Point of Sale Skimmer Fraud

A couple of years ago thieves descended in large numbers on Chile to replace debit card readers in ATMs with their own recording devices and vacuum up card data. This type of crime is called skimming.

They also installed tiny cameras in the ATMs to record PINs as users typed them in.

That crime has fallen off there as banks have incorporated some hardening tactics. After banks hardened their machines in one area, criminals moved on to other markets where such protections were found to be weak. Such crime is still found, even in developed countries, but it is much less common than before.

Thieves also have another target: POS terminals.

Hackers Fit Skimming Device Right on Top of POS Card Reader
A POS (point-of-sale) terminal is where you swipe your debit or credit card to make a payment at the cash register. To hijack the terminal, the thief pries it open and then fits their own card reader and PIN pad into the plastic casing, overlaying what is already there.


They do that very fast, so as not to be spotted. Then they start recording PINs and debit and credit card information. They sell that data on hacker black markets.

These skimmers do not usually connect to the internet, although some ATM skimmers have done so. The thief therefore has to return to the store to manually retrieve the recorded card data.

It is hard to see the difference between a compromised and an uncompromised Ingenico device. The only difference is that the compromised device appears larger, so only someone who works with these devices, or maybe an observant store employee, would notice. The overlay also blocks the light that you would normally see when you type in a PIN.

Walmart and Others Under Attack
One target of this attack has been Walmart stores in rural Virginia and Kentucky. There the merchant was using card readers built by Ingenico.

The hackers attacked the self-service registers, presumably because it would be easier to tamper with those machines, since no cashier is standing there watching them.

Criminals have also used this approach at other stores. Shoppers at Michaels craft store started reporting unauthorized charges on their debit cards. The retailer reacted by removing all PIN pads at all of its 964 stores. Bank Info Security reports that the same thing happened at Hancock Fabrics. Thieves attacking that retailer went on the road, as customers reported heists in California, Wisconsin, and Missouri. It must be that they are looking for retailers that all use the same type of POS equipment, for which they have built or bought parts that can be fitted onto or swapped into the machine.

The bank security website said that criminals come up with different ways to distract cashiers and other store employees to buy time to install these devices. For example, one pretends to be sick while another tampers with the POS terminal.


Protecting Against this Attack with Chip-based Cards
This kind of hack would not work if the user were using a credit card with a chip. Because of the massive data breach at the retailer Target a few years ago, banks and merchants in the USA finally started to refit their payment systems and POS hardware to accommodate chip cards.

But as of February this year, only 17% of merchants have done that in the USA and only 60% of credit cards have been updated to have chips. America is far behind the rest of the developed world regarding chip card adoption.

Retailers cite lots of different business reasons for not adopting this common-sense security change. Most of them seem ridiculous or not grounded in common sense. It would appear that the cost of making this change is still more than the cost of data theft, so there is not much reason to change, or to change quickly. To try to encourage change, Mastercard and Visa shifted liability for fraud onto the merchants in 2015. Prior to that, the card issuer incurred the loss for any fraudulent charges.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
