Security researcher Brian Krebs spotlighted the POS skimmer, which he explained was a late-model Verifone point-of-sale device retrofitted with a skimmer overlay. It’s deceptively simple: it’s “little more than a false panel which sits atop the PIN pad and above the area where customers swipe their cards.”
But that simplicity is precisely what makes it so effective, he explained. Fraudsters have only a small window to get in and attach their devices, and the more components and electronics involved, the greater the chance that something goes wrong. A single malfunction or a drained battery can derail an entire scheme. And there is always the danger that a bulkier device will be detected too quickly.
“In fact, some of the most elegant skimming attacks I’ve seen to date never even touched the cash machine, and relied on very basic components,” Krebs said.
In this case, the underside of the overlay holds a tiny battery and a flash storage card that allow the fake PIN pad to capture the keypresses and to record the data stored on the magnetic stripe of each swiped card, he explained. Because the overlay sits on top of the legitimate terminal, the transaction still goes through normally, which is why victims and staff notice nothing at the time.
“Such a device would be an enticing buy for a crooked employee at a retail store. It might even be installed surreptitiously by thieves posing as customers at a retail establishment,” he noted.
POS scams come in all shapes and sizes. Recently, Infosecurity reported that Nordstrom stores in Florida were hit with a skimmer scheme using cheap hardware keyloggers, which can be bought for as little as $40 at retail stores. The devices are inline PS/2 keyloggers about an inch long that plug in between the register's keyboard cable and the PS/2 port. They are usually purple, matching the standard color code for PS/2 keyboard ports, so they blend in with the cabling and avoid detection. A keylogger in that position records whatever the register's keyboard input sees; at registers whose card readers pass swipe data through as keystrokes, that includes the card data.
A small gang of three male suspects used a combination of distraction and brazen dismantling of the registers to photograph the inner workings, presumably to confirm the connector type and specs they needed. Hours later they returned and installed six devices. The suspects then came back at a later date to recover the devices and used the captured data to create counterfeit cards for fraud.