Installing a Credit Card Skimmer on a POS Terminal

Watch how someone installs a credit card skimmer in just a couple of seconds. I don't know if the skimmer just records the data and is collected later, or if it transmits the data back to some base station.

Posted on July 17, 2018 at 6:20 AM • 28 Comments

Comments

echo • July 17, 2018 6:37 AM

Wow. It only takes a moment... Thankfully the chip and pin thingys which are common in UK stores are nothing like this. I'm fairly sure anything out of the ordinary would be spotted but then the human brain has a habit of shaking things off and carrying on so perhaps a reason not to be complacent.

Slow news day • July 17, 2018 7:38 AM

Must be a slow news day. This video was originally posted 2.5 years ago. There have even been improvements and simple aftermarket features added to POS terminals due to this video. Ever seen a raised sticker on a POS terminal? They were added because of this video. Thanks for the trip down memory lane to early 2016 Bruce.

Gavin B • July 17, 2018 7:43 AM

No mention of how they first got control of the security cam feed.
Or how the transactions sync'ed on to the video
Were they added afterwards?
If so - so easy to spoof.

echo • July 17, 2018 8:00 AM

@Daniel

I read someone saying the reason why the US didn't take chip and pin on board was convenience. Removing friction at the point of sale was something which ultimately led to Target coming unstuck.

Using chip and pin is ok. I have got over the phase I went through when prodded to put my PIN in where I instantly forgot my number. Thankfully till staff no longer pounce on customers like they used to, so they don't ask unless the customer has clearly forgotten and is standing there like a drooling idiot wondering why nothing is happening, which I do sometimes.

I don't use contactless because it has too many gotchas.

I have been using cash on and off lately. One reason is I like going old school sometimes plus it's nice to have cash around if the bank network goes down or something else critical barfs.

Joao • July 17, 2018 8:35 AM

Chip + PIN isn't all that much more secure, and the magnetic band is still there! At least in Europe... for backward compatibility of course... so now you have one more attack vector... not one less. Better yet! In most of Europe almost all cards now also use the RFID inside the banking cards... so now you don't even need to have physical access to them; you can just install some big antenna and sweep almost all of them, or a small antenna close to where people need to pass with their wallets... better yet if you can put that device on the POS or very near.

A better thing would be to provide a wallet/pocket-sized kind of mini-calculator that would store the private keys of the user's financial institutions and maybe even common commercial ones, and then allow it to digitally sign as valid the transactions appearing on the screen of the device he/she owns.
Since the display would show all necessary information, in the worst-case scenario they would be sending that money operation to someone else, but would immediately notice the problem, since the payment system of the merchant wouldn't show the operation as successful but the user's device would have the confirmation that it was correctly authorized.
It could communicate using some sort of laser and use the base station to provide energy to the device ("wireless electric energy"), which should have super-capacitors or high-quality rechargeable batteries.
To improve security the user could add some merchants as verified (normally the ones he/she goes to frequently).
The user's own device could just have a "press me" to say this operation is ok, or request fingerprint/user code/eye/blood sample... to allow the operation.

Thunderbird • July 17, 2018 10:39 AM

> Ever seen a raised sticker on a POS terminal? They were added because of this video. Thanks for the trip down memory lane to early 2016 Bruce.

I haven't seen a "raised sticker on a POS terminal" and I can't figure out what the term means. Google gives only one page of results for '"raised sticker" "POS terminal"', so perhaps you could give us a summary of what you see on that part of memory lane for those of us that aren't in the know?

albert • July 17, 2018 10:42 AM

@Joao,
The idea of adding technology to solve a technology problem only makes matters worse. The banking system holds all the 'cards', so to speak. Their approach to credit card security is much in line with their corporate philosophy: Make as much money with as little expenditure as possible.

I'll leave it as an exercise for others to comment on all of the problems with your system.

No offense intended.
..

@Peter S. Shenkin,
POS indeed!


. .. . .. --- ....

Tony • July 17, 2018 1:33 PM

Don't use a debit card. Ever.

Attackers get to remove money from your account, and then you have to fight the bank to prove it was fraud. Eventually you'll probably win, but maybe your rent/mortgage was due before you got your money back. Friends that have been victims have described the process taking 2-3 weeks.

At least with a credit card you are not missing the money while you contest the fraudulent activity.

TimH • July 17, 2018 2:20 PM

@Tony - When I opened a Wells Fargo checking a/c 3 years ago, I asked for an ATM card, not Debit/ATM and it was no problem. I then asked how many people ask for this, and the answer was 'Not many'.

Hmm • July 17, 2018 2:25 PM

"The idea of adding technology to solve a technology problem only makes matters worse"

"Technology" is not a uniform commodity.

You can solve these problems with inexpensive technology but there is an inertia against investing at scale in something that doesn't make money all by itself. You would think BANKS would find that securing their operations would benefit the bottom line, but that's only true to a point and that SWIFT has sailed. Them being insured against any loss probably plays a role.

What if you had to have two cards instead of one? What if you could call a phone number ahead of time to authenticate a purchase in the next 30 minutes, something simple like that would maybe make SOME difference. But it costs money. They aren't losing enough in the current situation to justify that.

So until the current system becomes untenable and blackhats are in every other POS, nothing will change without a top-down regulation written by industry lobbyists, because for whatever reason we've allowed that system to de facto govern us in lieu of legislative leadership on any level. Technology is neither a boogeyman nor panacea, and a competent system does not require space lasers or the Manhattan project, just a mandate.

JasonR • July 17, 2018 5:11 PM

@TimH - I used to always have an "ATM only" card that had no debit function (no Visa or MC logo). Then my credit union automatically issued and mailed me a debit card a few summers ago. I went in and told them I want these cards cancelled and my "ATM only" card back. They said that wasn't allowed any more for checking accounts, something about some new Federal regulations.

So my work-around was to open a Savings-only account to get an "ATM only" card (doesn't cost me anything, just costs the CU one more account to track). My normal Checking/Savings account has the ability to transfer money to the Savings-only account, but not the other way around. I typically keep $44 in the Savings-only account ($40 + 4 ATM fees in case I'm stuck somewhere and have no choice), and whenever I want to get money out I just transfer that much over from my normal Checking account to this Savings-only account first. Now I never worry about using my ATM as the most someone can get is that $44 - I mean, I still do a quick check for a fake front or camera, and I cover my hand when entering a PIN, but I don't mind using the ATM at any ol' sketchy 7-11 (which are always free for my CU).

James • July 17, 2018 5:28 PM

And now he can use GDPR laws to require the store to erase the video of him putting the skimmer in place, right? :)

justinacolmena • July 17, 2018 5:33 PM

@Tony

> Don't use a debit card. Ever.

Total OPSEC fail. Ain't safe to carry that much cash. People don't take checks anymore, and if they do, they think it's some real estate deal.

> Attackers get to remove money from your account, and then you have to fight the bank to prove it was fraud. Eventually you'll probably win, but maybe your rent/mortgage was due before you got your money back. Friends that have been victims have described the process taking 2-3 weeks.

Limit the amount of "available" money in your checking account. Keep most of it in a savings account AT A DIFFERENT BANK. Turn down the overdraft protection.

> At least with a credit card you are not missing the money while you contest the fraudulent activity.

Dude, Congress banned guns, and you've just been robbed at gunpoint for a cash advance that maxed out your credit limit. You're up shit creek.

Hmm • July 17, 2018 6:03 PM

"Total OPSEC fail."

I believe he or she is suggesting you use CREDIT rather than DEBIT, because the "rules" are different.
I believe they are correct on that, YMMV based on location.

"Limit the amount of "available" money in your checking account. Keep most of it in a savings account AT A DIFFERENT BANK. Turn down the overdraft protection."

Good advice.

Congress did not ban guns though, and either way guns don't really help in that situation AFAIK.

Ricky • July 17, 2018 6:33 PM

@James

No, just fine the store 25 million dollars for putting the surveillance video footage online, without disclosing to their customers that that's what would be done with it...

kelly • July 17, 2018 7:16 PM

@Tony, if you're not going to use debit, explicitly ask your bank to disable that feature of your ATM card. Last time they sent me an "upgraded" card, which they said could be used as a credit card online: just type the number + CVV (printed on the back) when asked for a credit card, and the money's instantly gone from my account! Or I could tap the card in a store, and don't have to enter a PIN for the first hundred dollars a day.

They said they don't provide "alternate" cards, but they can set the limit for any of these features to zero. Check your ATM withdrawal limit while you're at it; IME, they're quite high by default.

meike • July 18, 2018 8:47 AM

I believe he or she is suggesting you use CREDIT rather than DEBIT, because the "rules" are different.

Hmm • July 18, 2018 2:28 PM

ATM withdrawal limit is $300 by default right? Is that a standard?

What's the default limit in Europe or Asia, is it different?

Celos • July 20, 2018 5:46 AM

This is really impressive! Thanks for mentioning it.

@Hmm: I have about $2000 per day and $5000 per week in Europe. No limit besides that on individual withdrawals. I can increase these limits if I want. Other banks have other limits.

Clipper • July 20, 2018 12:19 PM

@Hmm: Usually you can set it as you like, within reasonable limits. If you have a "golden card", you are up to 20000 european dollars per month.

Clipper • July 20, 2018 12:23 PM

Re: Pin and Chip

You often see long waiting queues because people want to use their pin. They could pay with cash and be done in seconds, but they prefer to use technology and have people waiting so they can input their pin, which often they forget, and then wait for authorization, which sometimes fails.

Finally someone will come with the idea of substituting the pin with an implant and the nightmare will begin.

Clive Robinson • July 20, 2018 4:10 PM

@ Clipper,

> They could pay with cash and be done in seconds, but they prefer to use technology and have people waiting so they can input their pin

I know several people who do this and when asked the answers range from "defence against mugging" through to "automatically does the expenses".

It's the last one that got me the first time I heard it. Apparently you can get "personal accounts" programs that talk to your bank and credit card accounts and with minimal input from the user it "pretty prints" reports and expense claims... Thus entering a pin for them saves them time...

echo • July 20, 2018 8:12 PM

@Clipper

From observation chip and pin seems pretty fast and convenient compared to cash. I asked my local shop about their experience with queuing times between chip and pin versus cash and they said "no difference". They also confirmed it's less work for them with counting up and less of a bother security-wise. After a few frights with the chip and pin terminal going down due to a network fault (or tripping over the router cable before properly routing it) I think they bumped their cash reserves up a little to cope with providing change. They also have a fully serviced cash machine on the premises (so basically fire and forget and somebody else carries the security and cash handling liabilities).

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.