Fraud Depot get hit too. Gas pumps are the real problem, we have a credit card that we use for Gas only, that way when it’s breached it’s not that big of a deal. Those Gas Pump readers are about $1500 a piece to upgrade due to the two factor encryption on the PIN pads and the pump goes out of service for about 4 days. Going to be a long slow adoption, even with their liability shift in 2017. Great job payments industry.

    1. Moike

      >They have the same readers at Home Depot, what are the odds the self-checkouts at the Fraud Depot get hit too.

      The sad part is that Home Depot regressed; when they activated Chip Readers, they took away Apple / Samsung pay. Same thing at Bi-Lo grocery stores. Slower, and not as secure if you forget and swipe first.

  10. Ian

    The images you’ve been posting recently aren’t showing up on mobile chrome or my news reader app. They show up with the broken image icon. If I tap on an image I get a Neverending loading graphic. Just an FYI.

    1. Jerome

      It may be your phone, as the pictures show up fine on my Android

  11. mark

    The only thing I notice in the pic of it installed is that it *appears* that the screen is uneven – not quite level – under the skimmer. I also wonder how much deeper the screen is between the real thing, and one with the skimmer on it. I would think that would be noticeable, as the skimmer can’t be so thin around the screen that it would be easily broken.

    Also, I’d think that there’d be issues if they built the skimmer with a clear screen of its own – the difference might catch too many eyes.

    mark

    1. timeless

      I believe you’re seeing a light source effect as opposed to unevenness.

      @Brian: if you look at the top right corner of the screen, it seems

      1. timeless

        … to have a shorter shadow than the top left corner.

        — but I’d bet that’s just because of where the light source is…

    2. timeless

      I believe you’re seeing a light source effect as opposed to unevenness.

      @Brian: if you look at the top right corner of the screen, it seems to have a shorter shadow than the top left corner.

  12. Brian Downard

    How about using CASH! Just sayin…

    1. Donald

      You are right. Cash is king. I use my CC for online purchases.

  13. Jojo

    Would using Android Or Apple Pay protect you from these skimmers??

    1. EricksonTrav

      I’m no pro on all of the tech but my limited understanding is possibly not. If the terminal doesn’t support true NFC (near-field communication) and instead your phone utilizes older MST (magnetic secure transmission) then you will still get skimmed.

      The MST (magnetic secure transmission) basically fakes the magnetic reader into thinking something was swiped by emitting enough EMF that the card reader picks it up, the skimmer will still pick that up as well just as if you had swiped.

      Where NFC wouldn’t communicate at all with the mag stripe reader instead it would be with the NFC reader in the terminal itself, so the skimmer wouldn’t see a thing.

      1. zboot

        Sure, but the MST used by Samsung Pay is also a one-time use token. So capture it all you want, you won’t be able to steal anything from me.

    2. Eric

      Yes, actually- ApplePay and AndroidPay create one time use tokens for use in place of your card details.

    3. roflem

      No using your phone as payment device is the worst idea ever. The banksters introduced it in Spain years ago and the trojan botnet operators were already rubbing their hands expecting other countries to join. Spain was hit so hard by fraud related to compromised phones, that smartphone payments in other EU countries never achieved a significant market share (luckily).
      Cash rules.

  14. Jeff

    How many heads does the skimmer have 1 or 2. Was it noticeable in looking at the slot?

  15. milller

    Walmart owners and all this brand is dodgy ! All this big corps and inc are dirty very dirty

  16. TomW

    Please post a few more pictures of the skimmer from the sides. Especially how it fits around the stylus clip.

  17. Al Sec

    Never ceases to amaze how much fraud is ‘tolerated’ by our commercial system…although I suppose in the grand scheme, these amounts are just ‘basis points’ in bank profitability calculations. Copying static data in transit is extremely easy in this digital age, and unlike this case, data is often breached remotely (making prosecution even less likely). Definitely looking forward to increased tokenization adoption, and fewer plastic card re-issuances every time a new breach is uncovered. Of course, it may just be a matter of time until some type of malware finds itself into phones that will try and circumvent the new security.

    1. patti

      It appears that capitalism nowadays just cares if they get a sale and money, the fraud bit is an “externality.”

    2. signaldistress

      Every financial institution has a fraud budget, and the trick is staying within it to help meet a bottom line. Most in the industry think of fraud like a partially filled balloon, every time you squeeze the fraud at one end, it just travels to another part of the balloon. Build a better mouse trap and the mice find another way to get the cheese.

  18. Ken Robinson

    One of the reasons why chip readers are not fully operational in many locations is that the credit card companies (Visa, MasterCard, … ) haven’t signed off on the software to be used for that implementation. It isn’t just the software on the front-end (card reader), but also the backend that has to be signed off on. They have been slow on authorizing the software in many cases, so that is why you might see the same model of reader at two stores, one accepts the chip and the other isn’t able to do anything with it. Big retailers like Walmart, Target, etc were put at the front of the line for reviewing their software because of the volume of transactions.

    Of course, there are consumer complaints that the chip readers take longer for an authorization than just a swipe. This is because of multiple exchanges of information between the card and the backend that the swipe method doesn’t have, but the result is improved authorization and authentication of validity.

    With that, the U.S. mechanisms primarily use the chip and signature method, meaning that if the card is stolen, someone can very easily just use the card elsewhere until its loss is reported. In a number of other countries (not all), the chip and pin method is used, where a pin must be entered in lieu of a signature. Unless the person who steals the card also knows your pin, it is useless to them. In either case, it makes forgery significantly tougher, better protecting the consumer, the merchant, the bank, and the card issuer. At some point, the bad guys will catch up to this, so hopefully, there is continual effort to improve the technology.

    1. Sasparilla

      Excellent explanation. It’s good to point out that in the U.S. the issuers get an extra $0.07 per transaction on Signature based transactions versus PIN validated transactions.

      This is why we have Chip and Signature in the U.S. instead of the more secure Chip and PIN. As long as this difference in costs remains, I doubt we’ll ever move to Chip and PIN validation here in the U.S..

      1. signaldistress

        I live here in the US and i have a Chip & PIN debit card and credit card. It depends on what the bank chooses to issue. If you want Chip & PIN, change banks.

  19. Jonathan Jaffe

    Brian – if these overlays are applicable and removable in seconds are they “well” secured? Could a modest grip (somewhere) and a tug reveal the overlay?

    If so, perhaps consumers will start tugging these devices and exposing more skimmers.

    thx

    Jonathan @NC3mobi

    1. Dave from Toronto

      @Jonathan

      While we don’t always agree, today we are on the same page. I routinely test the face of ATMs and PIN pads. I also check the card slot for something called a “Lebanese Loop”. Sometimes you can catch something.

      It would be nice to know when they find a new overlay if they’d let the public know if there is any trick involved in detaching it.

      Nothing better than thousands of informed consumers looking out for themselves. Or thieves having their kit confiscated.

      Dave

  20. KrebsonSecurityFan

    There are 3 tracks of data on the card’s magnetic stripe. From a Wikipedia article, track 1 contains all data used to complete a transaction including the card’s CVV in plain text (unencrypted) while track 2 doesn’t contain the CVV but does contain the other information.

    I can’t understand how the fake snap-on reader is able to get all – or enough – track data. I see the snap-on as sitting higher than the real reader and thus the snap-on’s playback head is reading different track data since it’s higher in the groove; unless the fake playback head is at the end of the real reader’s groove. Does this mean track 2 and not track 1? Does this mean no CVV?

    Also how does this snap-on device record a pin from the keypad?

  21. just say know

    SIMPLE FIX:

    Pay with CA$H whenever, wherever you can, before it all goes digital.

  22. TomH

    There isn’t a blanket statement that can be made for WalMart and their use or support of chip-cards. Ours in this area (PA) use swipe-only for transactions under $50, and they won’t even accept a chip card in the chip-reader under $50. So they may have the chip-capable readers, but that doesn’t mean they allow or require them. (I work for a financial institution)

  23. Ryan

    So how do we the public look for these readers that just blend in? Try to pull the damn thing apart before you swipe?

    1. signaldistress

      that really is the best way if you’re unsure

      1. Ryan

        Rips off card terminal… Sorry, just checking for skimmers. Runs out of store.

  24. Sasparilla

    Wow, amazing the fidelity they have – there’d be no way I’d pick that out as being compromised.

    Wish I wasn’t so addicted to the 1% and 2% cuts of my transactions I get back or I’d be cash only at this point (already using cash more and more though).

  25. JD

    I work for a company that makes pharmacy software and POS systems; our company uses these signature pads and other models from the company. When I go out in the field from now on I will definitely be looking for these overlays, hope I find one so I can keep it and dissect it. And just a little side info, these are connected to the workstation by comm ports, but the end that goes to the pad is a modified mini HDMI connector; older models are straight comm ports.

  26. Herby

    The biggest problem is unattended terminals. In an effort to reduce costs, they allow customers unfettered access to card reading terminals. It is no wonder they go for the self-serve checkout lines. The cashier attended terminals aren’t tampered with (unless it is an inside job). Perhaps the terminals need some sort of tamper wiring that will tell the central box they have been tampered with. It seems that this would be a simple thing to do, but might cost a few pennies in programming of the terminal, and another I/O pin. One must think of security from conception all the way to implementation.

  27. roflem

    Too bad we don’t have better pictures. In 2009 I took an infected POS apart which had much more sophisticated technology: the stolen data was sent via SMS to a cellphone hidden under a trashcan outside the supermarket. These tiny GSM chips with antenna can be bought anywhere and reduce the risk of having to retrieve the device and data. The cellphone outside can even be programmed to forward the SMS message (containing the credit/debit card data) to another country.

  28. Kristen

    I am so leery of debit machines these days that I use cash the vast majority of the time … scary stuff!

  29. Todd

    All I know is when I got my clearance, it was made very clear that if I were to do something like this, I would be in jail. Regardless of political affiliation, putting top secret docs out on a private server should = jail.

    1. todd

      Strange. I had posted this on the Hillary printer on the internet.
