14
Oct 16

Self-Checkout Skimmers Go Bluetooth

This blog has featured several stories about payment card skimming devices designed to be placed over top of credit card terminals in self-checkout lanes at grocery stores and other retailers. Many readers have asked for more details about the electronics that power these so-called “overlay” skimmers. Here’s a look at one overlay skimmer  equipped with Bluetooth technology that allows thieves to snarf swiped card data and PINs wirelessly using nothing more than a mobile phone.

The rather crude video below shows a Bluetooth enabled overlay skimmer crafted to be slipped directly over top of Ingenico iSC250 credit card terminals. These Ingenico terminals are widely used at countless U.S. based merchants; earlier this year I wrote about Ingenico overlay skimmers being found in self-checkout lanes at some WalMart locations.

The demo video briefly shows the electronics hidden on the back side of the overlay skimmer, but most of the sales video demonstrates the Bluetooth functionality built into the device. The video appears to show the skimmer seller connecting his mobile phone to the Bluetooth elements embedded in the skimmer. The demo continues on to show the phone intercepting PIN pad presses and card swipe data.

Your basic Bluetooth signal has a range of approximately 100 meters (328 feet), so theoretically skimmer scammers who placed one of these devices over top of a card terminal in a store’s self-checkout lane could simply sit in a vehicle parked outside the storefront and suck down card data wirelessly in real-time. However, that kind of continuous communication likely would place undue strain on the skimmer’s internal battery, thus dramatically decreasing the length of time the skimmer could collect card and PIN data before needed a new battery.

Rather, such a skimmer would most likely be configured to store the stolen PIN and card data until such time as its owner skulks within range of the device and instructs it to transmit the stored card data.

Concerned about whether the Ingenico terminals at your favorite store may be compromised by one of these overlay skimmers? Turns out, payment terminals retrofitted with overlay skimmers have quite a few giveaways if you know what to look for. Learn how to identify one, by checking out my tutorial, How to Spot Ingenico Self-Checkout Skimmers.

If you liked this piece, have a look at the other skimmer stories in my series, All About Skimmers. And if you’re curious about how card data stolen through skimmers like these are typically sold, take a peek inside a professional carding shop.

The red calipers in the image above show the size differences in various noticeable areas of the case overlay on the left compared to the actual ISC250 on the right. Source: Ingenico.

The red calipers in the image above show the size differences in various noticeable areas of the case overlay on the left compared to the actual ISC250 on the right. Source: Ingenico.

Thanks to Alex Holden of Hold Security LLC for sharing the above video footage.

Tags: , , ,

44 comments

  1. Or carry a 20000 mAh battery pack (about half a pound weight wise). I kept my mobile phone charged that way for two days on safari in Africa (where amazingly they had LTE service everywhere in the Masai Mara). So potentially they could just leave a car parked in the parking lot shut off and potentially skimming data in real time and then transmitting it to a central server. Go by each car and swap out battery packs every other day and move the car into a different space so it doesn’t look abandoned. Or get a car that doesn’t shut off the cigarette lighter plug when it is off. Though most cars these days seem to shut the lighter off when the car is shut down for some reason. Ford I think still has cars that leave the plug hot when the engine is off. At least they did when I had to leave my electronics in the car.

  2. Or get a car like a Ford that leaves the plug hot when the engine is off and the phone can skim all day forwarding data to a central server in real time. And if the car doesn’t keep the plug hot then a 20000 mAh battery pack will keep the phone charged for a couple of days. Go by each car swap out the pack, move the car to a different spot so it doesnt look abandoned.

  3. Why don’t these credit card terminals have built in tamper detection sensors to detect the presence of a skimmer? This shouldn’t be rocket science.

    • In the case of these overlay skimmers, there really is no “tampering” to detect. It’s just a shell placed on top of the existing pad.

      It’s not worth the return on investment for pad manufacturers to develop physical tamper protections. Firstly, there’s nothing obligating them to do so as they’re not losing any money in this scenario. Secondly, as soon as they develop any sort of tamper protection the bad guys will find a way to get around it the next day.

      This particular skimmer is very easy to spot, so at least retailers can check for it themselves.

      • Problem is, how much do you trust your everyday retail store to actually check these things?

      • Counteracting these overlay skimmers DOES NOT REQUIRE any high tech countermeasures. All that is required is an intelligent REDESIGN of the card reader casing to include cleverly molded “stand-offs” or L-shaped pegs or protrusions that would make slipping on an overlay extremely noticeable. (plastic gap will be apparent if overlay must have holes cut to slip over a 2-inch “L” peg….

        The mfg could even get “fancy” and build the unit so that each retailer can configure the location/dimension/shape/quantity of pegs at desired. This means a scammer much CUSTOM BUILD his overlay for a SPECIFIC reader he wishes to attack… and a retailer might even wish to use random configs for each & every reader, not a set config for their entire chain.

      • This is in part what chip technology on POS systems is trying to thwart. No swiping means little chance of fraud at the terminal.

      • They could, and should, but will they ?

  4. IRS ITUNE cards

    No links to the demo video? confused ?

  5. The ever so “smart” criminal almost got his whole kisser in that video but wears rubber gloves.

    btw: these bluetooth transmissions between POS and cellphone have been found 10 years ago in Italy.

    Brasov in Romania was the capital for these devices.

  6. The person filming has clearly no clue of opsec.
    The reflexion shows he has dreadlocks.
    And very easy identifiable (eye hurting) carpet.

    my2cents

    • Or it’s superior op-sec with a dredlock wig filmed in a motel room. At least, that’s what I would do. Oh, and the wipes? Probably aren’t even sold in that country but were imported through ebay and purposely caught on camera.

      How you like the op-sec now?

  7. BLE doesn’t use that much power though. You could theoretically run a skimmer for a fill day off a AA battery.
    Source:http://www.ti.com/lit/an/swra347a/swra347a.pdf

  8. Seems this could easily be corrected through due diligence on the part of the store operators/owners. After all, who has access to the terminals to place the skimmers on the things in the first place? Especially at places like Wal-Mart that have continuous video surveillance going on of the self-checkouts. This is another example of why scanned credit/debit cards need to be done away with, ASAP.

    BTW, on the ISC250 imaged above, the keypad also seems to be a dead giveaway…

    • Well, these are on self-checkout terminals, so employees won’t be watching as closely.

      It is true that video surveillance might help to identify the person who installed the thing, but they may well wear a disguise of some sort (wig/hat, etc), so there are no guarantees that this will be all that useful.

      • It’s quick, a checker could turn their back for a second and it would be able to be installed. It’s not like they need tools or to crack open the case. A few practices and you could probably pull it out of your jacket and snap it on in 2 seconds. So self checkouts are prime for this, but so is any isle that someone might walk through or where the checker turns around to go scan alcolhol at another register. It’s quick and they’re good. To think they should catch these getting installed is sort of like people saying that a pick pocket wouldn’t get their wallet because they’d feel it.

    • >After all, who has access to the terminals to place the skimmers on the things in the first place?

      It takes all of 2 seconds to pop one of these things on. Check out the video here: https://www.rt.com/viral/335712-card-skimmer-install-video/

  9. Actually, when you think about it.. low tech solution… the pin pad manufacturers could supply their own overlays to stores..

    Provided the layout of the device has a lot of elevations and declines, you could use those known widths, complete with probing parts in the overlay. If the overlay doesn’t fit on a given pinpad, there’s something blocking it that’s not part of the factory design.

    • … could even be a business in it for third parties to use 3D scanning + 3D printing to build custom security overlays … and/or for PIN pad manufacturers to supply 3D printing files to their customers such that they could have them printed on demand by various 3D printing houses. Someone could publish stuff on shapeworks etc… heh, you could probably even reverse engineer the dodgy overlays to improve the security check ones :)

      • You could even have a rotating set of ones with unique features. Then have someone whom would, weekly, remove the current and put on a new one….
        In otherwords a process to look at each unit regularly.

    • That’s a very good idea.

  10. Notice the need to swipe the card. EMV effectively blocks this hack.

  11. No, it just shows the age of the film. Now someone had a good question. Who has unfettered access to these devices, Walmart security, and who else, those that fill and maintain the machines.none of them are vetted. Or trained to maintain the machines outside of their field of expertise. Put in key, turn, do their job, secure the machine, don’t notice that thing. Do the job.
    Even Walmart, has been cutting store security and depending on the local police. So the first line is gone.
    About the new cards, just give them time, the. Bad guys will find a way. Don’t doubt it, they will. And it will fly under the radar, for a while.

  12. Another good story on github, I found it on Slashdot.org/story/317497 about online stores.

  13. Who needs to sit in a car to download the data from the skimmer, we’ve all seen the vast numbers of folks standing in various locations on street corners and in store aisles, navigating their smart devices, comparing prices online, catching up with a text, or….downloading the info from skimmed cards. Too easy….

  14. Add a form-fitting ABS cover, hinged at the back, with a central ring around the hinge, and the ring cabled to an anchor behind the counter. To use, lift the cover and swipe.

    If the cover cannot be closed, then something is in the way.

  15. Strange. My Bluetooth devices only have a range of about 10 meters. Are you sure that wasn’t a typo?

  16. I don’t know why they must use something which is over the air. pretty soon they’ll be scanning fingers, hands, and/or eyes. I wonder how long they will sit on their thumbs before implementing the ultimate lazy device: the implanted microchip. never take the mark, even if it enabled you to always remain connected to the Internet, gives you super powers, telepathy, etc.

    • Don’t push the implant route please, I have no interest in needing one of those to manage my day to day life. And please remember, just because it’s new and seems secure to you doesn’t mean it is. What happens when they can clone them or man in the middle through a nearby device, or fake your code being transmitted. It’s just new, that doesn’t make it secure.

  17. Tokenisation, Apple Pay and Android Pay, why are you not using it?

    Swiping a card like a caveman from 1984 will only get you into trouble.

  18. Well… maybe a new[ next? ] generation [ a real one ] of radio-firewalls / sniffers / monitors would be something useful.

    Maybe… only if the market requests it, of course.

  19. In the event that a normal person did identify a skimmer at, let’s say, Walmart, what should they do? Call the police? Notify Management directly? Go WWE SmackDown on it in the checkout isle?

    • WWE SmackDown would be awesome to see. Just rip it off the lane and bodyslam it on the floor. A quick leg drop to finish it off and walk out the front door like a boss.

  20. codec networks is best institute in Delhi it is best place for recommended

  21. No doubt convenience will continue to outpace security and bluetooth is very convenient for all. I even turn my WiFi off my new TV when not connected to the net. Ahh nothing like technology…