VIDEO: Invisible hacker 'condoms' appearing at checkout lines across country, skimming card data and PINs
Talking about 'overlay' skimmers on CBS Evening News. Click to watch video.
Those new chip-enabled credit cards are working, says Visa: counterfeit card fraud dropped 26 percent in a year at merchants set up to accept the cards, Visa told me this week.
You didn't think criminals would stand still, did you?
In a mad dash to squeeze every last dollar out of the dying magnetic stripe data theft scheme, card hackers are really pushing the envelope. And taking big risks. Card skimming devices that once were snuck onto unmanned machines like ATMs or gas pumps are popping up in all kinds of places -- brazenly placed at self-checkout lines at Walmart stores in Kentucky and Virgina, for example, or Safeway supermarkets in Colorado and Maryland.
The skimmers are novel, and a bit alarming, because they are built to fit perfectly over the real thing, intercepting mag stripe data and critical PIN codes from unknowing consumers while not disrupting the transaction taking place. Criminals slip them over a point of sale terminal, then collect them later or suck out the data wirelessly. The devices are called "overlay" skimmers because of the design; one criminal calls the gadget a "Verifone condom," after the brand name of a point of sale terminal it slips over.
The crime is brazen, because someone (often a team of two) has to physically walk into a store and install the device while (likely) being caught on camera.
The trend got some national media attention last week, and I appeared (for the first time in a while) on CBS Evening News with Scott Pelley to talk about it. You can click above to watch the video, which includes caught-on-camera footage of card thieves installing a device.
"The folks who do the credit card skimming -- they're basically magicians," I told CBS."They use slight of hand and in an instant, they can plop one of these things onto another terminal almost invisibly." (Yes, it's remarkably strange that I just quoted myself. But it might save you a click.)
Brian Krebs of Krebs on Security began issuing warnings about these kinds of skimmers several months ago, and posted a video of a point of sale "condom" on his YouTube account.
"My local Safeway in Northern Virginia uses this exact model of Verifone terminals, and after seeing this picture for the first time I couldn’t help but pull on the terminal facing me in the self-checkout line on a recent store visit, just to be sure," Krebs wrote. That's not a bad idea if this news concerns you.
Krebs had actually posted video of a similar device back in 2013, proving once again that most hacks you hear about aren't really new.
It's reasonable to assume that overlay skimmers are popping up in more places as the business of card skimming faces down its mortal threat. Recall that "card cloning" -- stealing card data and placing it onto new plastic for use by a criminal -- was a favorite scam for U.S. card thieves. EMV credit and debit cards all but eliminate this one kind of fraud, because criminals can't really manufacture their own EMV cards, at least not now. Plenty of other card fraud is still available to bad guys, but card data theft and cloning is getting harder.
To be sure, there's still plenty of stores that don't use the EMV chip yet, and as long as they exist, card cloning will indeed continue. Earlier this year, I explained why four out of five stores that have chip hardware still can't turn EMV on. Some merchants are getting big fraud bills because of this delay, and are suing. Meanwhile, chip-enabled ATMs are even farther away, thanks to a delay in issuing standards for chip debit cards. And gas stations still have until October 2017 to make the shift.
So old-fashioned magnetic stripe fraud, and PIN code theft, will be with us for a while. In the meantime, it's sensible to take one moment before you swipe a credit card to see if the point-of-sale terminal you are about to use shows any signs of tampering. You might miss a well-designed condom, but at least you'll show the store you care about security.
Here's video of an alleged "Verifone condom" obtained by and posted by Krebs on YouTube earlier this year.
If you've read this far, perhaps you'd like to support what I do. That's easy. Sign up for my free email list or click on an advertisement.