26
Feb 17

More on Bluetooth Ingenico Overlay Skimmers

This blog has featured several stories about “overlay” card and PIN skimmers made to be placed atop Ingenico-brand card readers at store self-checkout lanes. I’m revisiting the topic again because a security technician at a U.S.-based retailer recently shared a few photos of several of these devices pulled from compromised card terminals, and the images and his story offer a fair bit more detail than in previous articles.

An "overlay" skimming device (right) that was found attached to a card reader at a retail establishment.

An “overlay” skimming device (right) that was found attached to a card reader at a retail establishment.

The device featured here is a Bluetooth-based skimmer; it is designed to steal both the card data when a customer swipes and to record the victim’s PIN using a PIN pad overlay.

The Bluetooth component of the skimmer allows the thieves to retrieve stolen data wirelessly via virtually any Bluetooth enabled device — just by being in proximity to the compromised card terminal (~30 meters).

If we look on the backside of this skimmer, we can see the electronics needed to intercept the PIN. The source who shared these pictures said an employee thought the PIN pad buttons were a little too difficult to press down, and soon discovered this plastic overlay and others just like it on two more self-checkout terminals.

PED1

Here’s a closeup of the electronics that power this skimmer (sorry, this is the highest resolution photo available):

closeupe

This model of overlay skimmers appears to be quite similar to a version sold in the cybercrime underground and detailed in this post.

According to my retail source who shared these pictures, the overlay skimmers used parts cannibalized from Samsung smart phones. The source said the devices placed themselves in a mode to transmit stolen card data and PINs as soon as they were turned off and back on again. Investigators also discovered that they could connect via Bluetooth to the skimming devices by entering the PIN “2016” on a Bluetooth-enabled wireless device.

However, the source said none of the overlay skimmers they found appeared to have any on-board data storage, suggesting the thieves had planted a second wireless device somewhere in or near the store and were hoovering up card and PIN data via Bluetooth in real time. Or, perhaps the crooks were simply sitting outside the store in the parking lot, using a laptop and high-gain antenna to pull down card and PIN data.

skimside“We combed the property for something like an old cell phone gathering data, but we didn’t find anything,” the source told KrebsOnSecurity.

Customers generally are the first line of defense against these types of scams. Not long ago, KrebsOnSecurity published a post on how to spot Ingenico self-checkout skimmers. Unfortunately, most of the telltale signs are only noticeable if you are already well familiar with the appearance of a legitimate Ingenico ISC 250 terminal. Nevertheless, most of these skimmers will detach themselves with a gentle tug on the card reader.

For more tips on spotting these Ingenico overlay skimmers, check out this post. Want to read more about skimming devices, check out my series, All About Skimmers.

Tags: , , ,

78 comments

  1. Retail stores frequently have Starbucks or Subways on premises. A hacker could sit there for hours hoovering up bluetooth data. Another point, who is manufacturing the overlay parts? Are they OEM overruns? Are they custom made counterfeits?

    • 3d printers are easy to come by

      • If you look at the images of the back, they are almost certainly not 3d printed. No flow lines. They’re also a poor shape for 3d printing, likely requiring support structure that would be cut out after production.

        They’re slightly larger than the originals so they can slide over as well. So not factory extras of standard parts.

        I’d take a guess that they’re injection molded. It requires an initial outlay ($1,000 US) for many US-based setups, but if they’re being resold online they could easily be produced offshore for a few cents per unit after setup costs.

        • I agree w/ your analysis. (Came here to write the same.)

        • Not all 3D printers do that. High end ones have very nice detail and in all kinds of materials. We’ve used Shapeways to print model train parts and they have come out looking really nice. You can browse other people’s projects to see for your self.

        • We’ve used a company called Shapeways which has produced very high quality stuff without lines so professional grade 3-D printers would be able to produce this, IMHO. You can browse their website to see other people’s work to see it for your self.

          • I’ve seen acetone dips used as a way to smooth the rough edges that are telltale signs of a 3D print. Search “acetone 3d print smoothing”

      • There are not 3D printed. They are 100% plastic molds.

    • They are custom. They have the form and appearance of the real thing but are oversized so as to fit over the real thing.

    • My favorite supermarket has a Starbucks near one corner of the store and their sitting area is largely out of sight in the very corner.

  2. IRS iTunes Card (real)

    Real nice photos

  3. How long does it take to place one of those devices? How come the store staff isn’t paying attention, or is it so quick, that there’s no time. Maybe store front office staff needs to check their skimmers many times a day to make sure they’ve got the legit box installed, not an overlay. When they find an overlay, do they know to call the police?

    • They are essentially a 1-2 second snap over install.

      Videos have shown two persons working as a team where one distracts while the other places the device.

      Cashiers could be trained to take a look afterwards anytime they are so distracted and warning labels could be placed around the cashier’s station to raise awareness. I think the second is unlikely to happen given the fear/risk of scaring off customers from using their debit and credit cards. If customers are scared into using cash, the stores lose because transaction time and cash handling fees increase, and card issuers are deprived of card related fees. So as long as this tech doesn’t become widespread, and a big financial drain, there is quite some incentive for all parties to keep the current model on the way to obsoleting swipe functionality.

      Best advice for users is still:
      – Use a modern payment method like Apple Pay (note Samsung pay using the mag loop technology plus PIN should be as vulnerable as swiping because it transmits the card data into the mag readers);
      – if you must swipe, use a credit rather than a debit card as this deprives crooks of 1) the debit card vector necessary to empty your bank account, 2) the secondary piece of info required by some merchants to charge your CC as you may have to sign rather than enter a PIN;
      – note that while contactless RF/NFC may not require a PIN below certain limits, the tech in contactless cards has become vulnerable due to the ubiquity of Android NFC equipped phones and the ease with which skimming software downloaded from the internet can be installed on them to make portable NFC skimming devices something not believed possible for crooks to do with iPhones as Apple restricts NFC functionality.). Request your card issuer to send you a replacement card w/ chip but w/o contactless functionality. If this is not available, consult the internet to see how to disable contactless functionality by disabling the antenna in the card.

      • As far as I know the card communicates over NFC just like it would for chip-based transaction, that is using challenge-response and not by sending card/account data.

      • My recommendation continues to be to pay cash for all in person transactions. This is the only way to ensure protection and also the only way that the businesses will see that it is costing THEM to not solve the problem.

        Costing THEM in the time it takes to make change and costing THEM in lost card transaction revenue and costing THEM by loosing marketing/tracking data.

      • Robert, you do know that samsung pay works the exact same way as apple pay in the backend? When you add a card to samsung pay, it doesnt simply clone the card stripe. How do you think it gets the card ata in there if it doesnt have a card reader? In order for it to work, your bank has to have a deal setup with samsung so that when a card is added to your phone, a different digital card number is assigned to your device. Then each transaction is created with a unique id that changes each time is the basics of it as far as I was expolained to and understood it.

        Also, in the US, I have yet to see a credit card that allowed contactless payments. Anyone thinking your card works with contactless payments through the chip is wrong. The chip is connected inside the card terminal like a sim in your phone. There’s little metal nubs that slide against the chip to make the connection. The rfid blocking wallets, etc are all completely useless in the US as far as i know. If theres any company offering contactless cards, I havent heard about them. That doesnt mean they dont exist, but theyre few and far between if they do.

        • 3-4 years ago I had a Chase Freedom card that supported contactless payments. Cashiers would look at you like you were an idiot, and then the receipt would print out. This card did NOT support the contact chip cards (EMV).

          More recently, the Citi Costco Visa cards support contactless and EMV.

          Trust me, I know the difference between the tech, as well as a great deal of the PCI-DSS.

        • Wasn’t aware that the Samsung mag loop worked that way as I understood it to be one way communication only from phone to terminal. If it is comparable to AP then good on Samsung.

          Re contactless, we received contactless Pay from Amex Delta Skymiles, US Bank Visa and Costco Visa. The two former were able to be ordered w/o the RF contactless feature. The Costco Visa wasn’t, so we determined the location of the antenna and punched a hole through the card to destroy antenna continuity.

  4. Why are the + and – keys reversed on the skimmer? Was that just a mistake, or does it serve some purpose?

    • If the plus and minus keys, being reversed is somehow more than a one-time careless mistake on the part of the criminals, than you’ve spotted an easy way to identify the fakes. May I suggest to you Brian – that you obtain one more bit of information for us for this article? The right-hand side of the fake where one slides his card is visibly wider than the original. Why not provide us with the dimensions? Users could make two marks from the edge of their credit card(s) – one indicating the width of that area on a “real” machine, one indicating that width on a fake. Then we could all be easily identifying this particular type of skimmer without beating on them during check-out.

        • Hampton DeJarnette

          There is an apparent discrepancy in this photo. I assume that the photo’s ruler is in centimeters, and if so the image on the right (which is the genuine scanner) would measure about 14. 1 centimeters in width if the scanner is actually 5 9/16 inches wide. Instead, the ruler in the photo measures the width at about 11.1 centimeters which is about 4 3/8 inches.

          This would be explained if the ruler was closer to the camera than the scanner. Assume that this is true.

          Now look at the strips on the right-hand sides of the scanners; that is, the narrow strips that run from top to bottom and that have the “credit card” symbol at the top. The strip on the phony scanner is about twice as wide as the strip on the true scanner.

          If you measure the width of the phony scanner by the ruler in the photo, it is about 1.6 centimeters wide. Multiply this by (14.1/11.1) to get 2.0 centimeters or about 0.8 inches as an estimate of the true width of the strip on the phony scanner.

          The payoff? A penny is about 0.75 inches in diameter. If the strip is about as wide as a penny, the scanner is phony.

          Note that I made two assumptions, and each one has only about a 90% chance of being right, so the whole argument is only has about an 80% chance of being right. Sorry it’s not better, but the results are only as good as the photos.

    • Possibly an assembly mistake by the purchaser. The rubber keys can probably be detached and reattached easily, if they are individual, and not a complete one piece pad. In which case, it’s not a sign that will distinguish.
      Can’t tell from the pics if the keypad is a one piece or not.

  5. Great update Brian! Since your first report on this, I’ve been doing tug tests, and explaining to cashiers why and what to look for. Most have had no training whatsoever! I’m still of the opinion, however, that these are inside jobs or at best done by a support contractor that has access to the premises when staff are not there…

  6. All pin terminals in the shops i go to (the netherlands) have custom stickers in strategic places. I have no idea if they are checked (daily) but it would quickly indicate a “replaced” unit.

    We have moved away from stripe to EMV chip so skimming has gone down drastically 40M (2011) to 1,7M (2015).

    Regarding the how to place the overlay i found that they either use a big package (30 rolls of toilet paper) to block the terminal from view or people have themselves locked in to place the equipment.

  7. Living in Germany I only use cash but always check the ATM by being ruff to the Pin-pad.

    According to the photos the skimmers get more and more sophisticated… we definitively need (better) countermeasures in the future!

  8. One simple solution may be to add some molded out protrusions to the design of these terminals. This would make any overlay more difficult to fit.

    Also if the protrusions were adjustable there could not be a standard mold to fit all.

    • I I were the merchant, I’d get my handy-dandy sharpie and put an “X” somewhere on the face of my terminal. And monitor if my “X” disappears.

  9. Why don’t the card reader manufacturers make the bodies of their equipment with large plastic knobs in opposite directions? That would prevent something from being snapped onto the card reader.

  10. I have spent lots of time at Sams Club and they regularly (multiple times a day) measure the physical dimensions of the Ingenicos readers with a ruler to prevent this. Great Practice.

  11. Thats way toooo complicated
    it will take years to me undestood it.
    thats real hi-tech situation here…. what i know is method:
    You have card info.
    1.go online 2.order with info. 3.pick up the parcel.
    sell it and earn.
    2.nd buy some logins do the normal transfer.
    cash out and share with partners.

    • Are you seriously advocating criminal card theft and usage of stolen cards?
      Aren’t you forgetting that the company can track down the address they sent the package to and send cops too?

  12. I have noticed that a lot of card terminals at the point of sale, in both big box and smaller retailers, are now secured by a steel collar and padlock – securing the device to the platform on which it is mounted.

    It took how long for someone to think of this?

  13. (sorry for my english)
    I would love to know more about the guys behind these “skimmers” Brian. Do they happen to have the same “fingerprint”? I mean are they random un-educated crooks, or are they some educated white-collar crooks with background study in college computing or electronics or whatever?
    Are the guys installing these “skimmers” the same who designed and assembled the whole electronics? Or do they mostly buy it ready-to-use from some one else? My question basically is who first engineers these skimmers? who are the “brain” guys? what does they look like? I would say those who use these skimmers are probably uneducated scammers who bought it from internet, am I right? Or are they people who buy electronic parts and assemble themselves with their own knowledge? I would like to know more about the “social” aspect of your story than the technical field (if you please). Those “skimmers”, for me, look quite complicated to build for an average citizen. Thank you.

  14. Forgive me for being blunt, but being in the ‘processing’ realm – I would suggest that most (smaller) merchants would allow a random stranger to walk in and access information and terminal if said stranger provided a ‘real’ looking business card suggesting they are with either their merchant processing bank / ISO/MSP or a card association – and had a ‘story’ for their presence. Further – most merchants would embrace the idea of a “FREE” slip cover to protect their terminal.

    “Mr. Merchant, I’m Joe from MasterCard and we are in the market today installing protective covers on ‘registered’ merchant devices – can I see a statement which shows your merchant number so I can check your eligibility. (Joe then punches in info into a tablet and the screen comes back as approved) … GREAT – you are eligible – further, we’ve also brought you 6 rolls of paper – here put these away (while I slip this on) … This will also help with your PCI (since I saw that you are being pummeled with fees from your statement and this is a great BUZZWORD to draw your attention towards the idea I’m not the devil)”

    I regularly get calls from my merchant’s saying a person either called or stopped in who was with VISA… Yes – VISA has droves of personnel roaming the streets looking to save YOU money… However – the double duty which has been shouldered upon the mattress tag police (they are now also tasked with the challenge of patrolling for such tactics) suggests it’s not going away anytime soon, as they were already overburdened…

    If I call you and say I’m from KrebsOnSecurity to gain access to information or motivate you to do something – I’ve not broken any normally enforced laws… Brian can file suit, but the FBA isn’t knocking at my door. Congress has managed to make America the land of “not responsible for what I say”… When the robo call bothers you next time with “Cardmember Services” to lower your rate. Did they break any law that is enforced? Considering the sheer number of calls – I’m going to guess not.

    THANK GOD for EMV and the “smooth” roll out – otherwise bank’s might have lost a single DIME on Card Present fraud – but now they can easily cast the weight upon the merchant base – and ultimately the public…

  15. Wouldn’t a transparent case help? If everybody KNEW the casing supposed to be transparent, there’s no way to place an overlay-pinpad or additional magstrip reader with power/storage/transmission without being evident.

    • Not a solution, the overlay would then be transparent as well. And who would know what bits of electronics are supposed to be there and what aren’t? The battery would be hidden within other parts.
      How many customers or employees would know how much electronics is supposed to be inside and of what type?

  16. Im not advocating.
    Its just the common way and it sounds simple.
    and its been mentioned here on krebs blog too that how
    carders shop to drop.with card information.
    and police? What they can do ? Item might be sold
    and they dont use real name.
    i think many fraudsers not so tech savy to use
    this terminal hi-tech things. If the would thats the Error?
    Why they not use their brain for university or some
    constructive purposes.
    if person can do something like this then something must be really wrong ? Why we don’t give good jobs for smart people?
    And give them good education? its waste of humen resources.
    now my other question is? Society dont need wise people then??
    Why its like wise people who is capable to help our society structure….but? They end up doing some low life stuff.
    so assome that most of carders fraudsters are uneducated dumbheads….and carding online shop will be easy way for them earn.if they want to earn in this work field.
    If u brain small and u try to acomplishe something too difficult and tech savy then im sure you end up wasting your time to try to something too complicated.
    many people will choose too complicated ways in life.
    i suggest take deep breath meditate…and think whats the easy way.

  17. Best protection – use cash.

  18. The easiest way to spot this overlay is the obstruction to the stylus holder. With this overlay the stylus holder is partially blocked. If there is no space to hold the stylus, there is this overlay in place.

    If you make it a habit to return the stylus to the holder, instead of letting it hang down, there is no way you’ll every be fooled by this overlay.

  19. Any thoughts on using tamper-evident security stickers, placed in visible locations, to make these overlays easily, visually noticeable? I’m thinking of the stickers they use to protect gas pumps. That way the thieves would need to replicate the stickers in addition to the overlays. I know this isn’t a fix-all but I bet it would help.

  20. I thought Bluetooth range was ~10m / 30 feet, not 30 metres?

    I admit my info might be out of date or just plain wrong. Can anyone verify?

    • Bluetooth 4.0 (the current revision built into most mobile handsets) has an effective range of up to 300ft, depending on interference.

  21. For large retailers, perhaps a simple and quick fix would be for checkout terminals have a second-tier of visual confirmation. Something like every week, applying a customized & color sticker on the keypad pad. A low-tech solution, but it would add a layer of complexity as long as the sticker format-content changes and isn’t predictable. Alternatively, simply having a manual physical check of the devices as part of the daily closeout/shift changes. It may not catch immediate installation, but would reduce time in place.

    • Task different checkout employees with finding a small stuffed toy mascot at a different retailer to superglue to an unobstructive area of the casing. Unpredictable, hard to replace (or at least awkward and time-consuming), impossible to just snap an overlay over, obvious if suddenly absent – while just looking like whimsical decoration to shoppers.

  22. I wonder what the viability would be of incorporating countermeasures using an integrated bluetooth component into these POS systems that only scans for any nearby bluetooth devices.

    If a device is visible by the POS unit for a specified amount of time outside of the normal threshold for a shopper’s interaction (indicating a possible hidden/stashed device), it could trigger an alert to the main POS monitoring station. Speaking specifically in regards to the multi-checkout implementations such as Walmart, but could ostensibly be adapted for smaller merchants as well.

  23. If these are injection molded, it is way more than a $1000 up front cost. An injection mold for something this size, even making it over in China or somewhere cheaper, would be a minimum $10,000-20,000 for just a 1-up mold. If you wanted to make a lot of these, you would need to run multiple cavities, and then you are talking more like $50,000 for the tooling, and you need a very large machine to run it.

  24. Has anyone found a good way to scan and locate these devices for removal? Some type of bluetooth scanner/locater perhaps?

  25. Another subtle difference between the actual and fake overlays in terms of identifying the fake is the position of the hole where the green LED in the upper left corner is located. In the actual overlay, the LED is in one of the surface texture holes or dots, if you will. On the fake, the hole for the LED is in between two of those surface features.

  26. http://www.ITMeets.guru is a search engine for hackthons, gaming events, cyber security conferences, upcoming events in 2017, infosec events.

  27. I manhandle ever Ingenico I see now days.. Thanks Krebs!

  28. I am also more concerned about gas pumps since they are not adopting EMV anytime soon(making them prime targets for stolen card data.) I continue to see pumps with no security tape. I have to wonder why this is even considered a solution since it is always messed with my regular customers. Why not come up with a more secure way to protect the card readers, and their inner workings? I realize shim based card readers will be inevitable, but maybe have the gas stations investigate daily as a way to increase protection. I guess there isn’t enough of an outcry about it to garner support.

    • And it is hard to as a customer to register a complaint.

      This may be one instance where governments “hands off” policy has gone too far.

      Time for Gas stations to go all chip.

      When traveling one isn’t always comfortable going inside to pay.

  29. Vendors could add a light sensor that shuts down terminal when covered. I would randomize the location and/or use multiple sensors. Yes, it would add to the cost per unit, but the vendor(s) could promote them as “anti skimming” and write off the costs as marketing.
    OR
    Adding store logo stickers to the front would be a great visual checkpoint.

    • ” This article describes a new design, using ambient light “seen” by the detector in two places – typically between the rails and just to the side of the track. When it notices the track light level fall below the level of the second sensor, it “indicates” the presence of an obstruction (car or loco). The beauty of this “differential” measurement is that it operates over a very wide range of light levels, does not require “aiming” to a target, needs no adjustments . . .”
      http://model-railroad-hobbyist.com/node/26133