This blog has featured several stories about “overlay” card and PIN skimmers made to be placed atop Ingenico-brand card readers at store self-checkout lanes. I’m revisiting the topic again because a security technician at a U.S.-based retailer recently shared a few photos of several of these devices pulled from compromised card terminals, and the images and his story offer a fair bit more detail than in previous articles.
The device featured here is a Bluetooth-based skimmer; it is designed to steal both the card data when a customer swipes and to record the victim’s PIN using a PIN pad overlay.
The Bluetooth component of the skimmer allows the thieves to retrieve stolen data wirelessly via virtually any Bluetooth enabled device — just by being in proximity to the compromised card terminal (~30 meters).
If we look on the backside of this skimmer, we can see the electronics needed to intercept the PIN. The source who shared these pictures said an employee thought the PIN pad buttons were a little too difficult to press down, and soon discovered this plastic overlay and others just like it on two more self-checkout terminals.