06
Feb 18

Would You Have Spotted This Skimmer?

When you realize how easy it is for thieves to compromise an ATM or credit card terminal with skimming devices, it’s difficult not to inspect or even pull on these machines when you’re forced to use them personally — half expecting something will come detached. For those unfamiliar with the stealth of these skimming devices and the thieves who install them, read on.

Police in Lower Pottsgrove, PA are searching for a pair of men who’ve spent the last few months installing card and PIN skimmers at checkout lanes inside of Aldi supermarkets in the region. These are “overlay” skimmers, in that they’re designed to be installed in the blink of an eye just by placing them over top of the customer-facing card terminal.

The top of the overlay skimmer models removed from several Aldi grocery store locations in Pennsylvania over the past few months.

The underside of the skimmer hides the brains of this little beauty, which is configured to capture the personal identification number (PIN) of shoppers who pay for their purchases with a debit card. This likely describes a great number of loyal customers at Aldi; the discount grocery chain started accepting credit cards only in 2016, and previously took only cash, debit cards, SNAP, and EBT cards.

The underside of this skimmer found at Aldi is designed to record PINs.

The Lower Pottsgrove police have been asking local citizens for help in identifying the men spotted on surveillance cameras installing the skimming devices, noting that multiple victims have seen their checking accounts cleaned out after paying at compromised checkout lanes.

Local police released the following video footage showing one of the suspects installing an overlay skimmer exactly like the one pictured above. The man is clearly nervous and fidgety with his feet, but the cashier can’t see his little dance and certainly doesn’t notice the half second or so that it takes him to slip the skimming device over top of the payment terminal.

I realize a great many people use debit cards for everyday purchases, but I’ve never been interested in assuming the added risk and so pay for everything with cash or a credit card. Armed with your PIN and debit card data, thieves can clone the card and pull money out of your account at an ATM. Having your checking account emptied of cash while your bank sorts out the situation can be a huge hassle and create secondary problems (bounced checks, for instance).

The Lower Pottsgrove Police have been admonishing people for blaming Aldi for the incidents, saying the thieves are extremely stealthy and that this type of crime could hit virtually any grocery chain.

While Aldi payment terminals in the United States are capable of accepting more secure chip-based card transactions, the company has yet to enable chip payments (although it does accept mobile contactless payment methods such as Apple Pay and Google Pay). This is important because these overlay skimmers are designed to steal card data stored on the magnetic stripe when customers swipe their cards.

However, many stores that have chip-enabled terminals are still forcing customers to swipe the stripe instead of dip the chip.

Want to learn more about self-checkout skimmers? Check out these other posts:

How to Spot Ingenico Self-Checkout Skimmers

Self-Checkout Skimmers Go Bluetooth

More on Bluetooth Ingenico Overlay Skimmers

Safeway Self-Checkout Skimmers Up Close

Skimmers Found at Wal-Mart: A Closer Look


114 comments

  1. itsmeitsmeitsddp

    Not saying that the crooks installing them are, but the overlay skimmers themselves are pro. The only thing I can think of that might give them away is the two pieces at the top or maybe the borders but without seeing it installed over a reader I can’t say for sure.

  2. Retailers who don’t accept cards with chips should be not allowed to process any credit card. I walk out of such places.

    • Retailers who don’t accept cards with chips bear the full responsibility for the fraud. That’s the incentive for them to upgrade their terminals.

      • Yes, they bear the responsibility of people using fraudulent cards to buy groceries in their own store or whatnot, but this is different. Aldi will not bear the responsibility for the missing money from these people’s bank accounts.

        I love how the story says that the cops are saying Aldi is not to blame (and I agree that the blame really does lie with the crooks), but Aldi has the ability to prevent this from happening again by switching to taking chip cards only.

        • Many of these retailers are trying to upgrade to CHIP technology, but are put on a years-long waiting list.

    • Good for you. I’m not quite there yet. My dentist has a portable reader but it still had the chip reader included.

      Now if we can get restaurants to bring a chip reader to the table, we would be in better shape.

      • Probably won’t happen unless the CC companies require a PIN instead of a signature. VISA has now started accepting transactions without even the signature. Europe is SO far ahead of the US on this……. ;-(

      • I was in an Olive Garden the other day that had that little pay at your table thing, and it did have a chip reader that I was forced to use. I was suitably impressed.

    • EMV wasn’t built to keep data from being stolen in the first place, EMV was built to combat stolen card numbers being used in card present transactions.

      EMV dip readers are also vulnerable. Bad guys use shimming devices, these shims fit inside the dip reader and are capable of reading the mag strip and in some cases the EMV chip data.

      While it’s more difficult for a bad guy to go after data via the EMV slot, it’s still doable.

      • Wrong. EMV isn’t compromised — show me one source; that would indicate the keys have been popped and chip cards could be recreated. You can’t because it doesn’t exist. Currently EMV is the safest method of protecting from fraud — only if the terminal requires it.

        • No, you have it wrong. You should have said prove it to us, that the card is secure. Any system can be hacked. Any system that has a monetary value, will be hacked. Underline, capitalize, but note, the word “Will.” Remember, your money may be the only way they can survive. Especially, when it’s a hard to prosecute crime,

          • FUD, glorious FUD.

            I’ve said all this before, but here we go again:

            – transactions are transmitted as cryptograms. These include a transaction counter, and are partially encrypted by the computer on the card using its own private key.

            – the private key on the card cannot be read out. Like any cryptographic key, it could be inferred – but this would require millions of time-consuming and easily-detectable test transactions (which can only be performed on the genuine card), and

            – any discrepancy in the transaction counter results in the card being shut down anyway, ie even a perfect copy can be detected and shut down in short order, rendering the entire counterfeiting endeavour pointless.

            Yes the crooks have to eat (and post selfies with sports cars apparently) – the success of EMV is why there’s been an increase in CNP fraud, ATM jackpotting, ramraiding, etc. When the stream encounters a stone it flows around it.

            As No stated, this system has not been compromised (what was it – underline, capitalize, but note the word *not*). It was designed from the ground up to be secure, and has already been in the wild for 30 years without counterfeit (there were a couple of processing hiccups due to boneheaded implementation along the way, but those lessons have been learned). All evidence supports that EMV is secure.

            • emv is not great in part because it has backward compatibility features, which are needed for the third-world countries which still insist on using magstripes, signatures etc

              you can still get track-2 data from the emv transaction, and use that to make a magstripe-only card

              you can use the “chip&signature mode”, which is another feature which should be disabled.

              etc…

              read this:
              https://en.wikipedia.org/wiki/EMV#Vulnerabilities
              https://www.cl.cam.ac.uk/research/security/banking/nopin/oakland10chipbroken.pdf

              • Can you tell me which third-world countries still insist on using mag stripe?

                Only in the United States magnetic stripe readers are still the norm.

              • EMV doesn’t address old security vulnerabilities – it’s designed to replace them. So yes, mag stripes are still vulnerable; and yes, chip & signature is less than ideal. Both need to be phased out asap.

                You can obtain track-2 data from the EMV chip and make a card, true – but that data will include a flag that specifies the card is a chip card. A payment terminal encountering such a card should ask for the chip (which won’t work), and decline fallback to the mag stripe. Unfortunately this is not always the case, but that’s down to merchant/acquirer implementation and not a failure of EMV itself.

                Chip & signature is a vulnerability for lost and stolen cards – but lost and stolen cards have always been vulnerable. The weak point here is cardholders keeping track of cards, and again not a failure of EMV.

                I’m not sure I see the relevance of the links you included – the first relates mainly to attacks on the mag stripe, and the second to a known implementation vulnerability from 2010/11 that’s been patched for years.
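The check described in the comment above, as an added example that is not part of the original post or thread: the "flag" is the first digit of the three-digit service code in Track 2 (ISO/IEC 7813), where 2 or 6 means the card carries a chip. The decision labels, the policy function and the sample swipes (built on a well-known test card number) are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMM SSS discretionary?
# 'D' and trailing 'F' padding are accepted so chip "Track 2 equivalent" data parses too.
TRACK2 = re.compile(
    r"^;?(?P<pan>\d{12,19})[=D](?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)F?\??$"
)

# Constructed sample swipes (test PAN, not real card data).
CHIP_CARD_SWIPE = ";4111111111111111=30122010000000000?"    # service code 201
STRIPE_ONLY_SWIPE = ";4111111111111111=30121010000000000?"  # service code 101


@dataclass(frozen=True)
class Track2:
    pan_masked: str      # never keep or log the full PAN
    expiry_yymm: str
    service_code: str

    @property
    def chip_present(self) -> bool:
        # First service-code digit 2 or 6: integrated circuit card, chip should be used.
        return self.service_code[0] in ("2", "6")


def luhn_ok(pan: str) -> bool:
    """Standard Luhn check digit validation."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> Track2:
    """Parse a Track 2 record and return only the fields the policy needs."""
    m = TRACK2.match(raw.strip().upper())
    if not m:
        raise ValueError("not a well-formed Track 2 record")
    pan = m.group("pan")
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check")
    masked = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
    return Track2(masked, m.group("exp"), m.group("svc"))


def swipe_decision(raw: str, terminal_has_chip_reader: bool,
                   chip_attempt_failed: bool = False) -> str:
    """Hypothetical terminal-side policy for a magnetic-stripe swipe."""
    card = parse_track2(raw)
    if not card.chip_present:
        return "ACCEPT_SWIPE"                  # genuine stripe-only card
    if not terminal_has_chip_reader:
        # Chip card swiped where the chip slot is absent or disabled:
        # the transaction proceeds, but it is the risky case to score and monitor.
        return "ACCEPT_SWIPE_FLAG_FOR_REVIEW"
    if chip_attempt_failed:
        # A stripe copy of a chip card has no working chip; refusing fallback stops it.
        return "DECLINE_FALLBACK"
    return "PROMPT_INSERT_CHIP"


if __name__ == "__main__":
    for label, raw, chip_reader, failed in [
        ("chip card, chip terminal", CHIP_CARD_SWIPE, True, False),
        ("chip card, chip read failed", CHIP_CARD_SWIPE, True, True),
        ("chip card, swipe-only terminal", CHIP_CARD_SWIPE, False, False),
        ("stripe-only card", STRIPE_ONLY_SWIPE, True, False),
    ]:
        print(f"{label:32s} -> {swipe_decision(raw, chip_reader, failed)}")
```
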

            • Then, how are computers compromised? They are securely designed items? Or phones? And they do not have an incentive to be broken into. So, how and why are they broken into? Ah, business got ahold of them, and lowest common denominator, caused an expense. That limited the profit line, now explain to me how safe is safe? How much should safety cost? How much of a product should be safe? Remind me of Intel? Of Ms, appl, and Cyrus. Each had and has undiscovered flaws. Flaws that are not part of the usual operating system. And how much computing power has changed in five years. Single core, to sixty four cores operating on a motherboard. Now tell me how long till someone reports an intrusion into the atmosphere network, and some customer crying foul!

              • So hide your money in your mattress, burn your computer, and move into a cave. Please research EMV and how it works before posting such dribble. Yes technology can be broken. Yes the cryptographic algorithms will be broken sometime before 2035, but until then EMV is secure. (Until it is not).

              • Computers and phones aren’t designed to be locked-down secure like cards are – they’re designed to be connective and configurable and user-friendly too, and that’s where most of the vulnerabilities lie. Payment systems are relatively simple, so a buttoned-down, one-way cryptographic system is practical (and you understand the point about the transaction counter, right?) Computer systems are enormously complex by comparison, so the balance between security and usability is less clear – not to mention the issues caused by the multitude of device configurations, version control, developers, user setup, software installations etc.

                And no incentive to break into them? You seen the rest of this website?

  3. “Local police released the following video footage…” Uh, where? Do I have so much antispam and other software running that it doesn’t even show it’s there?

  4. This is one of the many reasons I use my credit card for all transactions. Credit card gets compromised, hassle but no big deal. Debit card/bank account gets compromised, major PITA. I only use my debit card at ATMs to get cash and I have lowered the signature and PIN limits to very low amounts.

  5. It is sort of ironic the video is of an Aldi.

    The Aldi stores near me got chip readers early last year with Apple Pay and everything enabled. After ~5 months they taped over the card insertion slot and now require customers to swipe again.

    I asked one of the managers and he said corporate required them to switch back because “swipes are faster”.

    I normally have a lot of respect for Aldi (disrupting the grocery industry and all that), but disabling chip readers is just madness.

    I would agree the older readers were pretty slow, but why not get newer readers rather than disable it? Some of the other merchants near me have been upgrading and they are able to process chips in less than a few seconds now.

    • Jakub Narębski

      Using NFC (contactless) payment is even faster.

      In both cases of swipe and dip most time is taken entering PIN, so what’s the difference?

      • you’re probably writing about your experience with credit cards in Poland, where the credit card processors are fast, and the whole infrastructure is very modern. unfortunately it doesn’t work like this everywhere.

        there are countries with stone-age infrastructure: no contactless, almost no chip, large volume of magstripe-only cards, processors take over a minute to authorize a transaction etc. some even have the copy card onto a paper slip thingie 🙂

    • It is a little strange. The Aldi terminals will take contactless cards as well as NFC apps, but not chip cards.
      It is my impression that the contactless handshake is pretty much the same as the EMV handshake, so I don’t understand why it’s faster.

  6. I try to never use my debit card. Don’t want the hassle of account being cleaned out. Use my 2 o/o back CC

  7. I don’t understand how employees or management don’t detect the changes to the physical appearance of their equipment.

    • The employees and management are not being taught to check the devices. Even when the employees are being taught they look at how small their paychecks are and they have concluded that they are not being paid enough to care.

      When I am standing at checkout, I say very loudly “you don’t mind that I am pulling on this scanner to make sure there is not a skimmer attached?” The employee often looks at me with puzzlement as well as the customers behind me. In your face education is the only way the masses will learn unless it’s in the facebook feed.

      I have to contend with local grocery store employees and managers that don’t care enough to tell shoppers that pets are not allowed in grocery stores (there is a difference between pets and trained service dogs.)

      • +1
        You wrote perfectly.
        It’s an education and apathy issue. I’ll turn it to the cashier and say, “If a customer’s credit card got stolen because your machine was defective, who do you think would lose their job? You or your boss?”

      • Actually, they do tell them on the bulletin board in the break room. Most of the employees are not tech savvy to understand it compared to me (I used to work in Stop & Shop in the past). I constantly tell the customer your card has a mag strip that has static information for anyone to clone it hence the reason why I use my phone to pay for it.

    • Some companies take this more seriously than others. I was in a Sam’s club recently and watched a manager go to each register and physically check the equipment. She looked it over top and bottom and then physically ran her fingers around the edges looking for anything out of the norm.

  8. I feel like the guy in this video could start a new trend called the SKIMMER DANCE. His dancing build before popping on the skimmer was amazing.

    • Made it look like he really needed to pee

    • I was thinking he was probably a tweeker.

      I bet the people get local young people to go in and install. They probably offer a quick tutorial as to how easy it is, and X amount for coming out with mission accomplished.

      Druggee isn’t going to ask questions – sees the easy and needs their drugs. Criminals probably are well versed in noticing a “problem” about to occur when the person comes out the store, and may even have some sort of alert set up, like “Wipe the top of your head when you come out the door if you’ve been detected” or something. Or just tell them to bolt fast if they get noticed. Seeing your (wo)man racing out the doorway would probably be a clue the device install is compromised.

    • To me it looked like the “pee pee” dance.

  9. Retailers are too quick to say , oh well, could happen to any retailer. No. How about instituting technology and process where the payment system is not accessible until the clerk is done scanning. The clerk can then concentrate on what is happening at the terminal.

    Everywhere we go, the payment terminals are easily accessible out of convenience. How convenient is it to deal with credit card theft? The costs paid by the card manufacturers to rectify these thefts will one day truly be realized by consumers. Today, they pretty much eat most of the costs. That won’t last much longer. Once the costs are felt by consumers, then the convenient accessibility of the payment systems won’t be an issue.

  10. amazing,

    thank you, i’m learning a lot off of you.

    regards
    diego

  11. I regularly shop at Aldi. In the checkout, they are focused on speed. There are no coupons and no sale prices. So checkers can scan as fast as possible. They encourage customers to swipe their cards while they are scanning the purchases. When done in sync, the card authorization is nearly instantaneous.

    That is a big difference from chip readers that display “Please do not remove your card” for many, many seconds.

    How does this skimmer communicate the data to the thieves? Wifi, Bluetooth, or memory card? Do they need to retrieve the device?

    • I feel like many retailers now have gotten around the extra long chip verification times by doing exactly what you described – encouraging the chip to be inserted while scanning is still going. Not sure if this was a change to the system setup to allow the insertion to be started earlier in the process* or just a change to shopper habits but making the verification a parallel process instead of serial means chip effectively doesn’t take any longer than swiping.

      *state liquor stores in UT are an exception which makes me think that other retailers may have had to adjust something behind the scenes. At the liquor store, if you swipe or insert the chip too soon, it doesn’t work and they get all irritated with you. You can only start once scanning your purchase is finished.

      • I will not put my card into a reader until all the purchases are scanned and totaled. This allows me to deal with any problems that i might have seen during the scan before the transaction is completed.

        • What “john clark” said. BEFORE they have your money, you have at least some leverage. You can, after all, just walk away. AFTER they have your money, you might as well go whistle for all that most of them care.

          • Wow, you and John must shop at some pretty lousy grocery stores. Where I shop, if there is ever a problem with a transaction, the cashier sends me over to customer service with the receipt and they take care of it right away, no questions asked.

            On a related note to your comment, there are some grocery stores around me where you can swipe or dip the card before the cashier is done and some where you can’t. I’ve never found the wait for the chip processing to be more than 5-10 seconds.

  12. I imagine with the expansion of 3D printing technology, it is easier now – even for a relative newcomer to the technology – to print these faux covers completely accurately and with a perfect fit, and even with plastic button springs included in the build! This kind of thing will get worse, until retailers insist on the chip dip method.

    Something that just occurred to me, is as long as your favorite retailers have the chip service – why not destroy the magnetic strip on all of your cards? That way there will be no way to steal EMV information if somebody pops some new kind of reader device in a dip reader? Seems worth it to me – you can always replace the card if things end up being too inconvenient. I don’t know why that would be the case though, as I’ve been to plenty of retailers whose magnetic readers are shot, so they enter the information manually, and don’t seem to mind doing that at all. What’s not to like about that idea? Before I shred an old card I always scratch the mag strip thoroughly with a knife – why not do it now with the new cards?

    • Consider this: You leave your cozy burg and personal cache of dip-friendly merchants and strike out to [wherever], and once there you discover that the hotel/restaurant/ATM/boutique/gas station is not dip-friendly. How much of your business trip or vacation would you be comfortable spending to find “replacement” merchants, ones that are dip-friendly.

      Another thing to consider is whether the ATM(s) you use require the mag strip. My local ATM has been strip-only forever. I don’t have an ATM card – my bank does not issue them – so I can access the ATM only with the credit card that my bank issued. If I (or others in this situation) merrily slice and dice cards’ mag strips,

      • Bank of America has instituted the cardless ATM where you can use the AP and Android Pay to make deposits and withdrawals whatever transactions you want. I have been using them far more frequently instead of the card. It is much faster in terms of getting things done.

        I heard three of the big banks are using cardless ATM (BOA, Chase, and WF).

  13. When I first started reading that article and some of the comments I thought it must be really old. ATM skimmers have been around for years – I can remember examining one back in about 2008. And who swipes cards these days? Chip and PIN must have been around for about a decade so why would you allow someone to swipe your card?

    • In the United States, magnetic strip readers are still the norm.

    • I would say at this point most US shops have (although some only relatively recently) shifted to chip readers by now (the big exception are self service fuel pump dispensers who keep getting extensions from the banks). The few stragglers still insisting on swipe transactions are seeing a significant amount of fraud.

      As mentioned in the article, the chip readers have been disabled in these terminals by the Aldi, although you can use NFC (which is what I use there – through Samsung Pay).

      • Take your card inside to the chip reader. Go elsewhere if the station doesn’t have one. Inconvenience is the price of safety. Or buy and drive a Leaf or other EV or hybrid.

        • +1

          “You have to swipe” merchants are effectively telling you to blithely by-pass a non-trivial security device and cross your fingers that you don’t take a bullet (so to speak). I don’t play that game. I make a slow show of surprise and deep disappointment, explaining that swiping is exceedingly bad form and that I hope the cashier relays this to the boss, and then I silently bow out. Store gets no $$ and has to re-shelve the abandoned merch. Think of it as tough love (and doing what you can for your security).

      • You can use Samsung Pay at gas stations, just insert a plastic card (like your driver’s license) to activate the reader, then hold the phone over.

  14. So “Armed with your PIN and debit card data, thieves can clone the card and pull money out of your account at an ATM.” how does this skimmer get the debit card data? I’m not seeing magnetic anything (although I haven’t had coffee and my admittedly thick glasses could probably use a cleaning).

    • (hit submit too fast, sorry) also, if you’re in a store where someone scans that fast for gosh sake ask the manager what kinda slave shop they’re running! I’m getting RSI just watching her.

      • They have special packaging with extra large barcodes to speed scanning. In addition, they’re paid quite well (for a cashier) to be that fast. The whole chain is based on speed, not polish.

  15. Would I have spotted this skimmer? Most likely no. I fell victim to a skimmer at the drive-through ATM at the local credit union. The skimmers did a very good job matching the ATM components. The CU covered the losses from the thefts. What I am concerned about is how the criminals acquire the parts to produce the skimmers. In previous articles you have reported shown skimming products that look as if someone assembled components in their garage. From the images in the article of the skimming overlay most people lack the skillset to produce such professional quality devices. Is there collusion with the organized crime rings and people within the ATM industry (examples: manufacturing, repair shops) to produce such high quality skimmers? Or is there some other explanation?

  16. Hey, I used the exact one in the picture here in Idaho.

  17. Any CC/DC end-point should have some form of anti-skimming technology installed, such as tamper-evident serialized labels up to the edges of where the card is inserted.

    No, this won’t eliminate the problem. But a daily check of all terminals would limit the problem to only a portion of a day. Costco Gas pumps use this solution.

    Using a bar code on the label would make for fast scanning to make sure that no fraudulent stickers were put in place and that they matched the serial numbers of the ones last installed.

    https://www.consumer.ftc.gov/blog/2017/06/avoid-skimmers-pump

    http://www.idplate.com/product/tamper-evident-labels/asset-id-tags-with-bar-code-labels

  18. > “compromise an ATM or credit card terminal with skimming devices”

    but note, of course it’s the card that’s being compromised. It’s the card that’s being skimmed.

  19. Dang, that guy must do magic tricks on the side!

    Personally, I always use NFC through my phone for purchases at Aldi.

  20. Good grief; I didn’t know that it was that easy! I like the way that the skimmer thoughtfully provides a privacy screen, too. Oh, and I won’t insert my card until all the goods have been totalled either; a couple of times the “checkout chick” (yes, invariably a young female) has grabbed some of the next customer’s goods for my pile as well. The sooner that the merchants understand that the customer is in charge of the transaction the better.

  21. Wow! A retailer that actually lets the cashier SIT to work the register. Like at a real desk job. What a revolutionary idea!

    • It is all part of the accommodation provided to employees. Most of the employees they hire tend not to be able to stand for hours. In this case, they made it easier by lowering the belt and register to allow an employee to scan the transactions.

    • That’s how they do it in Europe (where Aldi’s from).

  22. Interesting posts, just recently we have launched a Bluetooth skimmer detector, which enables you to find these types of skimmers in e.g. ATMs, gas pumps etc.

  23. Larry in Upstate NY

    Brian said he pays for everything with cash or a credit card.
    Can someone tell me if using a debit card (I don’t have a credit card) but choosing the credit option on the terminal screen is the same (security & liability wise) as using an actual credit card?

    • Yes, it works the same way, BUT the fraud protection from your bank does not. If you dispute the CC transaction, it is nearly painless, while debit card disputes take forever and can result in overdraft fees and other charges while you are waiting to clear it up.

      Just pay cash if they don’t have a chip reader. End of story. Just make sure you don’t take your cash from a swipe ATM. They can have skimmers too.

    • Larry, as smart as the people who read this blog are, that’s really a question for your bank. What Dave says may be true in general, but it may not be true FOR YOU.
      Check with your bank for a definitive answer.

  24. Recently, on a weekend night, I went to the ATM built into the outside of my CU building. It was very difficult to put my card into the reader and it only went part way in. I looked at the terminal and it didn’t say it was out of service. However, I removed my partially inserted card and pulled very hard on the card insertion area. Nothing seemed to be loose, but decided to go to another ATM at another of my CU’s locations. No problems there getting my weekly cash. No unusual transactions have shown up on my account, but I wonder what would have happened if I had actually used that ATM.

  25. I may have missed reading a similar comment but is there by chance a movement for store owners or gas station owners to make part of their daily maintenance to check for skimming devices? The vendors selling the card readers could publish a method for verifying integrity.

    Thanks for this very informative site!

    • The problem is there isn’t much incentive for the retailer to check for skimmers. If the transaction goes through, there is no fraud and the retailer and the customer are happy. The fraud comes later when the thieves use the information to create fake cards or whatever. That may or may not be fraud against the same retailer.
      The only incentive the retailer has to check for skimmers is if customers stop shopping there due to the lack of security or the constant fraud on their accounts, but how would a customer even know it came from a specific retailer? My credit card information was stolen twice in the past 9 months and I have no idea where they got it from.

      • Thanks Peter, good insight. That could be a good marketing campaign by brick and mortar stores saying they check for skimmers daily. They need something to compete against online retailers… I haven’t had my card skimmed from shopping at Amazon.

  26. Some day when cards are safe to use (lol)

  27. I can’t really see the guy installing the skimmer in the video – really the only thing that gives him away is the nervous dance he’s doing.

    • No kidding! I had to full-screen it myself to see, and even then it was hard to tell. Despite the obvious reach inside his hoodie jacket, the actual placement of it was subtle. I’ve slapped Post-It notes on my monitor with more movement.

      These skimmers are ridiculously easy to emplace. No wonder there’s a cottage industry around it. And it makes you think about the fact that theft of this kind is profitable enough to have commoditized components (well, practically commoditized). Payment card theft really is a business nowadays, isn’t it?

  28. Two things, since I use Aldi: first, looking at the pic here, is it the case that the enter key is *blue*, and not green?

    Secondly, Aldi people tell me that enabling the chip reader costs them more money, apparently a significant increase over just accepting cards. Given their prices, that could hurt.

  29. This happened near where I live. The local paper had a story today about it http://www.philly.com/philly/business/card-skimmers-at-aldi-trigger-search-for-suspects-20180206.html with a link back to a story on this blog about the same thing happening at Walmart last summer.

  30. Do the police have the rest of the video? You cannot help identify these crooks by looking at the backs only!