February 15, 2021

As a total sucker for anything skimming-related, I was interested to hear from a reader working security for a retail chain in the United States who recently found Bluetooth-enabled skimming devices placed over top of payment card terminals at several stores. Interestingly, these skimmers interfered with the terminal’s ability to read chip-based cards, forcing customers to swipe the stripe instead.

The payment card skimmer overlay transmitted stolen data via Bluetooth, physically blocked chip-based transactions, and included a PIN pad overlay.

Here’s a closer look at the electronic gear jammed into these overlay skimmers. It includes a hidden PIN pad overlay that captures, stores and transmits via Bluetooth data from cards swiped through the machine, as well as PINs entered on the device:

The hidden magnetic stripe reader is in the bottom left, just below the Bluetooth circuit board. A PIN pad overlay (center) intercepts any PINs entered by customers; the cell phone battery (right) powers all of the components.

My reader source shared these images on condition that the retailer in question not be named. But it’s worth pointing out these devices can be installed on virtually any customer-facing payment terminal in the blink of an eye.

Newer, chip-based payment cards are more costly and difficult for thieves to clone, but virtually all cards still store card data on a magnetic stripe on the back of the cards — mainly for reasons of backwards compatibility. This overlay skimmer included a physical component designed to block the payment terminal from reading the chip, forcing the customer to swipe the stripe instead of dip the chip.

The magnetic stripe reader (top right) worked with a component designed to block the use of chip-based payment cards.

What’s remarkable is that these bad boys went undetected for several weeks, particularly given that customers would have been forced to swipe.

“In this COVID19 world, with counter and terminal wipedowns frequent, it was surprising that nobody noticed the overlay placements for a number of weeks,” the source said.

I realize a great many people use debit cards for everyday purchases, but I’ve never been interested in assuming the added risk and pay for everything with cash or a credit card. Armed with your PIN and debit card data, thieves can clone the card and pull money out of your account at an ATM. Having your checking account emptied of cash while your bank sorts out the situation can be a huge hassle and create secondary problems (bounced checks, for instance).

Want to learn more about overlay skimmers? Check out these other posts:

How to Spot Ingenico Self-Checkout Skimmers

Self-Checkout Skimmers Go Bluetooth

More on Bluetooth Ingenico Overlay Skimmers

Safeway Self-Checkout Skimmers Up Close

Skimmers Found at Wal-Mart: A Closer Look


80 thoughts on “Bluetooth Overlay Skimmer That Blocks Chip”

  1. Mikey Doesn't Like It

    It’s a shame your source won’t reveal which store(s) these skimmers are at. This allows them to keep on skimming unsuspecting customers.

    Many stores have installed surveillance cameras over both self-service and regular checkout lanes, to capture shoplifting and fraud by both customers and employees. I wonder whether this particular chain has checked their surveillance videos, in the hope of identifying the perps. (Maybe even an inside job by an employee!)

    1. Gary

      My guess would be San Jose for obvious reasons.

      Possibly one of the Bluetooth hacker apps could detect this setup.

    2. timeless

      This isn’t as useful as you think; there’s a fallacy that describes it, but basically you’re chasing yesterday’s victim.

      There’s probably nothing particularly special about yesterday’s victim. If one entity can be attacked this way, you can be sure others have and others will be.

      It’s more important to teach people to complain when their chip card is rejected and to instead try another terminal — when that works (and on average it will), force management to take the terminal out of service.

      Saying “I won’t bank at X because it was robbed yesterday” is pointless. If there’s a gang of bank thieves, the odds are they’re going to rob a different bank the next day. If you keep moving away from a bank after it’s been robbed, you’re probably more likely to land at another one that’s about to be robbed.

      Now, should you stop patronizing gas stations that don’t support EMV? Absolutely. But that’s different — that’s taking a collective action to penalize a business that is collectively hurting the entire ecosystem.

  2. Stephanie

    Sigh, just when you thought it was safe to go back in the water. Whenever I am faced with the prospect of my debit card not being accepted when I dip the card into the chip reader, I immediately make the clerk aware of this situation and ask if they have checked the terminal recently. Their usual response is, “Yeah, this terminal has been having issues,” like THAT is comforting. I will then use my credit card to pay for the purchase, with the thought that if any funny business is going on, I will be able to catch it quickly and dispute any fraudulent charges. QUESTION: Would it be unwise to swipe the debit card and select the “credit” option if one does not have their credit card on them at the time? The idea here is that the PIN number is not used/transmitted and cannot be used at an ATM. True, there still is a risk doing that (swipe/credit option/no PIN), but since chip cards are harder for thieves to replicate, would this option minimize some of the risk? Thoughts, anyone? BTW, I only use a credit card when I gas up my car.

    1. TimH

      To support Brian’s “I realize a great many people use debit cards for everyday purchases…” remember that although banks default to issuing debit/ATM cards, they issue ATM-only cards on request without a fuss.

      Since debit pulls straight from the bank, paying cash is only mildly more inconvenient, unlike a CC where there’s a delay before payment is required and so a useful benefit.

    2. Ryan MJ

      From a legal perspective in the USA you have FAR more protection from fraud/abuse with a CC than a debit card. In the US the FCBA (Fair Credit Billing Act) limits your liability from fraud to no more than $50 as long as you notify within 60 days of the billing statement with the error. With a debit card you are protected by the ELECTRONIC FUND TRANSFERS ACT. You have to notify within 48 HOURS OF THE TRANSACTION to keep it at 50, 60 days limits you to 500 and more than 60 days is 100% your problem. Banks love you using debit cards, it’s cheaper for them, and you are less protected. Just pay with a credit card and pay it off each week.

      CC reference:
      https://www.consumer.ftc.gov/articles/0219-disputing-credit-card-charges

      Debit card reference:
      https://www.fdic.gov/regulations/laws/rules/6000-1350.html

    1. basreflex

      Magnet wire looks like AWG33-36 double build Belden. Nylon coated, easy to heat strip.

      1. Catwhisperer

        Or with your teeth. I’m with Gweezo because few would have the soldering skills, and I tilt to bespoke because of the coding required unless something is already out there on the dark side…

    2. Gweezo

      It’s obvious that somewhere a shop is custom producing these circuit boards, soldering, wiring. Question is: are the boards bespoke or generic?

  3. SumiS

    Now that I have both a tap-to-pay credit card and wireless payments via my mobile phone, I never insert or swipe my credit card. Better for security and better for hygiene!

    1. Jim

      Not necessarily so. Make sure the phone is not using Bluetooth to communicate. If the device is Bluetooth, it may have a record function initiated that lets it record what is nearby. The tap function activates a Bluetooth transmitter in most phones.

      1. James Edwards

        The tap to pay uses the NFC which is a different form. Secondly, the information only contains a tokenized CC# that is used only for that transaction. If the thieves think that they will get it, it won’t work.

      2. James Edwards

        NFC does not use bluetooth because they are different. The range for NFC is 3cm or less whereas BT is 3m.

      3. timeless

        First, you’re spreading FUD.

        Second, everyone w/ a smart phone should be using a Bluetooth enabled COVID-19 app [1].

        Bluetooth isn’t the enemy, it’s just technology.

        Merchants need to take some responsibility for ensuring their terminals aren’t compromised. And networks need to encourage deployment of current best practices (especially forcing gas stations to adopt EMV so we can finally discontinue mag-stripe).

        [1] https://www.google.com/covid19/exposurenotifications/

    2. orson

      Not every retailer takes NFC payments.
      Lowe’s Hardware is one that comes to mind.

      Chip or magstripe only at their point of sale terminals.

  4. Robert.Walter

    (A little late, but as this is my first comment of the year, Happy New Year Brian! All the best to you, yours and KonS!)

    You say blocking Bluetooth, but I think you mean blocking NFC forcing a swipe.

    For those wondering, NFC (used by the RF chips in cards) and Bluetooth are not the same.

    Or are you using Bluetooth generically because the data these overlay devices capture is delivered to the miscreants via Bluetooth (also sometimes cellular.)

    To those looking to reduce their covid contact footprint: if you haven’t set up Apple Pay, or the analogous system of Apple’s competitors, you should do this. Not only are your transactions protected, you don’t touch dirty buttons on, or put your card into, a dirty terminal.

    1. BrianKrebs Post author

      Welcome back, Robert. I said blocking Bluetooth? I wrote that the skimmers physically blocked the chip reader from working, forcing a swipe. Didn’t mean to suggest the chip transaction was somehow Bluetooth based. The BT was used for relaying stolen data wirelessly.

      1. Robert.Walter

        Thanks Brian!

        IDK, I must have misread something skimming first time thru because the article makes sense now. Sorry.

        One thing I’m left curious about is how these bolt on skimmers interfere with the NFC signal.

        Also, in order to not be discovered, I imagine these things need to pass the payment info into the legitimate terminal. How is this done? I would imagine it’s some kind of take off of Samsung’s Loop Pay tech but I don’t recall ever reading how (or I’ve missed it somehow.)

        1. Bob J

          The skimmer doesn’t physically interfere with the keypad presses or the swipe on the base card reader. You can see in the underside view the keypad has little rubber buttons that allow button presses to go through to button presses on the bottom. The swipe opening on the skimmer physically matches the swipe opening on the base card reader. So, when you swipe, the card reader detects the swipe, AND the skimmer detects the swipe. The base card reader has no indication of anything being wonky.

  5. Henry Winokur

    It truly amazes me that they can be installed so quickly and that customers don’t notice. If “dipping” worked and then doesn’t, I can’t help but wonder why the customer wouldn’t take pause and ask why the revision to swiping, especially when swiping was supposed to have gotten rid of 3 or 4 years ago???

    1. TheFed

      Recently at a grocery store the chip reader didn’t work, and the clerk said I had to swipe. I used a credit card so I don’t worry, but I did take note of it. As I’ve grown old studying these crimes I guess that means it will never end. I wish it would end.

      1. Robert.Walter

        It can nearly be brought to an end.

        Write your government reps and ask them to put legislation in place to sunset magnetic swipe card technology.

        The US is pretty much the outlier nation forcing the old and insecure tech to be added to every card. Funny thing is new cards are doing away with embossed account numbers on the face of the card (my new AMEX had it printed on the back and I scraped it and the CVC off after putting it in my iPhone. Apple Card has absolutely no numbers on either side of it.)

        1. John

          Great idea to force the banks to move away from swipe technology. Unfortunately we are a long way away from that ever happening. The cost to convert cards from swipe tech to some other tech far exceeds the losses from skimming. For the most part, the U.S. is comprised of small local banks and regional credit unions that typically don’t sustain loss amounts that would exceed the cost to convert. The lobbying efforts just seem to be far too strong. And although I agree with you, these banks may be better suited to begin research on the next gen tech such as cryptocurrency or using blockchain technology to host transactional data.

          1. James Edwards

            Actually it is the payment processors who can force retailers to convert to the chip. They can mandate all POS to chip+PIN only.
            In EU, there is no magnetic strip as it went away because of the problems decades ago and now require Chip+PIN.
            The only reason the banks opposed it is that the customers would have trouble remembering their PINs for each of their cards, based on the fact customers have several cards on hand, and would want an easier solution to use their card.

        2. James Edwards

          Don’t you keep a copy of the CVV to prove you have the card in hand, especially for online transactions?

  6. Jane Laroussi

    Can you tell us the specific make/model of the device (e.g., Ingenico, Verifone, etc.)?

  7. Justin

    I have a door lock that allows me to type my PIN inside of any 40 key presses. That would be a good technique to, at least partially, mitigate these skimmers.

    Example is a PIN of 5678. I could press 14251425678524125428 and it would work because 5678 is contained in that sequence.

    No? Does that increase the chance of guessing the PIN?

    1. Phil

      If a device is intercepting the entire sequence, then I would hesitate on any assumption of safety by obscurity. Let’s say you should happen to use the same skimmer more than once before it’s detected & taken out of action. Somebody will have several sequences you entered in which only one set of numbers will stand out.

      I like my lock better: BTLE beacon on a keyfob, initiates a TX from a base station which sends a key sequence that must be processed correctly by the keyfob & sent back as a totally different key sequence. Meanwhile, I’m pressing random numbers on a dummy keypad, which in the case of no keyfob present, will set off the alarm system – recording fingerprints off the pad, taking video and turning on the paintball sentry out in the front yard

      1. mealy

        Simple solution : AI

        Just enter any 64 numbers at random~!

        AI will know it’s you based on your whimsy. Don’t ask how,
        just invest now!

        #Most Startups

    2. Richard

      Hello,

      Would it make it harder for the shoulder-surfer?
      No (1): there is a chance he uses a spy-cam in his glasses or anything else, and so has all your keystrokes.
      No (2): I assume Your door does anything after You entered the correct code (p.e. it unlocks), so the keypresses after the correct PIN are distinguishable from the real PIN, because the lock already made a sound.
      No (3): Do You imagine the long PIN beforehand? Otherwise You will enter some garbage numbers, then think at some point that you have to enter the real PIN (a pause to think about, and then the four numbers entered really fast because You know them – thus don’t need to think about) and after the PIN have to switch again Your brain for generating new random numbers (the second pause). Even without googling the manufacturer’s markings – or just an image search and reading the user’s manual – I think one would hear there is something odd in Your keypresses.
      That’s why I exactly know when my co-worker surfs in his online forum: there is a special rhythm and speed, every time he enters his password – very distinguishable from writing source-code.

      Would it make it harder for ”anyone”?
      No: because one does not have to enter a full pin, but only keystrokes which contains it, which enables to input a De Bruijn sequence in an automatic key-presser, which reduces the time needed for all possible PINs to a quarter.

      Also, if You had to hit ”Enter”, the lock could introduce/enforce a little waiting time, reducing the speed of tries enormously. In Your lock, the key-presser can try PINs as fast as its mechanics allow.

      So I say from a security perspective it’s not a feature but just cheap development (possibly reusing the circuit from a wireless garage door opener, in which it is a technical necessity to allow for a PIN in a sequence, because in RF there is noise).

      As a software developer on the other hand – I would definitely ask marketing to describe it as a feature because one can enter a 40-digit PIN making others believe he can remember long numbers and so they won’t try to shoulder-surf the PIN :-P.

      Sincerely,
      Richard.

    3. Mahhn

      Increases the chance of guessing it by 10+ times per guess.
      Since you picked 25 digits and only need 4 in a row.
      Have a coffee 🙂

    4. JamminJ

      Sounds like protection against only the most casual of shoulder surfers.
      It’s not going to protect your PIN against someone who has prepared, or has a good memory.

      The only thing it might help against… is this common situation:
      A resident/owner is bringing a visitor into the house. The area around the door lock is wide enough that both the resident and visitor can stand comfortably and casually near the door with both having good visibility with the lock keypad. For instance, an apartment hallway.
      The visitor may not have malicious intent… but simply “notice” a 4 digit PIN. People can “accidentally” remember a 4 digit PIN if they just happen to notice.

      The manufacturer probably thinks the threat of this “casual shoulder surfing”, is the more significant risk compared to the other more sophisticated attacks.

      This protection mechanism does nothing for other attacks like intentional shoulder surfing, recording with cameras or skimmers.

      * Many good locks have keypad/displays that randomize the position of the numbers… in order to protect against low visibility shoulder surfers (can see fingers position, but not read button labels) and latent finger smudges.

      And as mentioned, this type of PIN protection through obscurity will absolutely weaken other protection methods. Brute force protection becomes harder to implement, since the real PIN is somewhere within a larger set of numbers.
      It is not clear if there is an “Enter keypress” needed or not. This would make all the difference as Brute Force protection could still be possible.

      What you really want is VARIABLE PIN LENGTHS UP TO 8 DIGITS… AND the ability to lock out for 30 seconds after 5 wrong attempts. And maybe a secondary lockout for 3 hours if 10 wrong attempts. If you allow substring matching like this… you give a brute force attack a significant opportunity to have several attempts in a single attempt. 4 digits is so short, even 10 tries can include a LOT of possible PINs.

      Richard’s suggestion that this isn’t a security feature, but rather reusing logic from RF transmitters… doesn’t make sense for a keypad.
      It makes more sense for binary single button actions. A garage door remote fob doesn’t send distinct open and close signals… it sends a single signal. The receiver determines the direction of the motor based on its own state sensors. So a single signal from the remote fob will send a rapid number of repeating signals to overcome the noise.
      For a keypad, noise would still interfere with a long string of numbers, because the sequence matters. Noise could equally interfere with the 4 digit PIN.
      Sending 40 numbers doesn’t improve the chances the expected PIN will be received correctly. Noise mitigation would be done by sending the entire sequence multiple times. Repeating a larger set of numbers doesn’t make it more likely that the PIN would be received. The number of repetitions is the only factor that would increase the chance.

      I like Phil’s lock better too.
      Similar to the modern automobile keyfobs. They don’t use BTLE (except Tesla’s phone key)… but they do use a low power transceiver keyfob. The car is the base station that transmits a challenge when you press a button on the door handle (challenge is a random nonce encrypted with a key). The keyfob, upon receiving the challenge, responds with the decrypted nonce.

    5. Bob J

      The PIN still has to be contiguous digits of that block, and the most common financial PIN length is 4 digits so you just try blocks of four digits 1425 2451 etc. until you get the right one. I don’t think the bank locks out after one or two wrong tries. Probably none because they don’t care (i.e. they’ll let someone keep guessing forever, maybe). Might spit the card out but hey, just put it back in because that’s hard, right, when money’s on the line.
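Putting numbers on the thread above, as an added example that is not from the post or from any commenter: Richard’s De Bruijn argument and JamminJ’s and Bob J’s lockout points, evaluated against the hypothetical substring-matching lock Justin describes, with his own sample keypress run and PIN as input.

```python
# Added example, not code from the post or from any commenter: it quantifies
# how a keypad that accepts any keypress run *containing* the PIN (Justin's
# hypothetical door lock) compares with a conventional exact-match keypad.


def de_bruijn(k: int, n: int) -> str:
    """Cyclic De Bruijn sequence B(k, n) over the digits 0..k-1 (the standard
    Lyndon-word construction): every length-n digit string occurs exactly once."""
    a = [0] * (k * n)
    seq = []

    def db(t: int, p: int) -> None:
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return "".join(str(d) for d in seq)


def pins_covered(keypresses: str, pin_len: int = 4) -> set:
    """Every distinct PIN a substring-matching lock would accept from one
    uninterrupted run of keypresses (no Enter key, no lockout)."""
    return {keypresses[i:i + pin_len]
            for i in range(len(keypresses) - pin_len + 1)}


def substring_lock_accepts(keypresses: str, pin: str) -> bool:
    """Justin's lock: the run just has to contain the PIN somewhere."""
    return pin in keypresses


def exact_lock_accepts(keypresses: str, pin: str) -> bool:
    """Conventional lock: one attempt is exactly one PIN."""
    return keypresses == pin


def exhaustive_search_presses(pin_len: int = 4, digits: int = 10) -> dict:
    """Keypresses an exhaustive search needs on each lock design.
    On the exact-match lock every PIN costs pin_len presses; on the substring
    lock a linearised De Bruijn sequence covers all digits**pin_len PINs in a
    single run of digits**pin_len + pin_len - 1 presses (Richard's "a quarter")."""
    space = digits ** pin_len
    cyclic = de_bruijn(digits, pin_len)
    run = cyclic + cyclic[:pin_len - 1]  # wrap so the last windows are covered
    assert len(pins_covered(run, pin_len)) == space
    return {"exact_match": space * pin_len, "substring_match": len(run)}


def pins_tested_before_lockout(max_attempts: int = 5,
                               presses_per_attempt: int = 40,
                               pin_len: int = 4) -> dict:
    """PINs that fit inside a lock-out budget of max_attempts wrong tries
    (JamminJ's 5-attempt rule): on the substring lock each attempt carries
    presses_per_attempt - pin_len + 1 candidate PINs instead of one."""
    per_attempt = presses_per_attempt - pin_len + 1
    return {"exact_match": max_attempts,
            "substring_match": max_attempts * per_attempt}


if __name__ == "__main__":
    # Justin's own sample run and PIN from the thread above
    run, pin = "14251425678524125428", "5678"
    print(substring_lock_accepts(run, pin), exact_lock_accepts(run, pin))
    print(len(pins_covered(run)), "distinct PINs tried in that one run")
    print(exhaustive_search_presses())
    print(pins_tested_before_lockout())
```

The two dictionaries are the defender’s view: whatever lockout or rate limit the lock enforces per attempt, substring matching multiplies the PINs each attempt tests by the run length, so the limit has to be set in keypresses rather than attempts.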

  8. Pete

    Wait, why should this enable “thieves can clone the card and pull money out of your account at an ATM” – they can clone the magstripe data, but since this is a chip-enabled card, then ATMs should refuse non-chip transactions (and if the issuer bank has not chosen to do so, it’s their fault/risk/loss) so the clone should not work.

    Similarly, all the transactions through this skimmer would carry a notification that they are not “normal” swipe transactions but rather forced downgrades of a chip-capable card in a chip-capable (theoretically) terminal – if such downgrades are permitted at all, they should still raise fraud detection flags both for the issuer of cards and the acquirer of that terminal.

    1. BrianKrebs Post author

      Much depends on the bank and ATM where it is used. Not all ATMs will recognize chip cards or insist on treating them as such, and may fall back to reading the magstripe if the chip is not functioning correctly.

      1. Eric D. Burdo

        I think it also puts the onus and liability on the company that had the skimmers installed, and not the bank.

        I believe part of the push to go “dip & chip” instead of swiping, was that it shifted liability to the weakest link, and was no longer the sole responsibility of the banking institution.

      2. Jonathan Rosenne

        The ATM and the POS should indicate to the issuer whether this is a magstripe or fallback transaction, and the issuer should reject fallback transactions; they were useful only for the transition period. The terminal knows that it is an EMV capable terminal, and the magstripe indicates that this is a chip card, so this is a clear case of fallback.

        1. Gunther

          I would have an issue with the bank blocking magnetic strip fall back because there is a finicky payment terminal at the local gas station that consistently doesn’t like the chip on my card.

      3. James Edwards

        Brian,
        While you’re correct, some of the larger banks, Bank of America, Chase, and Wells Fargo, all have shifted to cardless, NFC and chip for their ATMs even though they make it redundant for other bank customers to use their ATMs. It’s just some of the smaller regional or community banks are still on the magnetic stripes.

  9. orion

    Somewhat impressed with the quality of the plastic overlay and keypad. The rest of the assembly is all hand built and certainly low volume. It’s pretty darn expensive to get molded plastic such as this. Doesn’t look 3d printed, still need the keypad.

    How are they sourcing these custom overlays? If there was enough volume to get the overlay, would have thought the rest is a bit more polished than all the hand soldering and hot glue.

    1. John

      Remember.. all these parts INDIVIDUALLY are completely legal to purchase and possess. It’s not until you assemble them into a skimming device does it become illegal.

  10. N/A

    They were placed inside BJS Wholesale Club stores. Customers have been notified via postal mail.

  11. Jonathan

    Two years ago, I had my chip based card used fraudulently in Texas while I physically had the card in Spain. I’m from Illinois, so it didn’t even make sense in that respect. I told my credit union that I was going on vacation overseas, so they *shut off all fraud checks*.

    The only way they could have done it was through magnetic stripe since I had the card, yet the store didn’t stop them from making 10 transactions of slightly less than $100.

    Eventually I got the money back, but not without trouble. Anyway, I’m not a customer of that credit union anymore.

    1. JamminJ

      Credit Unions often outsource their fraud departments for their accounts and debit cards. For credit cards, I think the bank’s/credit union’s fraud services work mostly with the payment services provider (VISA, Mastercard, etc.) for such things.

      It is tough to do seamless fraud prevention when the customer travels. Do the banks want to ask the customer for a detailed itinerary? Would you, the customer, agree to that? And you’ll need to be specific.

      Otherwise, how does the bank know if you had a layover in Texas? They don’t have exact travel dates and flight information.
      For them, they don’t want to risk turning off your card while you’re traveling (big complaint and harder to fix when abroad). They simply erred on the side of respecting your notice of travel.

  12. Dave

    Would tugging on the potential overlay before using the payment card terminal help? Or are they firmly affixed?

    1. Phil

      Life is like a box of skimmers, never know what you’ll get until you tug on one!

  13. KC

    When you say Bluetooth, I assume you likely mean they used Bluetooth Low Energy (BLE). If they transmitted the stolen data via BLE, the range is quite small, around 10-100 meters. So, did they find another device in the close vicinity that collected the BLE data from one or more skimmers, and sent it out elsewhere using something like a cellular radio? Seems a pretty complex setup.

  14. Jan

    I’m always wondering why credit card companies are not forcing the “Hey, you have just paid/withdrawn money” push notifications.
    Yeah, that would not target 100% of the customers, but if 2/3 of all customers had such a notification, they would probably be much more aware of illegal use of their credit card data.

    1. Jzob

      Because you don’t know your country.
      Jstash is a legit, well known business guy in New York.
      That’s why.

    2. Dawinski

      My technique on this is to set my bank “large withdrawal warning” to $15 and I get text and email when that happens –

  15. Tim Cx

    In the UK, many newer cards can be configured via associated apps to not use the magnetic strip (and some do not have a magnetic strip). I assume that the account information is still on the magnetic strip so if someone was duped into using it the account information could be cloned anyway however I further assume that the bank would not accept any transactions from a cloned strip but is this correct?

    I never use the magnetic strip any more and I am suspicious of anyone asking me to use it. But is this safer or not?

    If they could clone the strip info AND obtain the 3 digit CVV (e.g. via a scanner or camera while you swipe the card) then a bad actor could use a cardholder not present process to defraud me.

    What would be a sensible approach (other than not using any cards) to protect against this sort of fraud?

    1. Chris

      The UK has for years publicized information on card fraud. Just google “Fraud the Facts”. The dominating fraud is Card Not Present transactions.
      This is getting more difficult after the EU has introduced the “Strong Cardholder Authentication” directive.

    2. Beeker25

      Actually it is better to use either Apple Pay or Google Pay to scan your tokenized card for transactions. It is much safer than using the card.

    3. Clay_T

      Which is why I memorize the CVV, then scratch it off.

      Much like signatures on the back of cards, way back in yestercentury, I do not understand why CC providers think it is a good idea to supply every piece of information required to use a CC, on the CC.

      Heck, even having the CC number (embossed?!) on the card is silly.
      When was the last time anyone used, or even saw a manual CC imprinter? (Bonus marks if it was using carbon paper.)

    1. Yesbut

      Sure, online he’s dead.
      But in real life as legit businessmen of a crypto institutional investment company.
      Approved by SEC.
      This is the life we live in the world.
      Next time you see some Ferrari in lower Manhattan
      you know where it comes from.

  16. Newyork

    If you got frauded, go ask for your money in New York.
    There are all the rich fraudsters and scammers.
    Knock on the door, ask jstash.
    Manhattan skyscraper.

  17. Womp womp

    Jstash sold garbage credit card numbers that were already cancelled to criminals. No one cares that that owner of jstash stole from other criminals and made money from it.

    1. Fbrick

      Really? Well, to betray criminals, it’s a sin.
      Anyways all carding scam now
      Next thing is crypto but if they sold not real cc then they can sell btc with cheap price also.

  18. Jim

    Remember one hundred meters is the middle of the parking lot outside the store. Add a little wire to the transmitter/receiver, you could be dealing with someone who just drives by. Next, most stores are closed overnight to stock and clean. How long between active uses of the interior security system? So, when would be the best time for someone to apply the device? And make sure it works?
    Good write-up, interesting story, bad guys in America again? Nah!

  19. Jimmyx

    Question is, are there any real carding sites?
    Crdclub seems to be dead.
    What’s the next business for carders?
    Times are hard and rippers don’t make it easy.

  20. Chris

    It is, living in Scandinavia, interesting to follow this. More than 99% of all transactions here are nowadays chip and more than 70% of all transactions are contactless. It is today mandatory that the terminals support “dip” as well as contactless.
    The introduction of contactless reduced the fraud by 50%. In Europe contactless is up to a certain amount / accumulated amount without PIN. Introducing contactless removed the “shoulder surfing” + stealing the card type of fraud.

  21. vb

    I never use the magnetic strip any more. My fall-back is a second card, not the magnetic strip. If the chip reader fails to read the chip on my credit card, then I try a second credit card. If both cards have failed chip reads (this has never happened), I would probably ask to use another check-out lane or leave without a purchase.

    The skimmer must have been in a self-checkout lane. There is no way a cashier would have not noticed every card getting chip read failures.

    1. KN

      I suppose the device could be programmed to fail, say, on every tenth transaction. That would considerably lower the likelihood of being recognized as a suspicious device.

      1. vb

        I see the article says the chip reader is physically blocked. This means the chip reader won’t work 100% of the time.

  22. Steve

    I’m curious as to what happened when a chip card was inserted. Did it spit up the “CHIP MALFUNCTION” message, or simply fail to respond at all, or what?

  23. Shambolic

    Brian I wish you would write about how these skimmers are installed under the noses of employees. What is happening, is someone distracting a cashier, then using adhesives to apply the skimmer? Are tools used? Have any methods or changes defeated these attempts? Have any of these incidents been recorded on video?

  24. BB

    I’ve gotten to the point where I use Apple Pay exclusively whenever a business takes Apple Pay. If they don’t, I use cash. If they for some reason refuse cash, I will use a temporary card, though I don’t like to do that due to added cost and the plastic waste – detriment to the environment. But that’s where I’m at.

    1. JamminJ

      Privacy folks may not like the same company ecosystem that already knows so much about you… also seeing so much of your purchase history in the real world.

      Same reason why I left Gmail. They were reading emails, scraping Amazon receipt emails to get a very comprehensive purchase history. It’s one thing to make purchases in an online store owned by one of the big 3 tech companies. Yeah, they will know about what you buy. But buying stuff from somewhere else, or especially in the real world. I don’t like them tracking that.

      Using cash as a secondary. Well, depending on how often you need to buy stuff at places without Apple Pay…. cash can be even more problematic.
      If you’re worried about losing your money with phishing… you should be worried about losing your wallet or getting mugged too. There is ZERO recourse when you lose cash. The bank can’t help you. With credit cards, the chance of really losing money is very low.

      Also, carrying cash is annoying and comes with its own security risks beyond getting robbed.
      You have to now visit an ATM regularly to replenish.
      Taking cash out from your account, means there is less available funds for a debit account like Apple Pay.
      And now, you are even MORE reliant on card readers located at ATM locations.

  25. Bruce

    Great article.

    I would really like to know if NFC Smartphone payments are safer than chip and pin (given the merchant gets zero card information eg Apple Pay uses one time tokens)

    And are all NFC smartphone payments as secure as each other…I read that some just emulate and send card swipe data.

    Anybody got a link to a reliable information source? Brian…got a second to reply here mate?

    1. JamminJ

      I believe chip and pin also use one time codes, same as Apple Pay and other NFC payments.

      They may be called different things though. Dynamic CVV2 or something.

      1. Bruce

        Yes there are a few different systems it seems, and they are evolving all the time too. I understand you’re correct about chip using one time codes.

        There are lots of sites comparing chip and pin to card swipe. And comparing smartphone using nfc to card swipe. What I haven’t been able to find is nfc smartphone compared to chip and pin.

  26. Rick

    “I realize a great many people use debit cards for everyday purchases, but I’ve never been interested in assuming the added risk and pay for everything with cash or a credit card.”

    Me neither, starting from the days debit cards were first introduced. Not only do I not have one, I don’t even have a functional ATM card.
