A KrebsOnSecurity story last month about credit card skimmers found in self-checkout lanes at some Walmart locations got picked up by quite a few publications. Since then I’ve heard from several readers who work at retailers that use hundreds of thousands of these Ingenico credit card terminals across their stores, and all wanted to know the same thing: How could they tell if their self-checkout lanes were compromised? This post provides a few pointers.
Happily, just days before my story, point-of-sale vendor Ingenico produced a tutorial on how to spot a skimmer on self-checkout lanes powered by Ingenico iSC250 card terminals. Unfortunately, it doesn’t appear that this report was widely disseminated, because I’m still getting questions from readers at retailers that use these devices.
The red calipers in the image above show the size differences in various noticeable areas of the case overlay on the left compared to the actual iSC250 on the right. Source: Ingenico.
“In order for the overlay to fit atop the POS [point-of-sale] terminal, it must be longer and wider than the target device,” reads a May 16, 2016 security bulletin obtained by KrebsOnSecurity. “For this reason, the case overlay will appear noticeably larger than the actual POS terminal. This is the primary identifying characteristic of the skimming device. A skimmer overlay of the iSC250 is over 6 inches wide and 7 inches tall while the iSC250 itself is 5 9/16 inch wide and 6 1⁄2 inches tall.”
In addition, the skimming device that thieves can attach in the blink of an eye on top of the Ingenico self-checkout card reader blocks the backlight from coming through the fake PIN pad overlay.
The backlight can be best seen while shading the keypad from room lights. The image on the left is a powered-on legitimate iSC250 viewed with the keypad shaded. The backlight can be seen in comparison to a powered-off iSC250 in the right image. Source: Ingenico.
What’s more, the skimming overlay devices currently block the green LED light that is illuminated during contactless card reads like Apple Pay.
The green LED light that is lit up during contactless payments is obscured by the overlay skimmer. Source: Ingenico.
The overlay skimming devices pictured here include their own tiny magnetic read heads to snarf card data from the magnetic stripe when customers swipe their cards. Consequently, those tiny readers often interfere with the legitimate magnetic card reader on the underlying device, meaning compromised self-checkout lines may move a bit slower than others.
“The overlay design appears to occasionally interfere with the magnetic stripe reads, leading to greater numbers of read failures,” Ingenico wrote.
Finally, all checkout terminals include a tethered stylus that customers use to sign their names after swiping their cards. According to Ingenico, the skimmers made to fit the iSC250 appear to prevent the ordinary placement of the stylus due to the obtrusive overhang of the skimmer overlay.
The overlay skimmer on the left blocks the stylus tray. The picture on the right is a device that’s not been attacked.
It’s probably true that posting information like this online gives skimmer scammers an opportunity to improve their product and to make the telltale giveaways less noticeable. However, this only goes so far without significantly driving up the cost of these overlay skimmers. Each iSC250 skimmer already retails for a few hundred bucks apiece — and that’s without the electronics needed to gather and store card data. The up-front cost of these fraud devices is important because the fraudsters have no guarantee they will be able to recover their skimmers before the devices are discovered.
On the other hand, as I mentioned earlier, there are countless nationwide retailers that have hundreds of thousands of these Ingenico devices installed in self-checkout lanes, and that in turn means millions of employees and customers who are the first lines of defense against skimmers. The more people know about what to look for in these fraud devices, the more likely the fraudsters will lose their up-front investments — and maybe even get busted trying to retrieve them.