26 Feb 17

More on Bluetooth Ingenico Overlay Skimmers

This blog has featured several stories about “overlay” card and PIN skimmers made to be placed atop Ingenico-brand card readers at store self-checkout lanes. I’m revisiting the topic again because a security technician at a U.S.-based retailer recently shared a few photos of several of these devices pulled from compromised card terminals, and the images and his story offer a fair bit more detail than in previous articles.

An “overlay” skimming device (right) that was found attached to a card reader at a retail establishment.

The device featured here is a Bluetooth-based skimmer; it is designed to steal both the card data when a customer swipes and to record the victim’s PIN using a PIN pad overlay.

The Bluetooth component of the skimmer allows the thieves to retrieve stolen data wirelessly via virtually any Bluetooth enabled device — just by being in proximity to the compromised card terminal (~30 meters).

If we look on the backside of this skimmer, we can see the electronics needed to intercept the PIN. The source who shared these pictures said an employee thought the PIN pad buttons were a little too difficult to press down, and soon discovered this plastic overlay and others just like it on two more self-checkout terminals.

Here’s a closeup of the electronics that power this skimmer (sorry, this is the highest resolution photo available):

This model of overlay skimmer appears to be quite similar to a version sold in the cybercrime underground and detailed in this post.

According to my retail source who shared these pictures, the overlay skimmers used parts cannibalized from Samsung smartphones. The source said the devices placed themselves in a mode to transmit stolen card data and PINs as soon as they were turned off and back on again. Investigators also discovered that they could connect via Bluetooth to the skimming devices by entering the PIN “2016” on a Bluetooth-enabled wireless device.

However, the source said none of the overlay skimmers they found appeared to have any on-board data storage, suggesting the thieves had planted a second wireless device somewhere in or near the store and were hoovering up card and PIN data via Bluetooth in real time. Or, perhaps the crooks were simply sitting outside the store in the parking lot, using a laptop and high-gain antenna to pull down card and PIN data.

“We combed the property for something like an old cell phone gathering data, but we didn’t find anything,” the source told KrebsOnSecurity.

Customers generally are the first line of defense against these types of scams. Not long ago, KrebsOnSecurity published a post on how to spot Ingenico self-checkout skimmers. Unfortunately, most of the telltale signs are only noticeable if you are already well familiar with the appearance of a legitimate Ingenico ISC 250 terminal. Nevertheless, most of these skimmers will detach themselves with a gentle tug on the card reader.

For more tips on spotting these Ingenico overlay skimmers, check out this post. Want to read more about skimming devices? Check out my series, All About Skimmers.

78 comments

  1. Banks are bad. Don't use credit cards, etc.
    Use e-wallets.
    In Eastern Europe, Africa, the UK, and Europe they are very convenient to use.
    And you have a lot of exchangers. Basically you have access to your funds 24/7, just beautiful.
    Good payment solutions: Payeer (you get a nice ATM card)*
    PM: it's a fast and speedy reliable service, low cost.
    Bitcoins: LocalBitcoins exchange is the best.
    E-wallets and cryptocurrency: no errors, no BS.
    Quick, no names, no BS. Instant money transfers worldwide.
    And no fraud.
    I got no time to waste in my life.

    • LOL, where do you think the money in an e-wallet is besides a bank?
      Bitcoin – ya know where your money is if the bit bank gets robbed? GONE, lol. If your bank gets robbed, you still have it. True story.

      • Jim Strathmeyer

        No, people steal money from my bank all the time. But for some reason the bank claims the thieves took my money, not theirs.

      • Not all e-wallets / mobile money services are tied to a bank.

        A commonly used e-wallet / mobile money service in East Africa is called M-Pesa. No bank is tied to it.

  2. I used to work for this company and they don’t take security seriously.
    They know about flaws in their systems but ignore them.
    They dispose of terminals in skips which the public have access to.
    This would allow any person that wants to the ability to see inside a terminal.

  3. I find it a bit odd that businesses haven’t adopted some form of SOP to combat skimmers.

    One would think that they could start checking all POS or any customer-facing devices periodically, every 2-4 hours, but then again most businesses might not have the inclination to add more to their process…

    • PCI DSS requires companies that process payment cards to have procedures for regular inspection of POS devices, and to train staff to identify skimming devices and tampering. Inspection should be performed (and documented) at shift changes.

      Motivation to do this should be passing PCI audit and retaining the privilege of accepting payment cards. Not to mention that any skimmers installed should be detected quickly, limiting impact of the breach (who wouldn’t want that?).

  4. The EMV standard (Chip and PIN) would solve this issue. And RFID solutions probably do as well. So is this only a problem in retailers that are behind the times in adopting modern, secure technologies?

  5. Did you highlight this guy because of the video smack he made of you Brian Krebs? https://youtu.be/ZUg_MposOZ8

    funny!

    • Funny how older video uploads by the same user show a friend's car and the full license plate of that car. “How did they catch me….?”

  6. In the picture of those units next to each other, the name of the unit is different. The phony leaves out the word “touch” on the front of it.

  7. Notice the + and – are different. =)

  8. Cash is KING!

  9. I saw one of those for sale at a local flea market. $199.99

    Deal or dud?

  10. Why is an employee pressing the PIN pad buttons? Hmmm…

    • Maybe because they were making a purchase? It’s not uncommon for employees of a retail environment to be buying things…