KrebsonSecurity revealed in a blog post last month that PIN skimmers were being made to overlay on Ingenico brand card readers at the checkout lanes of retailers.
According the post, a security technician at a U.S.-based retailer shared photos of the PIN skimmer in action, with one photo depicting a Bluetooth-based skimmer that is designed to steal the card data and the victim’s PIN number via a PIN pad overlay. Because the device uses Bluetooth, the bad guys can retrieve the stolen data wirelessly from any Bluetooth-enabled device simply by being close to the compromised card terminal.
“According to my retail source who shared these pictures, the overlay skimmers used parts cannibalized from Samsung smart phones. The source said the devices placed themselves in a mode to transmit stolen card data and PINs as soon as they were turned off and back on again. Investigators also discovered that they could connect via Bluetooth to the skimming devices by entering the PIN ‘2016’ on a Bluetooth-enabled wireless device,” KrebsonSecurity wrote in the post.
The report noted that none of the overlay skimmers found had any data storage capabilities, which implies the scammers planted another wireless device near the compromised payment terminal. In another scenario, the bad guys could be sitting in the parking lot of the store and using a laptop and high-gain antenna to get the PIN and banking information.
The recent blog post wasn’t the first time KrebsonSecurity reported on the PIN skimmer overlays that can be placed on top of Ingenico card readers. The blog has featured several stories about it but chose to do one more after being provided with photo evidence.