Wednesday, June 1, 2016

Credit Card skimmers hit Walmart

A "skimmer" is a device that fits over the card slot and pin pad for checkout card swipers or ATMs.  These are insanely well made:

I keep an eye out for these things, and I don't think I could pick up on that.  The details:
Recent local news stories about credit card skimmers found in self-checkout lanes at some Walmart locations reminds me of a criminal sales pitch I saw recently for overlay skimmers made specifically for the very same card terminals.
Much like the skimmers found at some Safeway locations earlier this year, the skimming device pictured below was designed to be installed in the blink of an eye at self-checkout lanes — as in recent incidents at Walmart stores in Fredericksburg, Va. and Fort Wright, Ky. In these attacks, the skimmers were made to piggyback on card readers sold by payment solutions company Ingenico.
The advice?  Use a card with a chip if at all possible - the skimmer just grabs the magnetic swipe data - if you use the chip, it won't get anything.
Walmart last year began asking customers with more secure chip-enabled cards to dip the chip instead of swipe the stripe. Chip-based cards are more expensive and difficult for thieves to counterfeit, and they can help mitigate the threat from most modern card-skimming methods that read the cardholder data in plain text from the card’s magnetic stripe. Those include malicious software at the point-of-sale terminal, as well as physical skimmers placed over card readers at self-checkout lanes.
Let's be careful out there.


Jake (formerly Riposte3) said...

And this is why I won't use the card readers on the parking meters here. If they can put a skimmer on a checkout in a well lit store within sight of who knows how many people without getting caught, how hard would it be to do it to a parking meter at 3am on an empty street?

matism said...

Just how far away can the card chip be read? By someone who knows what they're doing.

I suspect the chip cards are FAR less secure than the magnetic stripe. To read the stripe, you actually must have the card OUT of your wallet and attempt to use it. If the chips are RF, it never has to leave your wallet.

Jake (formerly Riposte3) said...

The chips do not, AFAIK, have any RF capability. They require physical contact. That funky divided metallic square on the front of the card is the connection point.

Even if it could be read remotely, it would be more secure, since the number it generates is a unique, single-use transaction code, not the actual card number.

More here -

Borepatch said...

Jake is correct - the chips are not RFID, and have to be physically inserted into the reader. The skimmer doesn't have a chip reader, and there's a pass-through slot so the card bypasses the skimmer and is read directly by the real reader (according to the article).

Everything that I hear is that chip cards are MUCH more secure than mag stripe ones.

Old NFO said...

I still prefer to just use cash... sigh

Richard said...

Chips are a PITA that slow the transaction down. How about we actually prosecute people using the skimmers and make retail liable for letting the devices be installed in their facilities. Anybody want to bet what percentage of skimmer users are store employees.

fillyjonk said...

I've seen security camera video showing the crooks installing the scanners. I guess wal-mart has no employee qualified to watch the video in real-time, and no one qualified to do a take-down on the crooks then and there? Or at the very least, remove the scanners immediately they are installed?

This bugs me because wal-mart is about the only grocery option for me short of an hour's round trip drive, and I prefer not to carry wads of cash. And of course, this can happen anywhere: I think I got my number stolen from a gas pump skimmer while traveling. (And neither the visa nor mastercard I happen to have has gone to chip yet).

And I agree: the chip slows stuff down a good bit, and given wal-mart's tendency to have the bare minimum of cash registers open, this will just slow things down more.