A KrebsOnSecurity story last month about credit card skimmers found in self-checkout lanes at some Walmart locations got picked up by quite a few publications. Since then I’ve heard from several readers who work at retailers that use hundreds of thousands of these Ingenico credit card terminals across their stores, and all wanted to know the same thing: How could they tell if their self-checkout lanes were compromised? This post provides a few pointers.
Happily, just days before my story point-of-sale vendor Ingenico produced a tutorial on how to spot a skimmer on self checkout lanes powered by Ingenico iSC250 card terminals. Unfortunately, it doesn’t appear that this report was widely disseminated, because I’m still getting questions from readers at retailers that use these devices.
The red calipers in the image above show the size differences in various noticeable areas of the case overlay on the left compared to the actual iSC250 on the right. Source: Ingenico.
“In order for the overlay to fit atop the POS [point-of-sale] terminal, it must be longer and wider than the target device,” reads a May 16, 2016 security bulletin obtained by KrebsOnSecurity. “For this reason, the case overlay will appear noticeably larger than the actual POS terminal. This is the primary identifying characteristic of the skimming device. A skimmer overlay of the iSC250 is over 6 inches wide and 7 inches tall while the iSC250 itself is 5 9/16 inch wide and 6 1⁄2 inches tall.”
In addition, the skimming device that thieves can attach in the blink of an eye on top of the Ingenico self-checkout card reader blocks the backlight from coming through the fake PIN pad overlay.
The backlight can be best seen while shading the keypad from room lights. The image on the left is a powered-on legitimate iSC250 viewed with the keypad shaded. The backlight can be seen in comparison to a powered-off iSC250 in the right image. Source: Ingenico.
What’s more, the skimming overlay devices currently block the green LED light that is illuminated during contactless card reads like Apple Pay.
The green LED light that is lit up during contactless payments is obscured by the overlay skimmer. Source: Ingenico.
The overlay skimming devices pictured here include their own tiny magnetic read heads to snarf card data from the magnetic stripe when customers swipe their cards. Consequently, those tiny readers often interfere with the legitimate magnetic card reader on the underlying device, meaning compromised self-checkout lines may move a bit slower than others.
“The overlay design appears to occasionally interfere with the magnetic stripe reads, leading to greater numbers of read failures,” Ingenico wrote.
Finally, all checkout terminals include a tethered stylus that customers use to sign their names after swiping their cards. According to Ingenico, the skimmers made to fit the iSC250 appear to prevent the ordinary placement of the stylus due to the obtrusive overhang of the skimmer overlay.
The overlay skimmer on the left blocks the stylus tray. The picture on the right is a device that’s not been attacked.
It’s probably true that posting information like this online gives skimmer scammers an opportunity to improve their product and to make the telltale giveaways less noticeable. However, this only goes so far without significantly driving up the cost of these overlay skimmers. Each iSC250 skimmer already retails for a few hundred bucks apiece — and that’s without the electronics needed to gather and store card data. The up-front cost of these fraud devices is important because the fraudsters have no guarantee they will be able to recover their skimmers before the devices are discovered.
On the other hand, as I mentioned earlier there are countless nationwide retailers that have hundreds of thousands of these Ingenico devices installed in self-checkout lanes, and that in turn means millions of employees and customers who are the first lines of defense against skimmers. The more people know about what to look for in these fraud devices, the more likely the fraudsters will lose their up-front investments — and maybe even get busted trying to retrieve them.
Brian,
Thanks for all your work.
The first set of photos has the modified device on the left; the second and third sets of photos have the modified device on the right. It’s be easier for the reader if the first set of photos were flipped right-to-left, so that all the images are presented with the same logic. Because we read left-t0-right, I think the unmodified device should be on the left, and the modified one on the right.
Thanks again.
There is always one guy. Always.
Brian I look forward to every one of your stories, no matter what order the pictures are in. David you could always read the blurb underneath the pictures to find out which one is fake
I can provide an replacement with the two swapped if no one has access to Photoshop, or pixlr.com, and five minutes.
Because that was a very valid point. Some consistency will help people immensely.
Brian had a valid point. We do read from right to left and if you are using images to help communicate, you should also place the images so they correspond. By the way, most people don’t read. They “skim”.
Janet
Most people read from left to right in the USA.
Your little pun is noted, but some of us do “glance-overs” instead of “skimming” because we can actually read very fast. If the results of the glanceover are worthy of further attention, then we slow down and dig into the article.
I read the captions of each photo group. It was no problem.
Hugh, I agree with David and thought the same thing. Presentation and consistency in information presentation is key. No matter what the blurb underneath reads. Primarily because people will read the first one and assume the rest follow the same logic.
It is tje saje as wjin the brsin reodiog stuff lihe thos and it still can makes sense of it.
David –
While I do agree with needing standardization, these were company provided photos and not made by Brian. He has no control on what a third party provides him.
Of course the pics were supplied by others, and the first one couldn’t be reversed. But the second row contained individual pics, and could have been; had the second row pics followed the same pattern as the first, it would have been easier for the reader.
Good tech doesn’t preclude good design.
Agreed in all points.
Thanks for the update Brian!
It would be rather stupid to assume the skimmer was the smaller of the devices given it needs to sit above it..
I believe common-sense should prevail here really.
I agree, David. I was thinking the same thing.
David,
I will say that, in order to make sure I understood the story, I was forced to read the captions more carefully than I otherwise would have!
Completely agree. I was assuming that second set of images are in the same order as first set – compromised device on the left and it did not make any sense to me. Had to read the caption.
But to think about it, now I wasted even more time posting this.
The second set of photos doesn’t show a fake, it shows what the actual device looks when powered on vs. powered off.
Good pointers, but not all that easy to determine an overlay is in place based on most of the widths… however, blocking the stylus placement is a sure giveaway. I’d focus on that marker. Thank you. Cheers.
Does the first photo show the real POS as iSC250 and the fake as ISC250 (uppercase “I”) ?
It sure looks that way to me, too.
You appear to be correct, good catch.
Looks like you’re right. The uppercase I is even more visible on the last picture.
Wow. I think I’ve actually inadvertantly seen these in the wild… and swiped.
This is very good faking, albeit in very bad ethics.
Credit Card terminals need to include some kind of tamper sensors to detect when these kinds of skimmers are installed. With a little bit of clever engineering, they should be able to make this much more difficult.
They are touched by lots of people all the time. Those tamper sensors would be constantly going off and ultimately unused. Tamper proof sensing works best when the item isn’t to be handled most of the time.
Better option, tokenized contactless payments where the POS terminal has two physically separated payment processing areas. One where you make the contactless payment, the other where you verify/sign/enter PIN. Increases the number of systems thieves need to compromise increasing their exposure when doing so in store. Also easier add tamper proofing to the contactless payment side and utilize other technology on the verify/sign/PIN side.
We need to start training people to use number pads where the number positions change after each use. Mirroring this behavior on a small sized overlay will be expensive.
As has been pointed out to me for suggesting that bank machines should have the PIN entry on-screen blind people would not be able to use the machine. Same thing with the numbers changing: unless you can make braille change along with it.
Making braille change along with it might be doable. there have been refreshable braille displays for a while. If that could be combined with a positive click sort of solution, and video for the sighted, it could work.
Thank you for the article. I saved it and will take a look at my local Walmart. I skipped the self checkout lane yesterday, I don’t like it much anyway but this was enough of a reason to shun it.
My first thought when I got to the second set of images was the same as the first poster – better to keep the placement of good – bad consistent throughout the article.
I think the difference in the clearance for the stylus tray will be the easiest characteristic of the skimmers for me to spot.
I find it unconscionable on the part of Walmart to have a policy of blocking NFC transactions from Android and Apple Pay just because Walmart is trying to push users into using its own profit enhancing Walmart Pay.
Walmart by trying to force customers to use its kludgey payment system puts NFC equipped customers at risk by making it more likely that those customers will swipe (and given many credit and seemingly more debit cards are not chipped equipped) and expose their accounts to fraudsters.
More evidence of Walmart caring more for itself and its profits than any other thing, principle or person.
Hopefully, this drives more people to Samsung Pay. Contactless tokenized magnetic swipe.
…or Apple Pay. Avoid the swiper!
Samsung Pay is contactless…
Or just stop shopping at unscrupulous and un-American retailers like Walmart who destroy local economies, drive wages to the absolute bottom, and profit from slave labor and sweat shops overseas.
you are ridiculous
Calipers? Guess I will have to invest in a set. Otherwise, good going, Brian!
Or look at all the other items in the list that are easier to use… like the I vs i, the stylus holder, etc.
What can be done to track down those who make these skimmers and put them out of business for making these devices.
How is the skimmer attached to the legitimate terminal – does it snap on or simply sit on top? Just wondering if trying to pull up on the terminal casing might be an additional useful test.
Thanks, Brian, for keeping us informed!
Brian, you are the man!
Brian heads up I am sure the miscreants will start spreading this around about you http://www.nydailynews.com/news/crime/real-life-inspiration-stifler-convicted-murder-article-1.2685641
I’m confused is that not him?
It is Brian’s evil twin.
I understand about readers being touched by a lot of hands in normal operations. But it doesn’t take an engineer (I am not one) to easily come up with several ideas to be alerted to tampering. I won’t post my ideas here, you can contact me if you are interested. I also have some ideas about what to do if a reader has been tampered with that goes beyond just detection and lends a hand to enforcement.
But until all the industry players start thinking about working together this is just going to continue to be game of catch-up where we will never be able to get ahead of the game.
The game of catch up will be with the industry for awhile largely many of the employees hired by retail companies are not technologically savvy to understand this nor want to learn. They are at the mercy of corporate and store management not telling them anything until they are faced with it and they have to bring someone else to figure it out (they are given instructions to use but it is not distributed to those concern). I see this all the time.
Hey Chris
What’s your contact information?
would like to hear your ” ideas about what to do if a reader has been tampered with that goes beyond just detection and lends a hand to enforcement.”
Thanks
Personally, I tinfoil anything that’s NFC. And have lined the wife’s wallet with foil. You ladies, remember, how close you have to be to a reader? It’s said inches, tap, light? Right, tap it with your hand, with the card or device in the other hand. Some devices have better antenna placements. The new copycat readers are phone sized. Is that stranger fiddling with their phone? Or just war driving the neighborhood.
Remember, the proof of concept for RFD, was in 2000, or thereabouts, a briefcase computer and 60 foot away. How much better has RFD reading gotten since.
https://www.google.com/search?q=rfid+shield+sleeve&ie=utf-8&oe=utf-8
Why doesn’t the store put a tamper-proof sticker somewhere on the face of the PIN pad? That way if someone slaps an overlay on top, the sticker will be obviously missing.
Next, they’ll just copy the sticker. It’s a constant game of Whack-A-Mole.
True, but it’s another thing that should drive the cost of the skimmer/overlay up at least. I wouldn’t think it would be too much work for the store to even use a different random sticker colour/design each week to make it even more difficult to match.
You think people would notice a sticker missing? Maybe a store employee but then again they are supposed to be regularly checking those devices anyway according to PCI.
I have not thought out how to stop it entirely as it is a one-up type of game. What about requiring the stylus to be placed (upright) in the middle of the keypad before a transaction. That should make it easier to detect an overlay if people actually pay attention and see a hole.
Then you put a tamper-proof sticker on the sticker.
Almost every tamper-proof sticker I’ve seen on a gas pump has been broken. It’s not my job to report this.
I have never seen a tamper proof sticker broken at Costco and they have two on each pump. One is around the card reader device and the other is next to the key hole for the pump door.
Stickers on point of interaction PIN Pad devices is not PCI compliant because thieves have in the past drilled into devices, inserted skimmers, and then covered up the holes using….stickers!
How about the management staff doing a “look-see” of all the credit card terminals at all checkout lanes a few times a day.
Most major retailers have their own in-house “recovery/security” department. It may only consist of one guy for each shift, who sits in a room with lots of monitors, that they probably don’t watch unless alerted, but there is at least one. These can easily be trained to periodically check each cash register’s terminals for tampering or skimming devices. Not to mention, shift managers can and should be trained to look for these as well.
Of course, the danger is that one of these who has been trained, might think a unit has a scanner attached, then proceed to try and remove it, only to find it’s all original thus damaging the unit and making it unusable.
WOW
THANK YOU Brian
No, seriously, your pictures have just helped remove two machines way up here in Chilliwack, BC
the “dead giveaway” was the stylus holder …
C
ps
ianal
the email address is a spam catcher …
http://www.worldstarhiphop.com/videos/video.php?v=wshhs512VJ3HuJx7G5Ck
Interesting much! I guess everyone should be super paranoid. How the hell would anyone spot that. These are obviously doing the job well.
Brian, are these skimmers bluetooth enabled or do they need to to be removed, in order to retrieve the hijacked cardholder data? Did Ingenico say?
These overlays seem to be very well made, judging from the pictures and wouldn’t be surprised, if they cost more than the POS terminal itself.
Thanks for the article!
Unlikely. A quick google shows that the POS costs $600-$700, plus you’d have vendor install costs and contract costs. Wouldn’t surprise me if it hits $1000 each one.
Not sure how much the skimmer costs, but I think some krebs stories have mentioned several hundred dollars before in terms of skimmer costs.
Bluetooth would be an extra expense and an extra-easy way to get caught. With Bluetooth, you’d need to have someone hanging around with a bluetooth-capable device (laptop, tablet, etc.) listening and scraping. Someone hanging around for long periods of time at a location where these are likely installed — like grocery stores? Very suspect. Plus, if they’re discovered, the cost of that goes up + the cost of the skimmer, so a more expensive loss. It would be easier and cheaper to do a stealth drop + stealth retrieval.
While it is great that you are showing the modified and the actual POS and what to look for supplied by Ingenico, this is just one of many variants utilized by the retailers. The ones I know uses the MX-915 POS with a security cover over the PIN pad made by Verifone. They are a variant of the same model- with and without the security cover.
The keys of the case overlay appear to differ from those of the actual iSC250. The overlay keyboard is a flat surface; its “keys” are designated areas for depressing the actual keys underneath.
Brian,
I find the battle against skimming fascinating and always enjoy your research.
Would it be possible to make a “credit card” device that can sense it is being magnetically “read” twice (or multiple times in a time period, or whatever)?
That it could be used as a tool to maybe do daily security checks on each POS at the retailer via an employee simply swiping it through each reader?
Just a thought. I bet others have thought of it already.
So… …
There were fake audio tapes which were used as CD player adapters in car stereos.
There are some pseudo credit cards which can alternate what content they present — Coin [1] is one…
Coin’s probably the best bet. It logs transactions (according to their advertisement, I’m not a customer). It might be able to recognize when it’s being read twice….
[1] https://onlycoin.com/
I am certain this is the same situation for data recovery if you search local, you get some generic numbers in my area that often lead to one company with many unlisted addresses(drop off or mail in locations.) I haven’t looked for it in years, but I remember being skeptical of the company/service. Consider the price people are willing to pay to recover data from a dead drive and how businesses would not think tice about using a service like this to get more customers.
So far, no one has been able to skim my cash…….
The real interesting stories are, however, how these devices are placed and later removed. This seems like an inside job to me.
Unless of course you have a random team/person walking in during store hours, and just starting to place overlays on all the checkouts, without any of the personel or other customers ever asking a question, calling a manager, etc. And then you need to later return and collect the data and presumably overlays to reuse later.
Sure you’ll get away with that on occassion. But it only takes one attentive person and you are busted. Especially since many stores have camera’s.
The *real* interesting storries seem how they pull that off.
As handy as my cards are, I am seriously considering using cash again. I hate criminals. Sigh….
If you have one of several supported Samsung devices then consider using Samsung Pay. It works with both NFC and swipe readers and is immune to these skimmer attacks.
Just wondering if you could just attempt to remove the top off of the device. If it comes off then you know it’s a skimmer and then report it. Thanks for the article.
Scammers. they are the same as hackers on the internet. It is so scary the lengths people are willing to go to in order to scam honest people out of their hard earnt money.
This particular model we don’t install at my company but the ISC350i up to a ISC670i and all use including the 250 what looks like a modified HDMI connector that goes into the unit and then connects to the POS through a COM port. Waiting now to see how they will shoehorn a Bluetooth transmitter on one of these overlays. I still keep my eyes open when I go on a service call to a customer.
Thanks for the heads up. There is another thing that all retailers can do to help catch these skimmers. Actually all retail associates can do this even without it being a company policy. Why dont all associates inspect their card readers every time they come on shift and again every time they come back to their register after break, bathroom breaks, lunches and shift changes.
If all retailers would simply put a small pkg together of known skimmers and easy ways to spot them and have this become part of their shift change duties, just as they pull and ot count their till. Inspect the card reader and initial till sheet…..
It wont catch them all but it sure would help and absolutely cannot hurt. Maybe offer a reward to any associate that spots one as an incentive to actually inspect the reader when coming on and leaving their register…..
Just my two cents worth
Most retail stores employee people who have a “don’t care” attitude. So, on top of training and policies for inspecting the terminals, they might need to offer incentives for finding one and alerting their security team.