Recent local news stories about credit card skimmers found in self-checkout lanes at some Walmart locations reminds me of a criminal sales pitch I saw recently for overlay skimmers made specifically for the very same card terminals.
Much like the skimmers found at some Safeway locations earlier this year, the skimming device pictured below was designed to be installed in the blink of an eye at self-checkout lanes — as in recent incidents at Walmart stores in Fredericksburg, Va. and Fort Wright, Ky. In these attacks, the skimmers were made to piggyback on card readers sold by payment solutions company Ingenico.
This Ingenico “overlay” skimmer has a PIN pad overlay to capture the user’s PIN, and a mechanism for recording the data stored on a card’s magnetic stripe when customers swipe their cards at self-checkout aisles. The wire pictured at the bottom is for offloading the data from the card skimmers once thieves have retrieved the devices from compromised checkout lanes.
This particular skimmer retails for between $200 to $300, but that price doesn’t include the electronics that power the device and store the stolen card data.
Here’s how this skimmer looks when it’s attached. Think you’d be able to spot it?
Walmart last year began asking customers with more secure chip-enabled cards to dip the chip instead of swipe the stripe. Chip-based cards are more expensive and difficult for thieves to counterfeit, and they can help mitigate the threat from most modern card-skimming methods that read the cardholder data in plain text from the card’s magnetic stripe. Those include malicious software at the point-of-sale terminal, as well as physical skimmers placed over card readers at self-checkout lanes.
In a recent column – The Great EMV Fake-Out: No Chip for You! – I explored why so few retailers currently allow or require chip transactions, even though many of them already have all the hardware in place to accept chip transactions.
For its part, Walmart has deployed chip-enabled readers, and last year began requiring customers with chip cards to use them as such. Indeed, it’s interesting to note that the Ingenico overlay skimmer pictured above also includes the slot at the bottom center of the device where customers can insert a chip card, although in these recent skimming incidents at Walmart the thieves were no doubt hoping more customers would simply swipe.
The Mercator Advisory Group notes that only 60 percent of all credit cards in the United States have been updated with chip cards, with debit cards lagging further behind. Even so, only 20 percent of card terminals in the U.S. have been activated for chip use as of April 2016, Mercator found.
The United States is the last of the G20 nations to move to chip-based cards — much to the delight of fraudsters and organized cybercrime gangs that have siphoned tens of millions of credit and debit cards in major data breaches at retailers these past few years. Financial industry consultant Aite Group predicts that credit card fraud stemming from hacking will reach a record level in 2016 — $4 billion. Aite Group says fraudsters are busy milking this cash cow for all it’s worth as U.S. merchants start to pivot toward chip-card transactions.
Update, 12:41 p.m. ET: Corrected location of Kentucky Walmart.
Source: Krebs