Overlay Bluetooth skimmer blocks reading of smart card chips

A new skimming device designed to collect bank card data and PIN codes entered at point-of-sale terminals has been discovered in a number of US retail chain stores. The skimmer transmits the stolen information to its owners via Bluetooth. Notably, one of its components blocks recognition of the chips embedded in the cards, forcing buyers to present the magnetic stripe for reading. PIN codes, as Brian Krebs found out, are intercepted using a plastic overlay on the keypad of the PoS terminal. The cybercriminals hide the module that reads data from the magnetic stripe of cards under a Bluetooth card. All components of the skimmer are powered by a small battery, also hidden in the terminal housing.

According to a representative of the affected retailer's information security service, the foreign objects in the terminals were found only a few weeks after their installation. Apparently, such a skimmer can easily be installed in any payment terminal, regardless of manufacturer. The data stolen in this way can be used by cybercriminals to clone payment cards in order to withdraw funds from victims' accounts through ATMs. Counterfeiting chip cards is more expensive and more difficult. However, almost all smart cards also have a magnetic stripe, in case the PoS terminal is unable to read information from the chip due to a malfunction or the lack of a corresponding module. Unfortunately, the massive adoption of smart cards in the United States has yet to bring regulatory restrictions on traditional magnetic stripe transactions.

Not all banks and ATMs are ready to prevent the forced rollback that the new skimmer model demonstrates. Ideally, banks and payment card issuers should record such cases as potential fraud, and the fleet of ATMs and POS terminals should be updated so that chip reads do not fail. This, in turn, will allow such equipment to be configured to block rollback to the magnetic stripe when the card has a built-in chip.
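
One way an issuer or retailer could record such rollbacks as potential fraud, as an added example that is not part of the original post: it flags terminals where chip cards are mostly being read by magnetic stripe. The record layout, terminal IDs, thresholds and sample transactions are constructed assumptions; the entry-mode values follow ISO 8583 field 22 and the service-code digits follow ISO/IEC 7813.

```python
from collections import defaultdict

# ISO/IEC 7813 service code: first digit 2 or 6 means the card carries a chip.
CHIP_SERVICE_DIGITS = {"2", "6"}
# ISO 8583 field 22 entry modes: 02/90 = magnetic stripe read,
# 80 = chip card fell back to magnetic stripe. (05 = chip read.)
MAGSTRIPE_ENTRY_MODES = {"02", "80", "90"}

def is_forced_fallback(txn):
    """True when a chip card was read by stripe at a chip-capable terminal."""
    return bool(txn["terminal_chip_capable"]
                and txn["service_code"][:1] in CHIP_SERVICE_DIGITS
                and txn["entry_mode"] in MAGSTRIPE_ENTRY_MODES)

def suspicious_terminals(txns, min_chip_cards=5, ratio_threshold=0.5):
    """Return {terminal_id: fallback ratio} for terminals worth inspecting."""
    chip_cards = defaultdict(int)
    fallbacks = defaultdict(int)
    for t in txns:
        if t["service_code"][:1] not in CHIP_SERVICE_DIGITS:
            continue  # stripe-only card: a swipe is expected, not a signal
        chip_cards[t["terminal_id"]] += 1
        if is_forced_fallback(t):
            fallbacks[t["terminal_id"]] += 1
    flagged = {}
    for tid, n in chip_cards.items():
        ratio = fallbacks[tid] / n
        # Require a minimum sample so one worn chip does not flag a terminal.
        if n >= min_chip_cards and ratio >= ratio_threshold:
            flagged[tid] = ratio
    return flagged

def _txn(tid, service_code, entry_mode, chip_capable=True):
    # Hypothetical record layout, used only for this example.
    return {"terminal_id": tid, "service_code": service_code,
            "entry_mode": entry_mode, "terminal_chip_capable": chip_capable}

# Constructed sample: POS-A reads chips normally, POS-B almost never does,
# POS-C has too few chip transactions to judge.
SAMPLE = ([_txn("POS-A", "201", "05") for _ in range(6)]
          + [_txn("POS-A", "101", "90")]
          + [_txn("POS-B", "201", "80") for _ in range(3)]
          + [_txn("POS-B", "601", "90") for _ in range(2)]
          + [_txn("POS-B", "201", "05")]
          + [_txn("POS-C", "201", "80") for _ in range(2)])

if __name__ == "__main__":
    for tid, ratio in suspicious_terminals(SAMPLE).items():
        print(f"{tid}: {ratio:.0%} of chip cards read by magnetic stripe")
```

A flagged terminal is a candidate for physical inspection; the same predicate can mark individual transactions for issuer-side fraud scoring.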