A Russian-speaking man casually shows on camera how he can download a punter's bank-card details and PIN from a special card reader.
In a video demonstrating a tampered sales terminal, a card is swiped through the handheld device and a PIN entered - just as any customer would in a restaurant or shop. Later, after a series of key-presses, the data is transferred to a laptop via a serial cable.
Account numbers and other sensitive information appear on the computer screen, ready to be exploited. And the data can be texted to a phone, if a SIM card is fitted to the handheld.
The footage, apparently shown on an underworld bazaar, is used to flog the compromised but otherwise working kit for $3,000 apiece - or a mere $2,000 if you're willing to share 20 per cent of the ill-gotten gains with the sellers under a form of hired-purchase agreement.
The gang selling this device offers a money-laundering service to drain victims' bank accounts for newbie fraudsters: a network of corrupt merchants are given the harvested card data and extract the money typically by buying fake goods and then cashing out refunds. The loot eventually works its way back to the owner of the hacked card reader.
The modified Verifone VX670 point-of-sale terminal, shown below, retains in memory data hoovered from tracks 1 and 2 of the magnetic stripe on the back of swiped bank cards, as well as the PIN entered on the keypad - enough information to ATM withdrawal.
The setup suggests the sellers are based in Russia. In the video, a credit card from Sberbank, the country's largest bank and the third largest in Europe, is used to demonstrate the modified terminal's capabilities.
If a SIM card for a GSM mobile phone network is fitted to the doctored device, the information can be sent by SMS rather than transferred over a serial cable. The bundling of money-stealing support services, allowing fraud to be carried out more easily, is a new development in the digital underground.
Some Ukrainian groups sells this modified model of POS terminals and provides services for illegal cash-outs of dumped PINs through their own 'grey' merchants: it seems they buy fake stuff, and then cash-out the money. It takes less than three hours.
The emergence of hacked card readers is due to banks improving their security against criminals' card-skimming hardware hidden in cash machines and similar scams. Planting data-swiping malware in POS handhelds out in the field is possible, but it is fairly tricky to find vulnerable terminals and infiltrate them reliably without being caught.
It's a touch easier to buy a tampered device and get it installed in a shop or restaurant with the help of staff or bosses on the take. This creates a huge potential market for money mules.
Banking giant Visa has issued several alerts about this kind of fraud along with occasional warnings about device vulnerabilities - such as this warning [PDF] from 2009. And social-engineering tricks [PDF] in which fraudsters pose as Visa employees carrying out adjustments to terminals - while actually compromising them - has been going on for years.
One alert [PDF] from Visa, dating from 2010, explains how carders worked in the past and the steps merchants can take to defend against the fraud: anti-tampering advice from this year can be found here [PDF], an extract of which is below:
Worldwide gungs are illegally accessing active POS terminals and modifying them by inserting an undetectable electronic “bug” that captures cardholder data and PINs during normal transaction processing.
The impact of this type of business can be significant to all key parties involved in card acceptance. An attack can not only undermine the integrity of the payment system, but diminish consumer trust in a merchant’s business. In response to this emerging threat, acquirers, merchants and their processors need to proactively secure their POS terminals and make them less vulnerable to tampering.
A more recent advisory on combating this type of fraud, issued earlier this year by Visa, can be found here [PDF].
A copy of the web video is embedded below.
Tampering with card readers has been going on for years, since banks are investing more in securing cashpoints, penetrating point-of-sale terminals can be an easier way to make money for carders.
The worldwide gangs will go after anything they can, but it can be easier to find dishonest merchants to cooperate in running tampered terminals [to skimm DUMP + PIN bank details] than going after ATMs, this kind of business was rife in South America, particularly in countries such as Brazil.
The Russian-speaking carders behind the black-market sale of hacked sales terminals are targeting the international market as well as carders in the motherland. The example showen for Sberbank on video was just because it also used against banks of other Russian-speaking countries well.