
Skimming made easier with hacked portable card payment machines


For years electronic skimming devices have been stealing credit and debit card information with varied success, but the researchers at global cyber security company Group-IB have noticed an increasing number of modified point-of-sale (POS) devices circulating in underground markets.

It is possible that other models may be in use, but Group-IB focused on one in particular: the VeriFone VX670.

VeriFone's wireless point-of-sale (POS) machine has been completing portable business transactions for nearly 10 years, but now at least one cyber crook is selling a modified version of the device that will capture card numbers and send the data to scammers via cable or wireless connection. It is easy to use and pretty seamless, too.

Andrey Komarov, CTO and head of international projects with Group-IB, said on Tuesday that one reason the modified device is attractive to skimmers is that it can send data through general packet radio service (GPRS), Bluetooth, or WiFi, so all a user has to do is sit nearby and collect card data as it is processed.

The devices are also popular because they can store a lot of information, read track one and track two of a card's magnetic strip, detect PIN codes and alter what is printed on a receipt, according to Komarov.

“It is hard to detect on the bank side,” he said. “[The banks] need to analyse the possible location of the fraud. It is hard because you need to analyse the merchants where the card was used and interview the victim.” At that point the crook would have likely recovered the device, Komarov added.

Komarov said he first heard of the devices being used in Moscow restaurants where $30,000 was being taken every month. Since then he has seen it pop up across the globe in retail locations and hotels.

“The key area is resort locations,” Komarov said, pointing to Asian countries, such as Thailand, where he said card security is not as high a priority.

The modified VeriFone device can be purchased for $3,000 on various underground websites, Komarov said, but “it is also possible to rent it [for] $2,000,” plus an additional 20 per cent of the material theft.

The device's creator is suspected of having “Russian-speaking roots”, Komarov said, referencing a Sberbank card that was used in a vendor video to demonstrate the modified VeriFone device. Sberbank is the largest bank in Russia and Eastern Europe.

“Tampered devices are well-known since 2007,” Komarov said, explaining that this type of campaign may be a game changer because $5,000 to $10,000 ATM skimmers are becoming increasingly hard to hide and POS malware is difficult to install due to a lack of vulnerable machines and the need for insider help.

Financial services corporation Visa offers tips to businesses on how to protect against tampering of POS devices, including conducting frequent investigations for simple abnormalities, such as missing screws, extra holes or excess wiring.

From a customer perspective, Komarov suggested people use an EMV card – which contains a microprocessor chip that prevents card information from being accessed by unauthorised parties – and said that cardholders should only use approved POS devices that contain a hologram.
