Point of Sale skimmer that prints out real-seeming receipts

Brian Krebs reports on a terrifyingly real-seeming Point of Sale skimmer: a device that looks and feels just the thing you normally stick your credit-card into and then enter your pin into, which can print out a real-seeming receipt showing the transaction was approved by your bank. Instead, what this thing does is record your card number, PIN, and other information needed to replicate your card and use it to clean out your account.

This miscreant sells two classes of pre-hacked wireless Verifone POS devices: The Verifone vx670, which he sells for $2,900 plus shipping, and a Verifone vx510, which can be had for $2,500. Below is a video he posted to youtube.com showing a hacked version of the vx510 printing out a fake transaction approval receipt.

From the seller’s pitch: “POS is ‘fake’ and stores D+P [card data and PIN], prints out approved receipt or can be setup for connection error. Software to decrypt the data is provided. It keeps d+p inside memory for manual retrieval via USB cable.”

Point-of-Sale Skimmers: No Charge…Yet

Discuss

13 Responses to “Point of Sale skimmer that prints out real-seeming receipts”

  1. oasisob1 says:

    Next gen will include a cellphone to send data directly home, no worries about getting snarfed up by the police when you access the device for downloading data. Yay, progress!

  2. Martijn Vos says:

    I’ve always wanted to know: how do you copy the chip on the card? I don’t know any place where they still use the magnetic strip, so you might as well wipe that.

    Also: if you’re suspicious, type the wrong pin first. If the payment is approved, you’ll be glad you didn’t type the correct pin.

    • nowimnothing says:

      You must be in one of the more enlightened countries. Over here in the technological backwaters of the U.S. magnetic strip is still king. Sure some of the fancier stores may have the tap to pay option, but it is always alongside a mag stripe reader.

  3. revdj says:

    So, exactly where and how would this be used? Wouldn’t the merchant have to be in on the scam?

    • Terry Fairbrother says:

      Not really, its possible you could have a device switched by a member of staff, or even someone brazen enough to pass themselves off as a member of staff. I imagine its best situation is outdoor cafes etc. watch the waiter/ess deliver the receipt then the fraudster walks over with the pad and does the transaction before the staff member comes back.

      The weakness on this device is its portability, so in my mind the easy test is a fake pin, if it accepts it its a phoney since a real pinpad checks the pin thats held on the card – you get 3 attempts so you can afford one test.

      Counter / fixed pinpads at least are connected to Ethernet / phoneline so there’s some reassurance that its genuine.

      • ZikZak says:

        Have it always reject the first PIN entered, or maybe just randomly.

        Is a false negative less suspicious than a false positive?  You can be sure you entered the wrong PIN, but how sure are you really that you entered the right PIN?  This tendency has been exploited by phishers for a while, where they have you enter all your info on a fake site, then when you submit the page, they give you an authentication error and bounce you to the real site to “try again”.

        Also, why is being connected to ethernet a reassurance?

        • Antinous / Moderator says:

          Is a false negative less suspicious than a false positive?

          Yes. Frequently, when I have a potassium level drawn, it comes back life-threateningly high, presumably due to hemolysis. I go back for a redraw and it comes back normal. The doctor accepts the normal value and rejects the abnormal value. Think about it.

  4. pebird says:

    Martijn:

    The US doesn’t have Chip and PIN implemented yet – everything still on the swipe (except PIN). Good idea to enter an erroneous PIN.

  5. SamSam says:

    It seems to me to be fairly unlikely to encounter one of these. The store owner would have to be the one trying to steal your card information, they would have to be losing out on every store purchase (since this thing doesn’t actually send anything to VISA etc), and they’d have to be hoping that none of the people that whose accounts they clear out will look at their transactions and notice one missing, or remember the last few places in which they used their card.

    A more worrying situation would be a firmware hack on a real POS device (or a router that simply stores the info and some good decryption) that allowed transactions to still go through but recorded the details, allowing the owner to sell the occasional card number at a much later date. My guess is that the encryption on POS devices makes this second senario much less likely, however.

    • Marios P. says:

      couldn’t someone replace one of those without the owner noticing and reaping the “profits” ?

      on a side note I remember hearing in the UK that there was some guys sticking an mp3 player-recorder on the phone line of an ATM and recording pins and card numbers by sound…

    • Chris says:

      I imagine this is something that would be implemented at a non-permanent location.  A farmer’s market, street fair, art show  type event where they are mobile and can disappear easily afterwards.

  6. xzzy says:

    Makes a decent argument for ditching debit cards.  Either pay cash, or use a credit card. Credit card info can still be stolen but at least there’s a process in place to have fraudulent charges reversed. If they get your debit card and clean out your bank account, there’s no recourse available.

    • semiotix says:

      Debit cards may not have precisely the same built-in legal protections as credit cards (I don’t know), but as a practical matter, I know from repeated experience that banks and/or their affiliated finance companies treat them the same way. You report the fraudulent charges, they do a cursory investigation, the money reappears in your account. At least that’s the case in the American context.

      I’m not one to give banks a lot of credit in this or any other regard, but debit card numbers get stolen all the time, just like credit card numbers. Nobody would use debit cards at all if there were no recourse.

Leave a Reply