
Attackers are becoming more ingenious in creating skimmers


Source: krebsonsecurity.com

Skimmers in the form of overlays on payment terminals are becoming increasingly popular. Since Ingenico terminals are common in a number of countries, including the USA, the makers of overlay skimmers pay the most attention to these devices. Although information security specialists keep drawing attention to this problem and the danger it poses, the number of skimmers is not decreasing. The other day, Brian Krebs published new photos of these devices. The photos (not of the best quality) were sent to him by representatives of several American retailers in whose outlets overlays had been installed on terminals.

One such model is a skimmer with a Bluetooth wireless module. It is designed to steal card data when the card is used in the terminal. In particular, the skimmer records the PIN and sends it via Bluetooth to a connected device, which must be located within a radius of 30 meters of the compromised terminal.

This skimmer was found by accident. An employee of the store where the device had been placed noticed that two buttons on the terminal had become difficult to press. He decided to investigate the cause and saw that the terminal's cover was an overlay installed by an unknown person. After that, the employee checked the other terminals and found two more overlays.

The overlay, reverse side. Source: krebsonsecurity.com

Carders who steal bank card data do not necessarily build such devices themselves. This is no longer a cottage industry: development has been put on a production-line footing, and many skimmer models can be bought almost openly on the Internet. The video below shows a skimmer for the Ingenico iSC250 terminal. This is almost the same model as the one in the photos sent to Krebs.


The video does not show the electronic components of the system very well, but it shows in detail the operation of the wireless communication module.

Since the device is wireless, we can expect that the attacker who installed the overlay on the terminal in the store is somewhere nearby (for example, in a car parked close by) and receives the data read by the device in real time. Indeed, the device has no memory of its own, so the option of its owner periodically visiting the reader to collect data is excluded. There is another option: the skimmer transmits data to a device hidden nearby. You can connect to the overlay via Bluetooth using the code "2016".


Source: krebsonsecurity.com

Experts who examined such skimmers claim that many components come from Samsung phones.

How to tell a compromised Ingenico terminal from a normal one


In his blog, Krebs shows how a compromised terminal can be distinguished from a device without an overlay. Presumably, the overlay developers quickly modify their design once the distinctive features of such devices become known. But for now this information is relevant.

The main difference is in the size of some elements of the terminals and the skimmers. No matter how the design is changed, there will always be some differences.


Left: the overlay. Right: the Ingenico iSC250 terminal.

For the overlay to fit over the terminal, it must be wider and longer than the body of the original device. A person who knows what a terminal looks like will quickly recognize a fake, but customers or inexperienced cashiers may not notice the substitution. The size of the plastic strip to the right of the magnetic card slot also differs.

Another difference is the brightness of the keypad backlight on the original terminal and on the overlay. The skimmer's buttons will be much dimmer because they cover the buttons of the terminal itself.


Left: a terminal keypad without a skimmer. Right: with a skimmer.

Finally, another distinctive feature is the absence of a green LED on a terminal with a skimmer. The overlay simply covers the LED, so the light does not come on during a transaction. True, some overlays have a special hole so that the LED remains perfectly visible.


Source: krebsonsecurity.com

There is one more thing. Some terminal models are equipped with a stylus. In some situations, customers use the stylus to sign electronically on the device screen. But the overlay blocks the stylus. This is probably the most visible sign that a skimmer overlay is present.

The skimmer is installed within a few seconds. A camera in one of the stores in Miami Beach recorded an overlay being installed in just three seconds. The fraudsters worked in pairs: one distracted the cashier while the second installed the device.


In addition to mobile terminals, carders install readers on ATMs (there are many variants) and even on bank doors fitted with a card reader. Such a reader lets customers open the door outside the bank's business hours to reach the ATM. The skimmer reads the data from the magnetic stripe, and a camera that records PIN entry is installed indoors, near the ATM.

Security rules


Experts recommend the following security rules when working with ATMs or terminals:

Source: https://habr.com/ru/post/401895/

