New skimmers fit right on top of chip and PIN credit card scanners

As usual, Mr. Krebs has some great images of a credit card skimmer found in the wild. This model uses Samsung phone parts and lays right over the Ingenico card scanners you’ve probably seen in stores. The interesting thing is that these scanners also support chip and PIN technology but, as evidenced by the photo, it looks like the retailer disabled it, essentially sending the scanner back into the 1970s and allowing the skimmer unfettered access.

Two things are going on here. First, chip and PIN scanners are ostensibly safer, and therefore card skimmers have to work harder to get the goods. This particular model is quite realistic and automatically dumps data to a nearby Bluetooth device. It is too thin to have onboard storage, but the retailer could not find a target device where the credit card numbers would end up. In short, you could slip this on the card machine and no one would be the wiser. There isn’t even a clear record of where the data goes.

Wrote Krebs:

According to my retail source who shared these pictures, the overlay skimmers used parts cannibalized from Samsung smart phones. The source said the devices placed themselves in a mode to transmit stolen card data and PINs as soon as they were turned off and back on again. Investigators also discovered that they could connect via Bluetooth to the skimming devices by entering the PIN “2016” on a Bluetooth-enabled wireless device.

However, the source said none of the overlay skimmers they found appeared to have any on-board data storage, suggesting the thieves had planted a second wireless device somewhere in or near the store and were hoovering up card and PIN data via Bluetooth in real time. Or, perhaps the crooks were simply sitting outside the store in the parking lot, using a laptop and high-gain antenna to pull down card and PIN data.

However, this could also mean that the skimmers are getting desperate. At this point, to grab credit cards the old-fashioned way, a few things need to happen, but primarily the skimmer can’t allow users to pay with their phones (ostensibly safer) or their chipped card (ostensibly also safer, although I’d like to see the technology in a few years). The escalation took a long time – decades, in fact – but it looks like credit card companies might have reached a stalemate with thieves.

For some reason I really like skimmers. I recall a Bruce Sterling video in which he noted that ATMs are like evolved turtles, intentionally designed in every way to avoid human tampering. These skimmers – simple pieces of plastic with a few electronics inside made by industrious if messy electronics experts – can defeat them in an instant. Life, as they say, finds a way.