There is very little true security in retail establishments.<p>This lady simply swapped bar codes on expensive items for bar codes of inexpensive items. Got away with it for over a year and made as much as $30,000 per month in some months:<p><a href="http://miami.cbslocal.com/latest-videos/?autoStart=true&topVideoCatNo=default&clipId=7535659" rel="nofollow">http://miami.cbslocal.com/latest-videos/?autoStart=true&topV...</a>
This is another interesting case because it points out how vulnerable this part of the financial transaction chain is. Of course even after they catch the guys who were installing the skimmers they don't get the 'top' guys who make the fake cards and then withdraw funds in Serbia.<p>I did see a talk where the folks noted (but did not remove) such devices and then began tracking every account that went through the modified device. This was to figure out who the bad guys were. By watching the fraudulent transactions that happened later they were able to roll up a carding group in the Baltics. But it does take a more proactive approach.<p>From a future products prospective the use of cards with embedded processors seems better and better.
Compelling argument to switch to iPad cash registers? har har<p>Btw, if anyone wants to buy one, you can here: <a href="http://www.keelog.com/wifi_hardware_keylogger.html" rel="nofollow">http://www.keelog.com/wifi_hardware_keylogger.html</a>
These are keyloggers and not skimmers, a skimmer looks something like this <a href="http://scams.wikispaces.com/file/view/camera02.jpg/30681221/camera02.jpg" rel="nofollow">http://scams.wikispaces.com/file/view/camera02.jpg/30681221/...</a>
It occurred to me once upon a time that I could use just such a keylogger to capture my classmates' student ID card swipes when they went to release print jobs at any of the print stations on my university campus. I recognized this as a security flaw that (probably) didn't have many lucrative uses, but I never imagined such a technique might work for credit cards. I wrongly assumed that credit card readers would employ greater physical security.
I think a large factor in the lack of change in payment security (In the US anyway, I can't speak for anywhere else) is the rise of the "protected" card. I have no incentive to protect anything about my Amex.<p>Card got skimmed a few years ago somehow, Amex called, asked if I was in Nicaragua (I wasn't) they apologized, removed the $200 or so in charges and next-day aired me a new card. Almost zero hassle.<p>I'd hate to have my debit card skimmed but as far as a credit card... I'm not too worried. The risk isn't mine.
chip and fucking pin. <i>sigh</i> This problem is solved, yet practically nobody in the US is demanding the established solution. Until we do, this is only going to continue.
My debit card got skimmed at a gas station this past week. It was used that same day to make purchases in LA (about 3 hours south of me).<p>Now that this is happening in other types of retail stores, maybe it will spur the use of more secure options (chip and pin?).
I once worked for a retailer which was connected via Megapath (they outsourced to whatever local ISP is available at the store location). The internet setup was so abysmal in security, in some cases the stores used wifi to connect to the front registers with the password being (not kidding) [storename:storenumber]. That's it.<p>These fools are getting caught doing elaborate plants. That's not how real criminals key log (btw, this is not a skimmer, but is a 'keylogger' as joenathan points out). Real criminals sit in the comfort of their car or nearby coffee shop and scan for open connections and insecure use of credentials.
And the question is... why not just use secure card swipe devices? You load an encryption key onto the hardware, and then key loggers don't work any more. Sure, it won't solve all your problems, but nothing does.
The Cherry PS/2 keyboard with built in card reader is designed for retail and used in places where there is no C+P:<p><a href="http://www.cherrycorp.com/english/keyboards/pos/8000/" rel="nofollow">http://www.cherrycorp.com/english/keyboards/pos/8000/</a><p>This explains the 'attack vector'. Presumably the scammers have USB dongles too.
The main reason I find this interesting is the hacker scene in South Florida is so small. I bet if they caught one of these guys, they could track it down to the mastermind faster than somewhere like NY or SF.
From technical standpoint very lame attack. There's no hacking involved at all. There has been technically much more sophisticated attacks modifying terminal hardware & firmware , off loading data completely out of band using 3g networks, etc. That's something that could be called hacking and proper (malhardware) engineering.