Credit Card Skimmers have been a significant threat to card paying users for quite some time now. Skimming has become all the more popular lately, even though the trend is on the decline in Europe. A new type of Bluetooth-Enabled self-checkout skimmer is available, and can easily be placed on top of the existing Ingenico ISC250 card terminal.
In a video posted on Youtube, it is evident to see how this new card skimmer works. The overlay itself has hidden electronics on the back, making them nearly impossible to spot. Although the majority of the video focuses on the Bluetooth connection that is being established, the design of this new malicious tool is something to pay attention.
When the overlay skimmer is connected to a mobile device, the phone can be used to intercept PIN pad presses and card swipe data. This dual-pronged approach makes all types of payment terminals vulnerable, regardless of how they process the card transaction itself. As a result, neither swiping nor EMV technology with a PIN code seem safe from harm.
The average Bluetooth signal has a very limited range, although 100 metres is not too shabby. Anyone who deploys such an overlay skimmer would, in theory, have to be in close proximity to the device at all times in order to receive the stolen car info. That would, however, drain the battery of the skimmer itself. It seems more likely that someone would drive by during certain times (possibly peak hours) to collect payment data. It is also possible that the data is stored internally on the device, waiting to be picked up by the owner at a convenient time.
To make matters even worse, these Ingenico ISC250 card terminals are very common in the US, Canada, and a few other countries. One is likely to encounter this particular brand and model, particularly where self-checkout services are offered. This doesn’t mean, however, that consumers can’t spot the overlay skimmer at all, as it is impossible to complete such a device.
The fact that its so easy to install these skimmers and get away with it goes to show that card payments are inherently insecure–not just the cards themselves (which are easy to steal or use online by just knowing the card number, expiry date, and CVV code), but also any hardware used to make the card payment to begin with. These POS devices are prone to all kinds of interference by criminals, including hacking and malware infections.
In fact, card payment terminals might be the most insecure financial devices we are using all over the world today. The number of malware attacks against these devices has never been higher, mostly due to a lack of security upgrades by the vendor. Device owners have no convenient way to receive firmware upgrades either, which is not helping matters.
If you liked this article, follow us on Twitter @themerklenews and make sure to subscribe to our newsletter to receive the latest bitcoin, cryptocurrency, and technology news.