Since it's only implied how it works and there seems to be some confusion in the comments. It seems like the technique is to simply create a very form-fitting insert which won't fit properly if some device is overlaid onto the machine. The insert is not left in the device, but is just used for a quick in-and-out check.
> Since it's only implied how it works and there seems to be some confusion in the comments.
Seems like a lot of TLDR; :)
The article says exactly how it works.
> The usage is very simple: Insert the tool into the payment terminal’s chip card slot. If it can insert fully, the terminal is safe. If it gets stopped, there might be a skimmer!
Only for large retailers, though. Why not directly offer the CAD file for download right on that page, or make the resulting product available for purchase?
Likely to avoid defeat attempts. The corporate email requirement acts as a first-line defense to at least try to stave off would-be skimmers / scammers grabbing the CAD file and working out the measurements needed to defeat it.
Sure is. Good thing criminals are too dumb to find it, and especially too dumb to replicate it. I'm sure they will never be able to modify their skimmers to circumvent it. They will rue the day they messed with Target's IP lawyers!!! https://patents.google.com/patent/US11507762B2/
This is only a small part of Target's loss prevention operation. Target is known for being both aggressive and sneaky about loss prevention. They use cameras and face recognition extensively, and they have an in-house forensic lab that can process fingerprints. Sometimes they will let a shoplifter get away with stealing for a while, until the total passes the felony threshold. Then they have them arrested. Sometimes followed, because they want to know where the stolen goods are going and catch the fence.[1]
If they find a skimmer, they will probably go back over the video until they find who put it there. Former Target security guard: "All cameras are functional and can look in any direction. Many are 4K and can zoom."
Target has the opportunity to correct an individual whose punishment will be a misdemeanor but instead chooses to -escalate- the individual's behavior in order to punish them with a felony.
Imagine that the misdemeanor — a fine and a few months in prison — would sufficiently deter an individual from ever stealing again, or at least from Target. Target's theft problem is resolved, and the individual goes on with a more abiding life.
In the actual case, Target allows this person to believe the theft is easy and rewarding. When Target preps the legal case, this person serves years in prison.
Target has lost additional inventory meanwhile, Target has paid for the case-building, the individual serves a long sentence, and the individual loses future job candidacy.
Society also pays for the prison time and must support an individual with a difficult-to-employ problem. Everybody is worse off.
I didn't read OP's paragraph and think that they intended to make Target sound bad, but I was able to make the case myself, I think.
Anecdotal counterpoint: there used to be a r/shoplifting sub. Sure, anyone can lie on the internet, but the advice given there was “do not shoplift from Target; you will get caught, and you will suffer.”
No, my counterpoint is that Target’s strategy seems to have worked, and also that there exists the possibility that someone would opt to not shoplift at all due to the harsher penalties set by Target, and being unsure how widespread that practice is.
To be clear, I think the actual problem with shoplifting is systemic suppressed wages coupled with inflation and arbitrary price hikes by corporations.
> Imagine that the misdemeanor — a fine and a few months in prison
What kind of place sends people to prison for "a few months" for a misdemeanor? Wait until you or your spouse/child/parent is involved in the criminal justice systems. Everything will change. You will stand face-to-face with the harshness.
Was going to reply with this. Target is commendable for having patience and catching these people when actual punishment will be given. Thieves consider being caught for misdemeanors just a cost of doing business, like large corporations do when profit made from an illegal deal is 10x what the fine is.
All this shape-based stuff makes me think of antigen/antibody immune-system analogies.
The skimmer binds to the payment slot, some payment slots change shape to prevent skimmer binding, and now the tester-block binds to check that nothing is already bound...
Could payment terminals be made with built-in physical countermeasures for detection? Ideas:
(1) Terminal has a scale built into its feet/mount. It periodically weighs itself, and if (ignoring fluctuations) it weighs too much, it shuts down. It's hard to build a skimmer that weighs 0 grams.
(2) Proximity sensors in key locations on the housing. My smartphone can disable its touchscreen when I hold it against my face, so a payment terminal should be able to detect when something is covering a part that isn't supposed to be covered.
(3) Light sensors. Put some in an area where skimmers need to cover (near card slot) and other where skimmers probably can't cover (the display), and detect whether they get roughly the same amount of light.
(4) Microphones. Same idea as light sensors but with sound.
Skimming is pretty much a solved problem in Europe already. We got rid of the mag stripe, so trivially cloning a card is no longer possible. Furthermore we don't allow offline transactions, so a skimmer must somehow get in between the connection from the terminal to the card and execute a separate transaction right before or after the genuine one.
It is still not 100% impossible, but the "overlay" type of skimmer this protects against has been eliminated for a few years now.
You are correct: but I think all these measures are in place because liability is placed on financial institutions rather than individual victims. The owners of the payment infrastructure are correctly motivated to holistically solve the problem, unlike in the US where the person with the least power and control is burdened with having to contend with "Identity theft" and losing money by default to make up for the fraud.
This is plainly untrue. The US has an absurdly consumer friendly legal environment; you simply say you didn’t do the transaction and your money is immediately refunded; it is up to the payment infra to eat the losses.
The reason mag stripe and associated technologies stuck around is precisely because US banks were good enough at real-time fraud detection that the cost of fraud was << cost of replacing every card and strong-arming every merchant into buying new payment terminals. Eventually they relented since the US became the place to cash out non-US cards.
> The US has an absurdly consumer friendly legal environment; you simply say you didn’t do the transaction and your money is immediately refunded;
US consumer laws don't hold a candle to European ones - it's not even close.
Have you ever gone through this process yourself, or are you stating the idealized version of what should happen? I'd like to hear the bank you were dealing with, because mine tried to give me the run around ("It's not fraudulent because your PIN was used"), and I had to fight them over many calls to get a "temporary refund" by threatening to involve a state ombudsman. Later on, I got a letter in the mail that said the investigation was complete, and the refund was now permanent, only to have the refund yanked again months later.
Caping for American banks in this day and age is weird. They are mostly terrible and will rather have their clients take the financial hit before they do - even if they have to lie or frustrate you with long holds & multiple calls unless you show them you mean business.
Most Americans use credit cards rather than debit cards for their regular spending, and the additional protections of a credit card are a big reason why. They're treated differently under American law.
The idea is that if someone steals your debit card and buys a bunch of stuff, they've stolen your money, but if someone steals your credit card and buys a bunch of stuff, they've stolen the bank's money, and the bank is on the hook for it - not you.
IIRC with debit card fraud you've got like 60 days and the bank can put some of the burden of proof on you, but for a credit card you can literally just say "I didn't buy that" 5 months later and the bank basically has to give you your money back. If you abuse this, the worst thing that can happen is the bank closes your card and cancels their relationship with you, but you won't be on the hook for the spending itself. Because of this additional liability, U.S. banks got really good at early detection of fraud and irregular spending, and Americans don't really give a huge shit about keeping their credit cards safe because there aren't really any major consequences.
> Most Americans use credit cards rather than debit cards for their regular spending, and the additional protections of a credit card are a big reason why.
Which was my point exactly: European debit card users are more protected than American debit card users when their money is on the line
Yes for credit transactions and yes for pinless debit and it was as simple as a phonecall. In the credit instance they called me and pre-emptively issued a new card.
I am sorry you had such a terrible experience, but mine has been completely different.
Of course they can be made that way. The countermeasure built into gambling equipment like slot machines is incredible.
But then it would cost more than their competitors. With much more maintenance for false positives, etc. And the vendor doesn't really pay the price for skimmer fraud.
So the reason that gas, in LA area at least, have different prices for cash and card (typically ~$0.25/gal more for card) is not because of additional risk for the gas station, but just classic US exorbitant fees?
The price difference is a way to pass along credit card fees that otherwise would have to be paid by the station operator. It used to be against the credit card networks’ merchant agreements to have separate cash and credit prices — but a good number of LA gas stations rolled the dice and did it anyway. That rule changed a few years ago, and now most stations split their pricing. (I believe that’s also why ARCO gas now takes credit cards, after holding out for decades — they are now allowed to pass along the cost to the customer.)
If someone comes up with an anti-skimmer terminal the payment processors would benefit from having a lower transaction fee for transactions posted from such a terminal. That would in time push the market to use such terminals.
Alternatively they could just remove the slot and require self-pay terminals to be contactless. It really makes no sense to me why merchants don't already do this proactively; they are well incentivized:
1) Contactless merchant fees are lower than dip or swipe
2) Payment terminals are cheaper
3) Less fraud/shrink
This hunk of plastic from Target is a solution looking for a problem.
They’re not looking for a problem. The problem exists.
“Just use contactless” doesn’t work in the US.
Just yesterday a friend was commenting that he got a new credit card (old card expired) and the new one still doesn’t have contactless. Seems his bank decided it wasn’t worth it.
But that’s not all. Target gift cards don’t have contactless. Don’t think Visa/MC/AmEx gift cards do either. I bet EBT cards don’t, I think a rule requiring them to have chips was just passed.
I know other countries are ahead of us, and that major banks have been issuing chip cards for a while. But there are still a lot of people that leaves out.
That’s because Walmart is using Walmart Pay as a vehicle to track you and your shopping purchases. They can’t track your habits the same way with just a card.
Kroger finally gave up on Kroger Pay if only because they realized customers were still entering their alternate ID/phone number during checkout so they could still link your data together.
The funny part is Walmart in Canada fully allows contactless… almost as if they don’t care they aren’t getting that customer data up there.
> The funny part is Walmart in Canada fully allows contactless… almost as if they don’t care they aren’t getting that customer data up there.
No it's because our banking system is dramatically different in Canada and the expectations of the average shopper and the POS options available to them here are all working to force that issue.
Canada had chip and pin and contactless LONG LONG before the US did - and it's easier for us to make these pivots and changes due to fewer banks and pre-defined co-operation agreements.
They still track it a fair bit. For example. Put a card in the walmart app and after a bit of time all your past purchases will show up in your history.
I was suggesting "Just use contactless" for customer accessible payment terminals. Want to use something less secure and more likely to result in fraud? You can hand your card to the cashier or walk inside instead of paying at the pump, just like you do with any non-card payment already.
The EBT, gift card, and lazy small banks would get their act together pretty damn quick, I'd wager.
“Sorry. I know you’re on assistance because you can’t afford food, but for your security we’re not going to let you buy food with your government benefits as you may become a scam victim.
Come back when your state government decides to pay to re-issue every card with better technology.”
That’s cruel. The move to EMV was only recently mandated for EBT (if I remember correctly and it was done at all) because so many people were having their benefits stolen by mag stripe skimmers.
You can’t use a stick against powerless people to effect change. It just makes them suffer.
Even if Target did mandate contactless, the stock would plummet on news of all the lost sales and the CEO would be out. The new one would reverse it immediately.
Where did I suggest this? The customer payment terminal is not the register. Both have card readers; one is fantastically less likely to be tampered with than the other. There is absolutely nothing wrong with putting your cashier in between the customer and a potentially fraudulent payment. What happens when that person gets their EBT account drained by a criminal because of a skimmer? I'm not trying to marginalize anyone; get real.
> This hunk of plastic from Target is a solution looking for a problem
When you're dealing with tens of thousands of terminals that you want to check on a regular basis across thousands of stores, having a device that verifies things quickly is a solution to a real problem.
Ironically, contactless has been the source of new types of skimmer attacks. A skimmer could just add an nfc coil and wouldn't even need to physically touch the card anymore.
Yes by all means, let's use the threat of a possible attack on EMV to continue to prop up the magstripe and completely disregard that pretty much all of the successful attacks against chip or contactless involve legacy magstripe emulation. If it's good enough for Granddad, it's good enough for me!
Welcome to the Internet. If your comment doesn't propose something that is mathematically proven to be perfect under all circumstances and for all people, past, present, future and hypothetical, then it's junk and you're an idiot for mentioning it.
Why not publicly distribute the design? Because skimmer-makers might adapt? It seems trivial to acquire one (getting a job at Target or spoofing a corp email account isn't a high barrier).
I would expect that the corporations will be asked to sign an indemnity agreement before they get the design. Target doesn't want to be held liable in case a skimmer is built that defeats this detection and the recipient needs to understand there are no guarantees.
It's nice that someone got this through the default corporate deny policies.
It’s sad that this is likely the case. In general, an “As is/no warranty” shrinkwrap contract should be sufficient for legal protection but won’t prevent people from filing nuisance lawsuits, which I suspect they wish to avoid altogether.
It is, however, added friction, and that's 90% of the security game. Every additional layer helps. (And a corp email account adds a paper trail, at the very least)
Ah good point. Target's one of the most serious companies in the world about this, with a forensics lab and everything. I'm surprised they're doing this much, even if the skimmers obviously have access to the same measurements.
How do these skimmers work with chip&pin? I understand how magstripe skimmers work, but my understanding is that chip&pin is an active challenge response protocol. I’d love to hear more.
Even with EMV transactions, they are apparently able to get the card # which is transmitted in clear text by the chip. And the PIN from the keyboard overlay for debit transactions. Later they can clone the card # onto a fake mag stripe card and use the fake card for card-present purchases.
They probably cannot make card-not-present (online) purchases since I don't think they can get the CVV.
> In addition to the track-two data on the magnetic stripe, EMV cards generally have identical data encoded on the chip, which is read as part of the normal EMV transaction process. If an EMV reader is compromised to the extent that the conversation between the card and the terminal is intercepted, then the attacker may be able to recover both the track-two data and the PIN, allowing construction of a magnetic stripe card, which, while not usable in a Chip and PIN terminal, can be used, for example, in terminal devices that permit fallback to magstripe processing for foreign customers without chip cards, and defective cards.
They might not need CVV, if the transaction looks “good” otherwise:
> A payment can still be successful even if the CVC or postal code check fails. This is because card issuers take many signals into account when making a decision about whether to approve or decline a payment. In some cases, a card issuer may still approve a payment they consider legitimate, even if the CVC or postal code verification check fails.
I recently went through the opposite of this. A purchase at denon.com was declined, got a "please verify" email from my issuer which I approved and re-did the purchase. My issuer authorized the payment the second time, but then it got held up by NoFraud who sent me their own "please verify" email which I did. I had used an iCloud Hide My Email address for the purchase so a day later I get another email from NoFraud:
> Thank you for confirming your recent order. We are the fraud solution for the merchants website. We flagged the order for additional review before we notify the merchant to process it. To complete the verification for approval, we require an alternate email address for the cardholder. Please respond with an alternate email address.
At that point I tracked down NoFraud's phone # and called them to finally get the transaction approved.
> I had used an iCloud Hide My Email address for the purchase so a day later I get another email from NoFraud
I got hit by a merchant using "NoFraud" as well. After making an order from the merchant's site, using Apple Pay on the web (which is, allegedly, rather hard to fake), I received an email saying my order was canceled as it "appears that a merchant-specific email address was used" and to "please resubmit the order using your personal contact details".
They were right, because I always use [merchantname]@subdomain.mydomain.com. Whatever it was couldn't have been that important because I didn't bother redoing it if they're going to be that picky.
(I can't find the purchase confirmation and subsequent email in my email, probably because I deleted it out of annoyance, so I'm not naming who I think I remember it being just in case I'm wrong)
This is the thing that got me. Where the heck is NoFraud getting its training data[1] and why is an email address even considered relevant to the safety of the transaction? The item was shipping to my home address which matches my CC billing address.
[1] "NoFraud’s multi-layered solution analyzes thousands of data points fusing machine learning."
EMV doesn’t transmit the full card number in the clear. I don’t know how they’d get it. IIRC the track data is sanitized, but maybe it wasn’t always. I’m not even sure all cards give it in a modern EMV transaction.
The old mag stripe emulation mode of contactless did, but that’s legacy and many places won’t accept it and cards won’t do it.
However the good old “break the slot or chip reader so they have to use mag stripe and scan the card things the old fashioned way” technique still works great.
Googling "EMV sniffer" returns a bunch of sketchy sites that claim they get the card number from the chip, not the mag stripe. That's also what seems to be implied by the submitted link. Here's another post claiming the card # is readable from the chip:
I believe it’s at least stored on the EMV chip: if you tap a credit card to a flipper zero you’re able to read the full card number and expiration date, and contactless is just over-the-air EMV as I understand it.
Oh yeah, it must be in there. If you were to etch down to the chip with acid I’m sure you could see it.
Contactless has two forms. The old one is mag-stripe emulation. It would literally just respond with the information from the mag-stripes. It was exactly as secure as mag-stripe. Probably worse because you didn’t need to physically move the card over a read head.
That’s no longer supported in many (most?) modern cards. I know ApplePay refuses to do it. I think card brands have said to stop using it but I’m not positive.
The other mode (absolutely dominant in contactless) works through encrypted EMV tags the same as you get when using a physical slot. The order of things is a little different but it’s just as secure.
The US still has a heavy reliance on magstripe, even though we rolled out EMV, and many cards still have it, and you can just take a stripe dump regardless.
The actual user of the stolen card dump will cause the terminal to allow a magstripe fallback (typically with a bad chip on a fake card that won't read) -- "aw jeez my stupid chip isn't reading" is still very much a valid excuse to a cashier to go to magstripe.
I think there are also just lots of POS systems in the US that aren't on EMV yet. Major retailers are on EMV but random old rural businesses probably aren't.
Makes me think about intentionally corrupting the magstripe on my cards. I wonder if that’d cause any issues.
I can’t remember having to fall back from the chip to a swipe in ages, and I have a couple of cards, so I could keep one as a backup with a working stripe just in case (long ago I found myself far from home and low on gas, with no cash, a dead cell phone and a “suspicious transaction” blocked credit card, and I’d rather not repeat that experience).
It's only an issue with EMV Fallback, which you'd probably not need if you have a backup card that is good. Basically if the chip or near-field antenna on your card fail, the fallback is to collect a magnetic stripe read. Properly-configured readers don't need the stripe read to complete a transaction.
Properly configured merchants don't even need the payment terminal to complete a transaction. They should be able to key the card number if all else fails. I say corrupt your magstripe if it makes you feel better.
The image shows the skimmer gadget sitting on top of the pin pad and the bottom card insertion slot (the one that takes a chip). On these card readers the magstripe reader is on the right hand side iirc. I’m wondering what you can do having connected to the EMV contacts and recorded the PIN. I suppose you could make a transaction, but it would have to presumably happen at the same time as the legit transaction (which would then immediately get flagged as fraudulent)
Not much. The chip doesn't transmit any credit card numbers. What's really happening in an EMV transaction is the amount due is transmitted along with some identifying information from the host to the card reader. The reader then authenticates with the chip card using asymmetric cryptography. Once this authentication is done, the reader sends an amount due and the chip card checks its authorization rules, and responds with some encrypted data that represents the transaction amount and that depends on a private key embedded in the card. You could replay the transaction at the exact same time as it is happening, but you'd have to use the same amount due. And there are other identifiers for EG the terminal that you'd have to know. If you're curious, EMVco makes the specification available online in documents titled Book 1, Book 2, Book 3, and so on: https://www.emvco.com/specifications/
You'll want an RFID blocking wallet or sleeve to supplement this plan. Thieves will use an RFID skimmer and just wave it near your pocket to grab the info off the card when it responds.
Has anyone ever shown a practical attack for EMV contactless?
I know the old mag stripe emulation was vulnerable, but EMV contactless shouldn’t hand out the card number and uses cryptographic signatures. You’d have to capture and play back a transaction (not randomly scan a card) and there are time stamps and transaction counters that would be wrong and the terminal ID wouldn’t match.
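A simplified model of the replay protection described in the comments above, as an added example that is not from the thread or from EMVCo's specifications. HMAC-SHA256 stands in for the card's cryptogram, and the `Card`, `Issuer` and `AuthRequest` names, the field layout and the sample values are all assumptions made for illustration.

```python
import dataclasses
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthRequest:
    """What the terminal forwards to the issuer (constructed field set)."""
    card_id: str
    amount_cents: int
    terminal_id: str
    unpredictable_number: bytes  # nonce chosen by the terminal per transaction
    atc: int                     # card's transaction counter
    cryptogram: bytes


def _mac(key, amount_cents, terminal_id, nonce, atc):
    # Length-prefix every field so two different field sets can never
    # serialize to the same byte string.
    fields = [str(amount_cents).encode(), terminal_id.encode(),
              nonce, str(atc).encode()]
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()


class Card:
    """Stand-in for the chip: holds a key that never leaves it."""

    def __init__(self, card_id, key):
        self.card_id = card_id
        self._key = key
        self._atc = 0

    def sign(self, amount_cents, terminal_id, nonce):
        self._atc += 1  # the counter advances on every transaction
        tag = _mac(self._key, amount_cents, terminal_id, nonce, self._atc)
        return AuthRequest(self.card_id, amount_cents, terminal_id,
                           nonce, self._atc, tag)


class Issuer:
    """Stand-in for the issuing bank's authorization host."""

    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def enroll(self, card_id, key):
        self._keys[card_id] = key
        self._last_atc[card_id] = 0

    def authorize(self, req, submitting_terminal):
        key = self._keys.get(req.card_id)
        if key is None:
            return "DECLINE: unknown card"
        expected = _mac(key, req.amount_cents, req.terminal_id,
                        req.unpredictable_number, req.atc)
        if not hmac.compare_digest(expected, req.cryptogram):
            return "DECLINE: bad cryptogram"      # any field was altered
        if req.terminal_id != submitting_terminal:
            return "DECLINE: terminal mismatch"   # relayed from elsewhere
        if req.atc <= self._last_atc[req.card_id]:
            return "DECLINE: stale counter"       # captured and played back
        self._last_atc[req.card_id] = req.atc
        return "APPROVE"


def demo():
    key = os.urandom(32)  # constructed sample key
    card, issuer = Card("card-A", key), Issuer()
    issuer.enroll("card-A", key)

    genuine = card.sign(2599, "TERM-0001", os.urandom(4))
    results = {"genuine": issuer.authorize(genuine, "TERM-0001")}
    # Same message presented a second time: the counter has already been used.
    results["replay"] = issuer.authorize(genuine, "TERM-0001")
    # Captured message with the amount changed: the MAC no longer verifies.
    tampered = dataclasses.replace(genuine, amount_cents=99999)
    results["tampered"] = issuer.authorize(tampered, "TERM-0001")
    # Valid cryptogram submitted by a terminal other than the one it names.
    relayed = card.sign(500, "TERM-0001", os.urandom(4))
    results["other_terminal"] = issuer.authorize(relayed, "TERM-9999")
    # The card's next genuine transaction still goes through.
    results["next"] = issuer.authorize(
        card.sign(500, "TERM-0001", os.urandom(4)), "TERM-0001")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15s} {outcome}")
```

None of these checks apply to a magstripe fallback transaction, which carries no cryptogram or counter.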
My pet theory is that transitioning to wireless payment also opens up user expectations for the vendor to participate in way more payment networks than just Visa/MC/Discover/AmEx. If you have a wireless reader but no agreement with Apple Pay, or Google Pay, or Samsung Pay, or WePay, or WhateverSomeNewMBACrap users will start putting in reports that the reader is “broken”.
I’ll absolutely admit knowing very little about the nuances of payment networks in the US, particularly with contactless — but my experience (in Australia) is that payment terminals that support contactless inherently support Apple/Google/etc Pay, even if the payment terminal is unaware of those things, in which case the transaction will work the same as a contactless card transaction (e.g. transactions >$100 require PIN).
You don't have to have an agreement with Apple or Google to accept Apple Pay or Google Pay. If the customer holds a Visa then the phone presents a Visa to the reader. There is no special thing you have to do to accept those payments.
Unfortunately that's not how it works. There is a protocol at the payment processor for Apple Pay (at least) that has to be followed so that the device card number (not the card number on your card and not a "virtual card") is tied to the correct account. It's a whole thing. Most POS systems ship with support for it at this point. And you have to sign some sort of agreement so that you are compliant.
I imagine it is possible to do something wrong at the processor to make this not work, due to the device card number shenanigans you mention. But, are there really still processors who still do it wrong? The device card number is associated at the issuing bank, not at the processor (unless I am missing something).
My preferred gas station got tap to pay during the pandemic and I make it a clear effort to use it every time I get gas to try to bump the numbers up so it doesn't go away or gets fixed if it breaks. Such a great feature.
Preferred gas station here did something to the UI--you can "pay" by waving your phone at it, but then it will prompt for your zip code. When you enter the zip code there's a couple of prompts about ensuring you know you're paying credit price--oops, entering the zip code also answers no to the first question.
I'm sure it's a bug--they're not adequately debouncing the key and it's being taken as an answer to the next question. I've told them but I doubt the people in the store have an adequate way of pushing a bug report like that up the chain.
We wouldn't even need to worry about this dumb stuff if we had actual cryptographic PKI for payments. Honestly at some point fraud is 100% the card issuer's fault when the tech to prevent it is here and now.
Why I still can't register a public key with my bank and say "do not under any circumstance honor a transaction unless it's signed with my private key" is beyond me.
What you are describing is essentially EMV, except that your bank has gone to the trouble of picking your private key and embedding it in a card you carry around and insert into payment terminals.
> still not 100% foolproof because the card itself doesn't have a display and Allow/Deny button.
I'm assuming you are thinking about an attack where a compromised terminal processes an attacker-issued transaction (relayed from elsewhere) instead of the genuine one.
It seems like a solution to this would be for the card to issue a challenge to the reader and only provide a very short timeframe to answer, so that relaying it elsewhere is impossible due to speed of light and all that.
Guys, I appreciate the comment about EMV, I’m aware but it misses the point. They need to be _my_ keys, and ones _I_ can pick and verify. If you don’t generate the key, it’s not actually secure.
At minimum, EMV would need to be verifiable. Ideally rotatable. Best case: chooseable.
Until the UX problem is solved making it infallible for noobs to manage PKI, it's probably better for the bank to manage it. Your ideal world at a minimum requires:
- an on-card UI. Yubikey-style one-button-tap is not enough, you actually need to verify the transaction details.
- integration with backend systems to support rotation and recovery because otherwise folks will screw this up and lock themselves out
There's a reason webauthn passkey has obfuscated PKI to oblivion, because they simply can't figure out how to entrust end users with keys.
To be clear, I'm a PKI fan and want all of these things to exist, but we're very far from it. In the interim, a bank-managed PKI is a welcome improvement.
I feel like if you want that, what you have to do is make a social change such that a number of people sufficient to form a marketable niche would even understand what you are talking about.
Like, I understand what you are talking about, most of the readers here understand what you are talking about, but I also understand that almost everyone else doesn't.
> Why I still can't register a public key with my bank and say "do not under any circumstance honor a transaction unless it's signed with my private key" is beyond me.
I would imagine there's something wrong with it if Target isn't just buying it
Though it could just be cost given that Target could just pay for a plastic injection mold overseas and then pay peanuts yearly to make a 60k batch for their yearly renewal they mention, compared to $20*60k each time
This little micro-arms-race to develop and patent a plastic wedge that doesn't need to exist in the first place is ridiculous. The irony is that there is something of a perverse incentive not to solve the actual problem now that such a big industry has emerged to combat it. If they wanted to build secure card payment terminals they would build them.
This is an interesting and simple physical measurement device to determine if the credit card slot is in a different orientation than expected. It uses the keypad as a reference location.
I think the most obvious circumvention would be for the criminal enterprise to focus on altering the length of the verification devices, since an EasySweep does not appear to have a formal method to verify its own correctness. A shortened card tab on EasySweep would provide feedback that the terminal was ok since the keypad finger support presses against the terminal.
You read it wrong. It's not permanently attached. They stick a very precise 3D object in the chip slot, and if it doesn't fit, that means the slot isn't the exact same as how the reader was made from the manufacturer. So you get a cashier to do that at the start of their shift, and if anything is detected they call out a more trained repair man/security professional to figure out if there is a skimmer.
So the skimmer asshole pays some Target employee $100 to replace the very precise 3d object with one that hides the skimmer when no one's looking?
I need a solution that lets me, the card holder, check these. This ain't it.
Hell, some of the internal skimmers just solder jumper wires to pcb pins/testpoints don't they? There's nothing mechanical for a card to touch. Target's got so many telescreen cameras in the store, they could likely get the pin numbers straight from that, no need to intercept that.
> So the skimmer asshole pays some Target employee $100 to replace the very precise 3d object with one that hides the skimmer when no one's looking?
They replace the objects every 6 months. And there are multiples. So, yeah, I guess it's doable.
> I need a solution that lets me, the card holder, check these.
You could just print one and carry it with you.
> some of the internal skimmers just solder jumper wires to pcb pins/testpoints don't they?
At that point, there's no real security. If that's your threat model, you can just substitute the entire reader for a counterfeit one.
> Target's got so many telescreen cameras in the store, they could likely get the pin numbers straight from that
If you are as paranoid as you sound, you should be covering your hand putting the PIN in with your other hand.
You seem to not understand the threat models. A skimmer is a 3 second attack that requires no accomplice and can be done with sleight of hand while people are watching. Making that scale to a multi-person operation with more physical construction, the need to swap out (and hide) a bunch of red plastic going in and out is a win. In much the same way that locking your jewelry in a small safe isn't going to stop determined thieves, but will make casual thieves abandon it.
> You seem to not understand the threat models. A skimmer is a 3 second attack that requires no accomplice and can be done with sleight of hand while people are watching. Making that scale to a multi-person operation with more physical construction, the need to swap out (and hide) a bunch of red plastic going in and out is a win. In much the same way that locking your jewelry in a small safe isn't going to stop determined thieves, but will make casual thieves abandon it.
I'm just repeating what I've read elsewhere, seen elsewhere.
The gas pump skimmers are completely internal. None of that bullshit where their plastic fits over the top of the other snugly. They wire just 4 or 5 leads to the pcb... vcc and gnd, obviously... so the rest of it must be I2C or some other serial/2wire protocol I guess.
Someone was saying "well at least they can't get the cvc", but that got me to wondering with cameras so small and cheap, could you hide one where it could see that on the underside? At least on my cards, it's on the same end as the chip itself, so maybe?
How many cards can they skim, before it's detected, and what's the average value of skimming one card? If you multiply those two together, and the answer is in the tens of thousands or hundreds of thousands (or god help us, millions), then it's very much worth it to be a multi-person operation. Especially since such an operation will have more than one card-skimmer going... how many can a small team manage reliably? I guess it's really `a x b x c =` here.
Does Target have free in-store wifi? If so and they pre-configure, they never have to show up on-site again. Fuck, can they get someone hired on for 3 days to do all this, and switch out the skimmer detection tools? Then they just no-show, no-call, and move on to the next.
> If you are as paranoid as you sound, you should be covering your hand putting the PIN in with your other hand.
Have been for the last 20 years. Some woman in a gas station in Virginia once got pissy at me for doing it "it's just you and me in here!"... "Lady, you have a surveillance camera pointed right at me, I can see myself on the monitor behind you".
> Hell, some of the internal skimmers just solder jumper wires to pcb pins/testpoints don't they?
No. Most modern card terminals are tamper-resistant and will erase key material if opened.
(Besides, it's not like you're going to be able to casually crack open a payment terminal, pull out a soldering iron, and modify it while you're standing in the store checkout line.)
Payment terminals inside a retail store do have that tamper magic.
Gas pumps are a little quirkier because they use integration modules, I would imagine they got better with newer ones but earlier ones, even with chips, would basically just be an exposed pcb on the inside
The solution for cardholders is to use tap-to-pay.
Frankly, as a _credit_ cardholder with zero liability, I’m not overly-concerned by skimmers. I won’t lose anything. The card tax is already baked into all prices, so there’s no real benefit for me to solve this problem.
> I need a solution that lets me, the card holder, check these. This ain't it.
No you don't. All you need to do is use a payment method that is actually secure. Demand it. When they tell you tap doesn't work, ask why. Hand your card to the cashier and make them scan it on the register's reader.
Yes, you did I'm afraid -- this is a tool which is used to check for skimmers, not a preventative measure which is permanently installed. It only blocks the chip slot when an employee is ensuring a skimmer isn't installed on a particular terminal.
The device is for detection. The employees just insert it into the slot once per day and check to make sure it goes in fully. Then it's immediately removed.
> it allows any Target team member to easily sweep a store for skimmers
I'm unclear on how this is supposed to help - unless the skimmers are being installed by frickin ninjas it seems like they already needed insider cooperation.
If you make sure who is doing the skimming rotates so that there is a constant stream of new people checking it would be really hard to stop detection in a timely manner. It's also insanely fast to install a skimmer (like 2 seconds fast) so you don't necessarily need insider help. Until wireless skimmers with a decent range become available this tool could bring skimming down to effectively zero (and reduce it to just the customer who rang through the till before it was discovered when they are available). It's a pretty epic addition to the retail security landscape
If the Target employee cannot see the skimmer detection tool, the terminal has been compromised. Most skimmers fit on top of the terminal which would obstruct sight of this tool/layer. There are videos online of these skimmers being "installed" and it takes about 1 to 2 seconds of work and it seems anyone can do it.
It’s the former more or less - https://youtu.be/Sljmr8m88P8. They could do it on a lane that isn’t open (read no attention) just before a rush hour and hope it gets chosen.
I feel like this would be particularly easy at self checkout stations where there's usually like 1 employee handling a dozen or so stations. You can also get someone else to go "accidentally" scan a pack of gum twice and hit the help button to have said employee come over and fix it. That would provide more than enough of a distraction to quickly place a skimmer on a different station.