
Nordstrom Finds Cash Register Skimmers - artas_bartas
http://krebsonsecurity.com/2013/10/nordstrom-finds-cash-register-skimmers/
======
300bps
There is very little true security in retail establishments.

This lady simply swapped bar codes on expensive items for bar codes of
inexpensive items. Got away with it for over a year and made as much as
$30,000 per month in some months:

[http://miami.cbslocal.com/latest-videos/?autoStart=true&topV...](http://miami.cbslocal.com/latest-videos/?autoStart=true&topVideoCatNo=default&clipId=7535659)

~~~
triton
I'll admit to doing similar at the self checkouts at my local supermarket.
Quite happily put pink lady apples through as cheap ones.

I started doing this after I watched a whole tray of pink lady apples go in a
skip because they brought new produce out.

The same is true of a lot of retail establishments. Old stock is destroyed to
keep prices up.

~~~
nabeards
I'll admit to being amazed that people like you exist. No sense of integrity
or honor? Just selfish I guess?

~~~
triton
Hardly. Here's my perspective which will hopefully make you understand.

I live in a poverty stricken area. The supermarkets shove the following
distribution of fruit out (I know this because my wife works in one as well):

- 20 bags of 5x apples for £1.89 each. 20% go in the bin.

- 100 pink lady apples at £0.75 each. 80% go in the bin.

- 20 cheap apples (one tray) at around £0.12 each. 0% go in the bin.

Now, why should I take the last single cheap apple which instantly prices out
the poorer people which is clearly the intention of the supermarket which is
to upsell to the pink ladies or bags of apples?

Fuck 'em to hell. There is no honour or integrity in capitalism. Trample over
everyone to make profit.

I'm not selfish.

I'm not lacking integrity.

I'm not lacking honour.

Perhaps lacking in faith and respect for rules but that is my only crime.

~~~
DougN7
Stealing is stealing despite your best attempt to rationalize it. If you don't
like their offerings, don't shop there. THAT would be integrity.

~~~
nabeards
Agreed. Shop/move elsewhere, especially if you are not a fan of capitalism. I,
too, am not a fan of capitalism so it is my plan to remove myself from its
constraints. But I don't steal and then try to justify the action because I'm
against what they stand for.

------
ChuckMcM
This is another interesting case because it points out how vulnerable this
part of the financial transaction chain is. Of course even after they catch
the guys who were installing the skimmers they don't get the 'top' guys who
make the fake cards and then withdraw funds in Serbia.

I did see a talk where the folks noted (but did not remove) such devices and
then began tracking every account that went through the modified device. This
was to figure out who the bad guys were. By watching the fraudulent
transactions that happened later they were able to roll up a carding group in
the Baltics. But it does take a more proactive approach.

From a future products perspective the use of cards with embedded processors
seems better and better.

------
dguido
Compelling argument to switch to iPad cash registers? har har

Btw, if anyone wants to buy one, you can here:
[http://www.keelog.com/wifi_hardware_keylogger.html](http://www.keelog.com/wifi_hardware_keylogger.html)

~~~
fit2rule
There are already scanhacks for iPad cash registers. Mostly consisting of a
touchscreen overlay wired to look like it's part of the protective case. So,
forget that iSense of iSecurity, it's not there ..

------
joenathan
These are keyloggers and not skimmers, a skimmer looks something like this
[http://scams.wikispaces.com/file/view/camera02.jpg/30681221/...](http://scams.wikispaces.com/file/view/camera02.jpg/30681221/camera02.jpg)

~~~
eps
Look up the guy whose blog this is. Also, it might help to read the article in
full before blurting out trivialities.

~~~
joenathan
I did read the article in full, also what does it matter who wrote it?

A skimmer and a keylogger are two very distinct things. When I read the title
I was interested to find out how the skimmers were placed, placing a keylogger
takes much less skill and craft, it's a piece you can buy in bulk, whereas
placing a skimmer usually requires a different class of criminal, skimmers
often have to be fabricated for each location.

~~~
cynwoody
It's a matter of semantics. What does "to skim" mean?

I read the article to mean that the bad guys were using key loggers to skim
mag stripe images out of the keyboard data stream (from mag stripe readers
attached via "wedges"). That's one level of threat.

Your link, however, calls to mind a higher level threat that happened in Rhode
Island a while back. Bank customers were disavowing ATM withdrawals. Bank
security noticed that the complaining customers had all used their debit cards
at the same all-night Stop & Shop. A review of the store's security video
showed a gang of four guys coming in during third shift and installing hacked
PIN pads at the registers while keeping the thin staff distracted. They were
busted when they returned to harvest their next haul of debit card details.

How they compromised the PIN pads I do not know. PIN pads are supposed to be
sealed and tamper-proof. Your PIN is supposed to be encrypted before it leaves
the keypad and decrypted only when it reaches the payment processor. The
encryption key is supposed to be erased if someone tampers with the device. In
order for the hack to work, they would need to be recording the mag stripe
data along with cleartext PINs.

I see it happened to Barnes & Noble more recently and on a larger scale:

[http://www.esecurityplanet.com/hackers/hackers-compromise-ba...](http://www.esecurityplanet.com/hackers/hackers-compromise-barnes-and-noble-pin-pads.html)

~~~
joenathan
To skim means to remove "something" from the top (usually referring to
liquids). Which makes sense to use to refer to a device that sits atop a card
reader.

[https://www.google.com/search?q=card+skimmer&safe=off&source...](https://www.google.com/search?q=card+skimmer&safe=off&source=lnms&tbm=isch)

One thing to remember is that keyloggers have been around much longer than
card skimmers, keylogger is a well known and well defined term.

[http://en.wikipedia.org/wiki/Hardware_keylogger](http://en.wikipedia.org/wiki/Hardware_keylogger)

[https://www.google.com/search?q=hardware+keylogger&safe=off&...](https://www.google.com/search?q=hardware+keylogger&safe=off&source=lnms&tbm=isch)

It's all very interesting to watch as criminals become more sophisticated.

------
cardamomo
It occurred to me once upon a time that I could use just such a keylogger to
capture my classmates' student ID card swipes when they went to release print
jobs at any of the print stations on my university campus. I recognized this
as a security flaw that (probably) didn't have many lucrative uses, but I
never imagined such a technique might work for credit cards. I wrongly assumed
that credit card readers would employ greater physical security.

~~~
artas_bartas
Hardware security aside, if credit card readers employ proper encryption, that
in itself would probably be an effective deterrent against such leaks, but
only IF such encryption is implemented.

------
zhamilton89
I think a large factor in the lack of change in payment security (In the US
anyway, I can't speak for anywhere else) is the rise of the "protected" card.
I have no incentive to protect anything about my Amex.

Card got skimmed a few years ago somehow, Amex called, asked if I was in
Nicaragua (I wasn't) they apologized, removed the $200 or so in charges and
next-day aired me a new card. Almost zero hassle.

I'd hate to have my debit card skimmed but as far as a credit card... I'm not
too worried. The risk isn't mine.

~~~
rwmj
Erm, how is the end user supposed to protect against keyloggers installed in
reputable stores?

It's much better for the banks to carry the can here, so they implement more
secure devices.

~~~
tazzy531
Visa/MasterCard is pushing for EMV/Chip & Pin technology. Previously, the
liability of fraud is on the payment network. Visa/MasterCard have announced a
liability shift from the payment network to the merchant for fraud if the
merchant doesn't adopt chip & pin.

The rollout date is supposed to be Oct 2013.

As an end user, you are not able to protect from this type of fraud. That's
why the liability doesn't reside with you.

------
ohazi
chip and fucking pin. _sigh_ This problem is solved, yet practically nobody in
the US is demanding the established solution. Until we do, this is only going
to continue.

~~~
yajoe
I work in the industry. Chip and pin is not statistically safer (fraud rates
in Spain, UK, and US are all the same despite having very different payment
landscapes). The fundamental problem is that in traditional chip-and-pin
setups you also type the pin into the same machine... so adding a skimmer +
video camera OR adding a skimmer that records pin is marginally possible and
not that hard.

The real security would come with a second factor that the user controls,
either by approving on your phone or by using one-time-numbers for each
transaction. The reason why these do not exist yet is because they would
impede transaction flow, and the basic math with these companies is if fraud
rate > rate loss of transaction volume from security feature then use security
feature. Otherwise, don't.

~~~
raverbashing
"fraud rates in Spain, UK," for what? Credit cards? Debit? There's always
going to be fraud one way or another.

"you also type the pin into the same machine... so adding a skimmer..."

There's no copying of SIM Cards.

Yes, you can still copy the magnetic stripe that's there for backwards
compatibility. So, yes, it's not going to be safer while there's support for
old technology.

My (European) bank issued me a chip-and-pin card without the mag stripe, good
for travels, where I won't risk getting my card skimmed again.

~~~
qwerta
>There's no copying of SIM Cards.

I would be careful with such a statement :-) Security usually matters on type of
card, but top range is pretty expensive. There are a number of ways how to
'debug' chip using power consumption, xrays etc...

It is easy to copy GSM SIM card. Also operators usually give replacement SIM
(if original gets lost) to anyone with photo id. There were a number of frauds in
Europe.

~~~
raverbashing
"There are a number of ways how to 'debug' chip using power consumption, xrays
etc..."

The circuit on the chip is known, that's not important. The important thing is
the information in rom. Difficult, but certainly not readable through x-ray.

"It is easy to copy GSM SIM card. Also operators usually give replacement SIM"

Of course they can give you a replacement SIM, they can reconfigure their
systems to point the customer to the new SIM. That's not copying.

Actual copying would be more difficult.

------
callmeed
My debit card got skimmed at a gas station this past week. It was used that
same day to make purchases in LA (about 3 hours south of me).

Now that this is happening in other types of retail stores, maybe it will spur
the use of more secure options (chip and pin?).

~~~
Sami_Lehtinen
Nobody is using MSR anymore, Chip & PIN + PCI stuff has been the norm for
several payment terminal and card generations already. So like 10+ years.

~~~
dangrossman
> Nobody is using MSR anymore

The entire US still is, and that represents more transactions per day than
happen in all of Europe.

~~~
rwmj
The population of the EU is twice the US.

~~~
dangrossman
But they do not use Visa cards at the same rate as the US. I didn't pull that
out of thin air. EU only makes up about 40M of the 200M+ daily transactions
VisaNet handles.

~~~
becauseICan
Visa's corporate website [http://corporate.visa.com/about-visa/technology/transaction-...](http://corporate.visa.com/about-visa/technology/transaction-processing.shtml) suggests that the quoted
numbers, "40M of the 200M+", are wrong or misleading. Possibly they
are based on the highest volume day?

_"VisaNet authorizes, clears and settles an average of 150 million
transactions per day in 200 countries and territories."_

Either way, the best way to prove an assertion based on numbers is to source
it.

------
eksith
I once worked for a retailer which was connected via Megapath (they outsourced
to whatever local ISP is available at the store location). The internet setup
was so abysmal in security, in some cases the stores used wifi to connect to
the front registers with the password being (not kidding)
[storename:storenumber]. That's it.

These fools are getting caught doing elaborate plants. That's not how real
criminals key log (btw, this is not a skimmer, but is a 'keylogger' as
joenathan points out). Real criminals sit in the comfort of their car or
nearby coffee shop and scan for open connections and insecure use of
credentials.

------
dietrichepp
And the question is... why not just use secure card swipe devices? You load an
encryption key onto the hardware, and then key loggers don't work any more.
Sure, it won't solve all your problems, but nothing does.

~~~
Sami_Lehtinen
Doesn't help, like I mentioned above. There's no such thing as a 'secure
device'. Someone is always able to tamper with those.

~~~
dietrichepp
There's a difference between "doesn't help" and "not a perfect solution".
Secure readers eliminate the ability for non-savvy criminals to drop a
keystroke logger in the terminal.

------
Theodores
The Cherry PS/2 keyboard with built in card reader is designed for retail and
used in places where there is no C+P:

[http://www.cherrycorp.com/english/keyboards/pos/8000/](http://www.cherrycorp.com/english/keyboards/pos/8000/)

This explains the 'attack vector'. Presumably the scammers have USB dongles
too.

~~~
PeterisP
I may be mistaken, but I thought that the PCI/DSS forbids using such devices
(unencrypted transmission from the keypad), and if a merchant uses them then
they're automatically liable in full for all such fraud; i.e., banks just
refund all cardholders for their losses and bill that+card replacements to
that merchant.

You save some $$ in hardware but take on risk.

~~~
dangrossman
There's no such rule. Virtually every internet gateway and mobile payment app
lets you key in card numbers to make a charge. There is no encryption in your
computer's keyboard. The first versions of the headphone jack swipers for
phones (i.e. Square) didn't have any kind of encryption either.

------
peterwwillis
The main reason I find this interesting is the hacker scene in South Florida
is so small. I bet if they caught one of these guys, they could track it down
to the mastermind faster than somewhere like NY or SF.

------
Sami_Lehtinen
From a technical standpoint, a very lame attack. There's no hacking involved at
all. There have been technically much more sophisticated attacks modifying
terminal hardware & firmware, offloading data completely out of band using
3G networks, etc. That's something that could be called hacking and proper
(malhardware) engineering.

