Skimmer gangs are reportedly targeting POS terminals across the United States.
Indeed, Michaels Stores was recently forced to replace more than 7,200 credit card terminals nationwide after confirming thieves had modded or replaced machines to grab customer payment card data and PINs.
Although the specific device used to siphon the data has not been made public, security analyst Brian Krebs notes many components and services are routinely sold on the "criminal underground" to facilitate such fraud.
"I spoke at length to a POS skimmer seller who has been peddling POS modification devices on an exclusive underground fraud forum for more than a year," explained Krebs.
"From the feedback left on his profile it is clear he had many satisfied customers. Buyers specify the make and model of the POS equipment they want to compromise - [and] this guy specializes in hacking VeriFone devices, but he also advertises kits for devices manufactured by POS makers Ingenico, Xyrun, TechTrex."
So, how do the POS devices work?
Well, the above-mentioned seller offers a DIY kit that includes a PIN pad skimmer and two small circuit boards. One is a programmable board with software designed to interact with the real card reader and store stolen data, while the other is a Bluetooth-enabled board that allows thieves to wirelessly download stolen card info from hacked devices using a laptop or smartphone.
As you can see, the PIN pad skimmer is an ultra-thin membrane that is inserted underneath the original silicon PIN pad.
Once installed, it records every button pressed with a date and time stamp. The compromised data is subsequently exploited to create counterfeit cards which can be used in combination with the victim's PIN to withdraw cash from ATMs.
This particular skimmer model weighs in at $3,000, although customers who purchase 10 or more kits are offered a reduced price of $2,000 per unit.