
Did I read this wrong? They are using the card chip slot to house the skimmer protection, so chip and PIN will not work?



You read it wrong. It's not permanently attached. They stick a very precise 3D object in the chip slot, and if it doesn't fit, that means the slot isn't the exact same as how the reader was made from the manufacturer. So you get a cashier to do that at the start of their shift, and if anything is detected they call out a more trained repair man/security professional to figure out if there is a skimmer.


So the skimmer asshole pays some Target employee $100 to replace the very precise 3d object with one that hides the skimmer when no one's looking?

I need a solution that lets me, the card holder, check these. This ain't it.

Hell, some of the internal skimmers just solder jumper wires to pcb pins/testpoints don't they? There's nothing mechanical for a card to touch. Target's got so many telescreen cameras in the store, they could likely get the pin numbers straight from that, no need to intercept that.


> So the skimmer asshole pays some Target employee $100 to replace the very precise 3d object with one that hides the skimmer when no one's looking?

They replace the objects every 6 months. And there are multiples. So, yeah, I guess it's doable.

> I need a solution that lets me, the card holder, check these.

You could just print one and carry it with you.

> some of the internal skimmers just solder jumper wires to pcb pins/testpoints don't they?

At the point, there's no real security. If that's your threat model, you can just substitute the entire reader for a counterfeit one.

> Target's got so many telescreen cameras in the store, they could likely get the pin numbers straight from that

If you are as paranoid as you sound, you should be covering your hand putting the PIN in with your other hand.

You seem to not understand the threat models. A skimmer is a 3 second attack that requires no accomplice and can be done with sleight of hand while people are watching. Making that scale to a multi-person operation with more physical construction, the need to swap out (and hide) a bunch of red plastic going in and out is a win. In much the same way that locking your jewelry in a small safe isn't going to stop determined thieves, but will make casual thieves abandon it.


> You seem to not understand the threat models. A skimmer is a 3 second attack that requires no accomplice and can be done with sleight of hand while people are watching. Making that scale to a multi-person operation with more physical construction, the need to swap out (and hide) a bunch of red plastic going in and out is a win. In much the same way that locking your jewelry in a small safe isn't going to stop determined thieves, but will make casual thieves abandon it.

I'm just repeating what I've read elsewhere, seen elsewhere.

The gas pump skimmers are completely internal. None of that bullshit where their plastic fits over the top of the other snugly. They wire just 4 or 5 leads to the PCB... VCC and GND, obviously... so the rest of it must be I2C or some other serial/2-wire protocol, I guess.

Someone was saying "well at least they can't get the cvc", but that got me to wondering with cameras so small and cheap, could you hide one where it could see that on the underside? At least on my cards, it's on the same end as the chip itself, so maybe?

How many cards can they skim, before it's detected, and what's the average value of skimming one card? If you multiply those two together, and the answer is in the tens of thousands or hundreds of thousands (or god help us, millions), then it's very much worth it to be a multi-person operation. Especially since such an operation will have more than one card-skimmer going... how many can a small team manage reliably? I guess it's really `a x b x c =` here.

Does Target have free in-store wifi? If so and they pre-configure, they never have to show up on-site again. Fuck, can they get someone hired on for 3 days to do all this, and switch out the skimmer detection tools? Then they just no-show, no-call, and move on to the next.

> If you are as paranoid as you sound, you should be covering your hand putting the PIN in with your other hand.

Have been for the last 20 years. Some woman in a gas station in Virginia once got pissy at me for doing it "it's just you and me in here!"... "Lady, you have a surveillance camera pointed right at me, I can see myself on the monitor behind you".


> Hell, some of the internal skimmers just solder jumper wires to pcb pins/testpoints don't they?

No. Most modern card terminals are tamper-resistant and will erase key material if opened.

(Besides, it's not like you're going to be able to casually crack open a payment terminal, pull out a soldering iron, and modify it while you're standing in the store checkout line.)


Payment terminals inside a retail store do have that tamper magic.

Gas pumps are a little quirkier because they use integration modules. I would imagine they got better with newer ones, but earlier ones, even with chips, would basically just be an exposed PCB on the inside.


The solution for cardholders is to use tap-to-pay.

Frankly, as a _credit_ cardholder with zero liability, I’m not overly-concerned by skimmers. I won’t lose anything. The card tax is already baked into all prices, so there’s no real benefit for me to solve this problem.


> I need a solution that lets me, the card holder, check these. This ain't it.

No you don't. All you need to do is use a payment method that is actually secure. Demand it. When they tell you tap doesn't work, ask why. Hand your card to the cashier and make them scan it on the register's reader.


Yes, you did I'm afraid -- this is a tool which is used to check for skimmers, not a preventative measure which is permanently installed. It only blocks the chip slot when an employee is ensuring a skimmer isn't installed on a particular terminal.


The device is for detection. The employees just insert it into the slot once per day and check to make sure it goes in fully. Then it's immediately removed.


It's not "protection" but a testing tool. If the tool fits as expected, then there probably isn't a skimmer. Then you remove the tool.

