February 6, 2018

When you realize how easy it is for thieves to compromise an ATM or credit card terminal with skimming devices, it’s difficult not to inspect or even pull on these machines when you’re forced to use them personally — half expecting something will come detached. For those unfamiliar with the stealth of these skimming devices and the thieves who install them, read on.

Police in Lower Pottsgrove, PA are searching for a pair of men who’ve spent the last few months installing card and PIN skimmers at checkout lanes inside of Aldi supermarkets in the region. These are “overlay” skimmers, in that they’re designed to be installed in the blink of an eye just by placing them over top of the customer-facing card terminal.

The top of the overlay skimmer models removed from several Aldi grocery story locations in Pennsylvania over the past few months.

The underside of the skimmer hides the brains of this little beauty, which is configured to capture the personal identification number (PIN) of shoppers who pay for their purchases with a debit card. This likely describes a great number of loyal customers at Aldi; the discount grocery chain only in 2016 started accepting credit cards, and previously only took cash, debit cards, SNAP, and EBT cards.

The underside of this skimmer found at Aldi is designed to record PINs.

The Lower Pottsgrove police have been asking local citizens for help in identifying the men spotted on surveillance cameras installing the skimming devices, noting that multiple victims have seen their checking accounts cleaned out after paying at compromised checkout lanes.

Local police released the following video footage showing one of the suspects installing an overlay skimmer exactly like the one pictured above. The man is clearly nervous and fidgety with his feet, but the cashier can’t see his little dance and certainly doesn’t notice the half second or so that it takes him to slip the skimming device over top of the payment terminal.

I realize a great many people use debit cards for everyday purchases, but I’ve never been interested in assuming the added risk and so pay for everything with cash or a credit card. Armed with your PIN and debit card data, thieves can clone the card and pull money out of your account at an ATM. Having your checking account emptied of cash while your bank sorts out the situation can be a huge hassle and create secondary problems (bounced checks, for instance).

The Lower Pottsgrove Police have been admonishing people for blaming Aldi for the incidents, saying the thieves are extremely stealthy and that this type of crime could hit virtually any grocery chain.

While Aldi payment terminals in the United States are capable of accepting more secure chip-based card transactions, the company has yet to enable chip payments (although it does accept mobile contactless payment methods such as Apple Pay and Google Pay). This is important because these overlay skimmers are designed to steal card data stored on the magnetic stripe when customers swipe their cards.

However, many stores that have chip-enabled terminals are still forcing customers to swipe the stripe instead of dip the chip.

Want to learn more about self-checkout skimmers? Check out these other posts:

How to Spot Ingenico Self-Checkout Skimmers

Self-Checkout Skimmers Go Bluetooth

More on Bluetooth Ingenico Overlay Skimmers

Safeway Self-Checkout Skimmers Up Close

Skimmers Found at Wal-Mart: A Closer Look


114 thoughts on “Would You Have Spotted This Skimmer?

  1. Larry in Upstate NY

    @Peter & Dave-
    Thank you both for your replies!

  2. Tom

    Crooks must make a lot of money from skimmers. They have to figure out which scanner, get specs, create the 3D design, the electronics, install it, retrieve it. Out of curiosity, are there dark web sites that sell pre-made skimmers. If so, what’s a typical price?

  3. Exploit4awareness

    Everyone in the industry knows that skimmers have been around for decades, and won’t be disappearing anytime soon. If you’re browsing this website, then you’re already a step ahead of most. Be alert for anything that looks even remotely out of place, misfitted or loose , and yes, tug on the overlays. Keep doing good work, Brian.

  4. ThaumaTechnician

    Every time I see a pinpad with that gawdang rubber shield that makes it obvious what buttons you’re pressing, it takes a lot of self-control for me to not rip it off.

    Now, I’ll be able to to claim that I’m testing for skimmers. Thanks!

  5. Forebode

    I guess this might be a silly question but… why keep using these aio devices for entering data. Why not separate them. Run a wire to the card reader that would be more in plan sight. model the exterior with a flat/flush face where you enter the card the same way for both chip and stripe. leave it in there for stripe read, quickly insert extract for stripe read.

    Add a auto closing cover that covers the slot when not in use, activate by cashier when they select credit or put the order in payment mode. Shield the crap out of the device. Add an insert, that when the cover closes, an insert the exact size minus a 1/10 of a mm on each side, slides into the slot for cleaning and to avoid any slim skimmers.

    Build the touchpad similarly, with an off/deactivated mode where the cover closes and the spacing is close enough that nothing could be overlayed.

    Costly? How much is a breach of this nature worth to you?

    1. Geebo Harris

      This is a great suggestion. There’s no real reason these things have to be sitting out exposed all the time, put them in a friggin metal box bolted or welded to the counter that the cashier activates a door when they close a sale. The times there isn’t a cashier, the box just stays locked.

    2. SkunkWerks

      “Costly? How much is a breach of this nature worth to you?”

      Not all that costly if you’re talking about the company producing the tech (and therefore responsible for the design). They’re not held liable.

      The company using the tech is usually insured, and not much incentive is there to seek out better-designed tech.

      The cost is usually felt by the bank offering the account that got defrauded.

      But that cost is felt even more by you, the person who is- whether he knows it or not- inheriting the cost of said fraud insurance.

      When crooks say “victimless crime” it’s probably mostly true that this is uttered mostly to absolve their consciences.

      Still, the ultimate responsibility is spread so broadly that the idea that the term might have a valid application becomes more tantalizing.

  6. Paulette

    Are the Google Pay, Apple Pay, Samsung Pay or Pay Pal safer than using a card?

    Thank you

    1. Beeker

      Yes. It is. Due to the EMV standard, it provides a virtual card that is different from the actual card you have on hand.

    2. Beeker

      Yes. It is. It is based on the EMV standard that uses a virtual card instead of the real one.

      I had a person that thought like you when I returned an item and I didn’t have my receipt. I explained to him that I used my phone to pay for the product. He insisted that I used my card. When I did, it rejected it. I told him to “try it again, this time I use my phone.” It worked magically. You should have seen his face when I told him that I tried to tell him.

    3. SkunkWerks

      It’s considerably less vulnerable to ATM/card-reader skimming.

      Then again your debit card isn’t anywhere near as vulnerable to phishing attacks aimed at stealing the credentials you use to sign into these services.

      In that sense I suppose it’s a matter of what ~sort~ of risk you want to assume here.

  7. Maria Davis

    Last week, my debit card information was stolen. I had no idea how this could have happened. My credit union’s fraud center called to inform me. The credit union blocked my card so I didn’t have to deal with funds being taken. After I read the article on Aldi supermarket, I realized I had been to Aldi for the first time ever in Harrisburg, NC on 2/3/18 and the fraud attempt was on 2/5/18. Called my credit union and they will be reporting my suspicions to Master Card. Great article!

  8. Peg Kidon

    I was just at the Lower Pottsgrove Aldi’s on Feb. 8th, and when I was checking out, to be sure, I wiggled the keypad to make sure it wasn’t loose, and the cashier said rather abruptly, “It’s OK!” I felt like she was annoyed that I bothered to check, but in view of everything that has been going on, I felt completely justified in doing so.

  9. desentupimentos cascais

    skimmers for what? why not spend time working and skimmers!
    What do you think?

    Como sou português vou publicar tambem em portugues:
    skimmers paara quê? poruqe não passar o tempo a trabalhar e poupavam nos skimmers!
    O que acham?

  10. Beeker

    While it is a great article on the length that skimmers go through to put it on the POS while the employees are working, the reason it is easy is that most stores don’t train their employees how to spot it unless they put it out on the bulletin board to implore them to check it when they sign on.

    In this case, it happened while the store was open and there were no front end manager or supervisors watching the lanes something I complained about when I used to work at one such store in the past. The only reason it happens is due to the magnetic stripe on the back of the card. Until the banks starts eliminating it, it will happen again and again.

    This is one of the reason why I use AP (Android Pay) no matter where I shop. It is more secure and virtually impossible to clone due to its level of security required (EMV). It also have security features that you can lock it . On top of that, I put a daily limit on it through the bank.

    1. Dan

      To be honest, I don’t think I’d care about going over a checklist to check that kind of stuff if I was making 7.00-something an hour at a cash register. As long as all of my cash is present in the drawer at the end of the day, I’m good.

      One of the issues that management (across most disciplines) struggles with is overburdening employees with checklists and punch cards.

      1. Beeker

        While I agree with you about the employees not checking because they don’t get paid, however the system is set up to force the employee to check it before they are able to start work on the register.
        This is why I said that cashier heads (there’s several under the direction of the front end manager) should be stationed to be able to see the POS and be able to assist the employee when they run into problem that needs their approval code not hiding where they can’t see these things so they can socialize, or play with their phone during the course of the day. I had my share that I had to chew out the management staff about it- didn’t care what they think.

  11. Geebo Harris

    So people & clerks don’t get suspicious when the payments don’t go through?

  12. Michael

    The card terminal at my local Aldi looks very much like this skimmer, right down to the shield around the keypad. I told cashier that I’d never use it because it looked just like a skimmer I’d read about that very morning. (This article) Her reply. “Oh really?”

    The shield leads me to wonder how the heck this skimmer could fit on top of a legitimate terminal that has a shield. (Maybe a legitimate terminal has no shield? In that case (shudder) my local Aldi has at least one skimmer!)

  13. Dave

    One glaring thing here is how did they get it to sit over the rubber shield. It looks like this is an overlay and it does not appear that it would be easily placed on top of one of the devices that actually had the rubber security shield in place. So that must have been either missing or removed from all or just that one machine. If it was just that one that was missing it, it would have been obvious it did not match the others in the store on other checkouts. If that is the case what are the chances that cashier is open when the skimmers are there?

    Seems like there might be an inside operative pulling the rubber security shield in preparation for placement of the skimmer. I am putting my tinfoil hat back on now 🙂

  14. Brad

    I would never have picked up on this thanks for alerting me. I will let our client bases know as well.

  15. Mark

    One further example of lacking infrastructure in the US. The skimming problem would not be around anymore for years, had the US adopted faster to the chip-technology used in Europe for well over 10 years now already.
    Europe is more or less 99+% chip-capable and skimming is no issue at all anymore.
    America First – at least not this time….

    1. Casey

      Mark-

      Ironically enough, the reason that Europe adopted the chip as part of their bank card systems was not only to counter fraud, but also to allow for secure batch processing of transactions at the end of the day. Telecommunications in Europe was far more expensive and not as reliable/pervasive as it was in the U.S. in the 1980s and 1990s, so to save money, transactions would be approved with the chip and PIN combination, and cryptographically signed for anti-fraud purposes, so that the bank card industry in Europe would only verify that the chip key had not been compromised, and the transaction could be quickly processed one way at the end of the day.

      The U.S. had such a widely available, reliable, and affordable system in place that credit card transaction terminals could process the transaction at the time of sale. Since transactions could performed at the time of sale and checked against stolen card databases at that time, the need to encrypt that bank card data was not as strong. When the bank card infrastructure was developed and deployed in the U.S., the cost of card terminals were high, and the electronics and software to create skimmers were not at a point to make an easily concealable device.

      Engineers knew that the design wasn’t the most secure, but the idea was that the security would eventually catch up and be part of any terminal upgrades that would eventually come out. Unfortunately, the system proved to be very “sticky” and those upgrades were expensive. EMV cards have been discussed in the U.S. since the late 1990s and early 2000s, and banks issued them, but there were no terminals to utilize them.

  16. GBLOCk

    Could the authorities not look at the card that he used during that checkout to capture his identity?

  17. Caldeiras Gaia

    This young thief seems to have a good body to work, regrettable that his mother has not managed to do a good job!

    it seems certain that if they dedicate themselves to doing something useful, they would have great success!

  18. Occam's Razor

    Aldi is absolutely liable for any fraud that occurs due to the fact that they did not enable chip and pin transactions by the October deadline. The data was stolen because they are still using swipe and sign. It also would not be hard for cashiers or a manager to check the card readers for skimmers at the end each day, as skimmers are increasingly a known and widespread threat.

    https://www.usatoday.com/story/tech/2015/01/06/chip-and-pin-credit-cards-computer-security/21008389/

    1. Max Power

      The crazy thing is that I was at Aldi just a couple of days ago and they STILL have the chip readers disabled! (They accepted chip cards about 8 months ago but then stopped.)

      At least they do still accept NFC payments but very few people use those.

Comments are closed.