Have you ever wondered how a retailer can leave a Bluetooth skimmer on a payment card terminal in its stores for weeks at a time? It’s harder to detect the devices than you might think, because crooks have their own places to shop for spare parts that snap right on a payment terminal and are hard to spot if you aren’t looking for them.
A security technician at an unnamed U.S. retailer sent photos of the outside and inside of the device to Krebs on Security for educational purposes after three of the devices were found in a store.
The skimmer uses Bluetooth to zap customers’ payment data in real time to either a second device hidden nearby or even someone sitting in a car in the store’s parking lot with a phone, computer, or tablet.
The way that store employees found the skimmer was pretty low-tech: They noticed that the buttons on the PIN pad were more difficult to press than usual. When they discovered the reason why, a sweep of the rest of the registers turned up two more.
There’s one detail that the crooks missed and customers passing by did, too: The plus and minus signs are swapped on the PIN pad overlay. To be clear, the skimmer is the device on the right.
The name of the retailer is censored, but you’ve probably seen these Ingenico terminals in use in dozens of stores. Worse, the retailer didn’t have EMV cards enabled at the time of the skimming incident.
We’d say that they show you what to look for, but as you can see there isn’t much that stands out as a way to tell the real terminal and the overlay apart.
If a device doesn’t quite feel right, as people at this store noticed, let someone know. It could be a defective unit, or someone may have snapped a device over it to scoop up your payment data.