Nordstrom Finds Cash Register Skimmers (opens in new tab)

(krebsonsecurity.com)

101 pointsartas_bartas12y ago80 comments

80 comments

There is very little true security in retail establishments.

This lady simply swapped bar codes on expensive items for bar codes of inexpensive items. Got away with it for over a year and made as much as $30,000 per month in some months:

http://miami.cbslocal.com/latest-videos/?autoStart=true&topV...

gojomo12y ago

An SAP Vice President was doing the same thing to steal Legos for resale:

http://www.paloaltoonline.com/news/2012/05/21/sap-palo-alto-...

triton12y ago

I'll admit to doing similar at the self checkouts at my local supermarket. Quite happily put pink lady apples through as cheap ones.

I started doing this after I watched a whole tray of pink lady apples go in a skip because they brought new produce out.

The same is true of a lt of retail establishments. Old stock is destroyed to keep prices up.

nabeards12y ago

I'll admit to being amazed that people like you exist. No sense of integrity or honor? Just selfish I guess?

1 more reply

_pmf_12y ago

In some countries, this is fraud as opposed to theft, leading to significantly higher penalties.

1 more reply

Theodores12y ago

I am amazed at how many people do this (or put fruit through as 'onion' on self checkout). It isn't just completely stupid people that do it either, people with jobs to lose, a criminal record that doesn't need to be added to, posh people with a sense of entitlement - all kinds.

On learning of such a trait in someone I ask 'what if you get caught?', but actually it is not them getting caught that matters. Think of the people that work in that shop and the position they get put in having to deal with petty cheats. Also, would you really want to be banned from the store you get your groceries from? That would be a big inconvenience.

1 more reply

ChuckMcM12y ago

This is another interesting case because it points out how vulnerable this part of the financial transaction chain is. Of course even after they catch the guys who were installing the skimmers they don't get the 'top' guys who make the fake cards and then withdraw funds in Serbia.

I did see a talk where the folks noted (but did not remove) such devices and then began tracking every account that went through the modified device. This was to figure out who the bad guys were. By watching the fraudulent transactions that happened later they were able to roll up a carding group in the Baltics. But it does take a more proactive approach.

From a future products prospective the use of cards with embedded processors seems better and better.

dguido12y ago

Compelling argument to switch to iPad cash registers? har har

Btw, if anyone wants to buy one, you can here: http://www.keelog.com/wifi_hardware_keylogger.html

fit2rule12y ago

There are already scanhacks for iPad cash registers. Mostly consisting of a touchscreen overlay wired to look like its part of the protective case. So, forget that iSense of iSecurity, its not there ..

joenathan12y ago

These are keyloggers and not skimmers, a skimmer looks something like this http://scams.wikispaces.com/file/view/camera02.jpg/30681221/...

eps12y ago

Look up the guy whose blog this is. Also, it might help to read the article in full before blurting out trivialities.

joenathan12y ago

I did read the article in full, also what does it matter who wrote it?

A skimmer and a keylogger are two very distinct things. When I read the title I was interested to find out how the skimmers were placed, placing a keylogger takes much less skill and craft, it's a piece you can buy in bulk, whereas placing a skimmer usually requires a different class of criminal, skimmers often have to be fabricated for each location.

1 more reply

anglebracket12y ago

Credit card readers may use PS/2 connectors[1]. There are POS keyboards with integrated card readers that use PS/2 connectors, as well [2].

[1] http://support.quickbooks.intuit.com/opencms/sites/default/I...

[2] http://www.ebay.com/itm/CHERRY-MY8000-BEIGE-PS-2-KEYBOARD-CR...

cardamomo12y ago

It occurred to me once upon a time that I could use just such a keylogger to capture my classmates' student ID card swipes when they went to release print jobs at any of the print stations on my university campus. I recognized this as a security flaw that (probably) didn't have many lucrative uses, but I never imagined such a technique might work for credit cards. I wrongly assumed that credit card readers would employ greater physical security.

artas_bartasOP12y ago

hardware security aside, if credit card readers employ proper encryption, that in itself would probably be an effective deterrent against such leaks, but only IF such encryption is implemented.

zhamilton8912y ago

I think a large factor in the lack of change in payment security (In the US anyway, I can't speak for anywhere else) is the rise of the "protected" card. I have no incentive to protect anything about my Amex.

Card got skimmed a few years ago somehow, Amex called, asked if I was in Nicaragua (I wasn't) they apologized, removed the $200 or so in charges and next-day aired me a new card. Almost zero hassle.

I'd hate to have my debit card skimmed but as far as a credit card... I'm not too worried. The risk isn't mine.

rwmj12y ago

Erm, how is the end user supposed to protect against keyloggers installed in reputable stores?

It's much better for the banks to carry the can here, so they implement more secure devices.

tazzy53112y ago

Visa/MasterCard is pushing for EMV/Chip & Pin technology. Previously, the liability of fraud is on the payment network. Visa/MasterCard have announced a liability shift from the payment network to the merchant for fraud if the merchant doesn't adopt chip & pin.

The rollout date is supposed to be Oct 2013.

As an end user, you are not able to protect from this type of fraud. That's why the liability doesn't reside with you.

ohazi12y ago

chip and fucking pin. sigh This problem is solved, yet practically nobody in the US is demanding the established solution. Until we do, this is only going to continue.

linkregister12y ago

In the UK and EU, chip and pin carry with it some nasty liability problems. That is, the consumer is now de facto liable for all fraud that happens, in spite of the statute.[1] A significant amount of skimming still occurs in the EU.[2] The protocol, just like the traditional charge card method, used is considered insecure.[3]

The U.S. method, where the low-security retailer is liable, is the most fair. The current charge back system works. Retailers that use inventory control, secure systems, and require ID with large purchases receive few legitimate charge backs. [4]

[1] http://www.cl.cam.ac.uk/~rja14/Papers/unattack.pdf

[2] http://www.telegraph.co.uk/news/uknews/law-and-order/3173346...

[3] http://www.techrepublic.com/blog/it-security/chip-and-pin-th...

[4] http://www.internetretailer.com/2012/10/31/how-karmaloop-cle...

raverbashing12y ago

The n.1 you quoted there is very interesting and explains a little bit about all the types of transactions possible.

Very interesting subject.

yajoe12y ago

I work in the industry. Chip and pin is not statistically safer (fraud rates in Spain, UK, and US are all the same despite having very different payment landscapes). The fundamental problem is that in traditional chip-and-pin setups you also type the pin into the same machine... so adding a skimmer + video camera OR adding a skimmer that records pin is marginally possible and not that hard.

The real security would come with a second factor that the user controls, either by approving on your phone or by using one-time-numbers for each transaction. The reason why these do not exist yet is because they would impede transaction flow, and the basic math with these companies is if fraud rate > rate loss of transaction volume from security feature then use security feature. Otherwise, don't.

raverbashing12y ago

"fraud rates in Spain, UK," for what? Credit cards? Debit? There's always going to be fraud one way or another.

"you also type the pin into the same machine... so adding a skimmer..."

There's no copying of SIM Cards.

Yes, you can still copy the magnetic stripe that's there for backwards compatibility. So, yes, it's not going to be safer while there's support for old technology.

My (European) bank issued me a chip-and-pin card without the mag stripe, good for travels, where I won't risk getting my card skimmed again.

3 more replies

eps12y ago

You don't seem to know what a chip card is.

It is the second factor in a two-factor authentication scheme.

1 more reply

cynwoody12y ago

>and the basic math with these companies is if fraud rate > rate loss of transaction volume from security feature then use security feature. Otherwise, don't.

I seem to recall reading a while back that the overall credit card fraud rate is at the level of single-digit basis points. Is that really true? (I can't seem to find a good link.)

tyoma12y ago

The US is getting chip cards in 2015 [0], although it looks to be chip and signature.

As another poster pointed out, chip and pin is not foolproof and may present a nasty liability shift to consumers when it comes to fraud.

There are also more practical issues with chip cards. First, merchants will be requires to buy new chip capable card readers. They will not be happy about it, but they'll be forced into it by their merchant agreements. Second, chip transactions take noticeably longer to process. From my casual observation a swipe takes 1-3 seconds, but chip readers took at least twice as long. Sounds silly, but it can really add up if there is a long line.

[0] http://www.transactionworld.net/articles/2011/november/innov...

aianus12y ago

The idea is to use chip and pin for high value (>$50) purchases and PayPass/PayWave for amounts under that. That way you can pay for small purchases faster than cash while making large purchases more secure.

Unfortunately, at least in Canada, it seems like merchants were only obligated to buy the chip terminal so a lot of smaller businesses didn't bother with the wireless payments and force you to type in your pin for a $7 pita.

derekp712y ago

I usually swipe my card while items are still being scanned. Most card readers allow this. Would this not be possible with a chip card reader? i.e., does it use a private key on the card to sign the whole transaction (including final dollar amount)?

2 more replies

ufmace12y ago

Sounds like it depends more on how sophisticated the readers are. The current ones are apparently pretty dumb, and just pretend to be a PS2 keyboard and send the info as keypresses, since the guys in the article just used a off-the-shelf keylogger to steal the data. You could easily make a chip and pin pad that did the same thing and was just as easy to compromise.

For real security, you'd need to do something like have the reader internally encrypt the data with the card processor's public key and only send an encrypted blob out of the device. If you're doing that, then anything's secure against this kind of attack. But the readers would have to cost like 10x more, and it probably isn't enough of a problem to bother replacing them all.

raverbashing12y ago

This

It's ridiculous how such an important infrastructure is so vulnerable. Magnetic stripes are easily copiable and without any other "authentication method" it's a done deal.

bsullivan0112y ago

because the damage so far has been very manageable, or a tiny cost of doing business. I am sure they have plans to replace them when /if...

callmeed12y ago

My debit card got skimmed at a gas station this past week. It was used that same day to make purchases in LA (about 3 hours south of me).

Now that this is happening in other types of retail stores, maybe it will spur the use of more secure options (chip and pin?).

Sami_Lehtinen12y ago

Nobody is using MSR anymore, Chip & PIN + PCI stuff has been the norm for several payment terminal and card generations already. So like 10+ years.

dangrossman12y ago

> Nobody is using MSR anymore

The entire US still is, and that represents more transactions per day than happen in all of Europe.

1 more reply

chrissnell12y ago

What? Where is this? I don't think that you're talking about the gas station card readers in the US.

1 more reply

eksith12y ago

I once worked for a retailer which was connected via Megapath (they outsourced to whatever local ISP is available at the store location). The internet setup was so abysmal in security, in some cases the stores used wifi to connect to the front registers with the password being (not kidding) [storename:storenumber]. That's it.

These fools are getting caught doing elaborate plants. That's not how real criminals key log (btw, this is not a skimmer, but is a 'keylogger' as joenathan points out). Real criminals sit in the comfort of their car or nearby coffee shop and scan for open connections and insecure use of credentials.

dietrichepp12y ago

And the question is... why not just use secure card swipe devices? You load an encryption key onto the hardware, and then key loggers don't work any more. Sure, it won't solve all your problems, but nothing does.

Sami_Lehtinen12y ago

Doesn't help, like I mentioned above. There's no such thing as 'secure device'. Someone is always able to tamper with those.

dietrichepp12y ago

There's a difference between "doesn't help" and "not a perfect solution". Secure readers eliminate the ability for non-savvy criminals to drop a keystroke logger in the terminal.

Theodores12y ago

The Cherry PS/2 keyboard with built in card reader is designed for retail and used in places where there is no C+P:

http://www.cherrycorp.com/english/keyboards/pos/8000/

This explains the 'attack vector'. Presumably the scammers have USB dongles too.

PeterisP12y ago

I may be mistaken, but I thought that the PCI/DSS forbids using such devices (unencrypted transmission from the keypad), and if a merchant uses them then they're automatically liable in full for all such fraud; i.e., banks just refund all cardholders for their losses and bill that+card replacements to that merchant.

You save some $$ in hardware but take on risk.

dangrossman12y ago

There's no such rule. Virtually every internet gateway and mobile payment app lets you key in card numbers to make a charge. There is no encryption in your computer's keyboard. The first versions of the headphone jack swipers for phones (i.e. Square) didn't have any kind of encryption either.

peterwwillis12y ago

The main reason I find this interesting is the hacker scene in South Florida is so small. I bet if they caught one of these guys, they could track it down to the mastermind faster than somewhere like NY or SF.

Sami_Lehtinen12y ago

From technical standpoint very lame attack. There's no hacking involved at all. There has been technically much more sophisticated attacks modifying terminal hardware & firmware , off loading data completely out of band using 3g networks, etc. That's something that could be called hacking and proper (malhardware) engineering.

j / k navigate · click thread line to collapse

80 comments

300bps12y ago

There is very little true security in retail establishments.

This lady simply swapped bar codes on expensive items for bar codes of inexpensive items. Got away with it for over a year and made as much as $30,000 per month in some months:

http://miami.cbslocal.com/latest-videos/?autoStart=true&topV...

gojomo12y ago

An SAP Vice President was doing the same thing to steal Legos for resale:

http://www.paloaltoonline.com/news/2012/05/21/sap-palo-alto-...

triton12y ago

I'll admit to doing similar at the self checkouts at my local supermarket. Quite happily put pink lady apples through as cheap ones.

I started doing this after I watched a whole tray of pink lady apples go in a skip because they brought new produce out.

The same is true of a lt of retail establishments. Old stock is destroyed to keep prices up.

nabeards12y ago

I'll admit to being amazed that people like you exist. No sense of integrity or honor? Just selfish I guess?

1 more reply

_pmf_12y ago

In some countries, this is fraud as opposed to theft, leading to significantly higher penalties.

1 more reply

Theodores12y ago

1 more reply

ChuckMcM12y ago

From a future products prospective the use of cards with embedded processors seems better and better.

dguido12y ago

Compelling argument to switch to iPad cash registers? har har

Btw, if anyone wants to buy one, you can here: http://www.keelog.com/wifi_hardware_keylogger.html

fit2rule12y ago

joenathan12y ago

These are keyloggers and not skimmers, a skimmer looks something like this http://scams.wikispaces.com/file/view/camera02.jpg/30681221/...

eps12y ago

Look up the guy whose blog this is. Also, it might help to read the article in full before blurting out trivialities.

joenathan12y ago

I did read the article in full, also what does it matter who wrote it?

1 more reply

anglebracket12y ago

Credit card readers may use PS/2 connectors[1]. There are POS keyboards with integrated card readers that use PS/2 connectors, as well [2].

[1] http://support.quickbooks.intuit.com/opencms/sites/default/I...

[2] http://www.ebay.com/itm/CHERRY-MY8000-BEIGE-PS-2-KEYBOARD-CR...

cardamomo12y ago

artas_bartasOP12y ago

hardware security aside, if credit card readers employ proper encryption, that in itself would probably be an effective deterrent against such leaks, but only IF such encryption is implemented.

zhamilton8912y ago

Card got skimmed a few years ago somehow, Amex called, asked if I was in Nicaragua (I wasn't) they apologized, removed the $200 or so in charges and next-day aired me a new card. Almost zero hassle.

I'd hate to have my debit card skimmed but as far as a credit card... I'm not too worried. The risk isn't mine.

rwmj12y ago

Erm, how is the end user supposed to protect against keyloggers installed in reputable stores?

It's much better for the banks to carry the can here, so they implement more secure devices.

tazzy53112y ago

The rollout date is supposed to be Oct 2013.

As an end user, you are not able to protect from this type of fraud. That's why the liability doesn't reside with you.

ohazi12y ago

chip and fucking pin. sigh This problem is solved, yet practically nobody in the US is demanding the established solution. Until we do, this is only going to continue.

linkregister12y ago

[1] http://www.cl.cam.ac.uk/~rja14/Papers/unattack.pdf

[2] http://www.telegraph.co.uk/news/uknews/law-and-order/3173346...

[3] http://www.techrepublic.com/blog/it-security/chip-and-pin-th...

[4] http://www.internetretailer.com/2012/10/31/how-karmaloop-cle...

raverbashing12y ago

The n.1 you quoted there is very interesting and explains a little bit about all the types of transactions possible.

Very interesting subject.

yajoe12y ago

raverbashing12y ago

"fraud rates in Spain, UK," for what? Credit cards? Debit? There's always going to be fraud one way or another.

"you also type the pin into the same machine... so adding a skimmer..."

There's no copying of SIM Cards.

Yes, you can still copy the magnetic stripe that's there for backwards compatibility. So, yes, it's not going to be safer while there's support for old technology.

My (European) bank issued me a chip-and-pin card without the mag stripe, good for travels, where I won't risk getting my card skimmed again.

3 more replies

eps12y ago

You don't seem to know what a chip card is.

It is the second factor in a two-factor authentication scheme.

1 more reply

cynwoody12y ago

>and the basic math with these companies is if fraud rate > rate loss of transaction volume from security feature then use security feature. Otherwise, don't.

I seem to recall reading a while back that the overall credit card fraud rate is at the level of single-digit basis points. Is that really true? (I can't seem to find a good link.)

tyoma12y ago

The US is getting chip cards in 2015 [0], although it looks to be chip and signature.

As another poster pointed out, chip and pin is not foolproof and may present a nasty liability shift to consumers when it comes to fraud.

[0] http://www.transactionworld.net/articles/2011/november/innov...

aianus12y ago

derekp712y ago

2 more replies

ufmace12y ago

raverbashing12y ago

This

It's ridiculous how such an important infrastructure is so vulnerable. Magnetic stripes are easily copiable and without any other "authentication method" it's a done deal.

bsullivan0112y ago

because the damage so far has been very manageable, or a tiny cost of doing business. I am sure they have plans to replace them when /if...

callmeed12y ago

My debit card got skimmed at a gas station this past week. It was used that same day to make purchases in LA (about 3 hours south of me).

Now that this is happening in other types of retail stores, maybe it will spur the use of more secure options (chip and pin?).

Sami_Lehtinen12y ago

Nobody is using MSR anymore, Chip & PIN + PCI stuff has been the norm for several payment terminal and card generations already. So like 10+ years.

dangrossman12y ago

> Nobody is using MSR anymore

The entire US still is, and that represents more transactions per day than happen in all of Europe.

1 more reply

chrissnell12y ago

What? Where is this? I don't think that you're talking about the gas station card readers in the US.

1 more reply

eksith12y ago

dietrichepp12y ago

Sami_Lehtinen12y ago

Doesn't help, like I mentioned above. There's no such thing as 'secure device'. Someone is always able to tamper with those.

dietrichepp12y ago

There's a difference between "doesn't help" and "not a perfect solution". Secure readers eliminate the ability for non-savvy criminals to drop a keystroke logger in the terminal.

Theodores12y ago

The Cherry PS/2 keyboard with built in card reader is designed for retail and used in places where there is no C+P:

http://www.cherrycorp.com/english/keyboards/pos/8000/

This explains the 'attack vector'. Presumably the scammers have USB dongles too.

PeterisP12y ago

You save some $$ in hardware but take on risk.

dangrossman12y ago

peterwwillis12y ago

Sami_Lehtinen12y ago

j / k navigate · click thread line to collapse