Matt Krebs recently posted another entry to his detailed and entertaining catalog of skimming devices, available at Krebs on Security. The device in question was found inside the credit card terminals of a yet-to-be-named U.S. retailer, and is presently being evaluated by Trustwave SpiderLabs. By itself, this is not particularly newsworthy, since there have been many similar cases involving devices attached to PIN pads at retailers like Barnes and Noble, as well as skimmers on or inside gas pumps and ATMs. So what makes this one interesting? The engineering and installation are worth a closer look:
- The stolen data is encrypted using AES before being stored/transmitted
- Card numbers and PINs can be retrieved via Bluetooth and, optionally, via cellular
- The microprocessor was secured against tampering (lock bit set)
- The PCB appears to have been produced professionally
- Delicate soldering work was required to attach the device inside the credit card terminal
There is [very reasonable] speculation that the skimming devices were installed either early in the card terminal supply chain, prior to installation, or that the terminals were swapped out at some point with modified versions. Given the complexity of the connections, it is highly unlikely that the devices could have been modified on-site, even by a dishonest service technician.
The quality of these devices is increasingly impressive, and it seems plausible that future versions will be integrated into replacement system boards or peripherals, making their identification even more difficult.
Here are some photos of the Bluetooth skimming module: