Since it's only implied how it works and there seems to be some confusion in the comments. It seems like the technique is to simply create a very form-fitting insert which won't fit properly if some device is overlaid onto the machine. The insert is not left in the device, but is just used for a quick in-and-out check.
> Since it's only implied how it works and there seems to be some confusion in the comments.
Seems like a lot of TLDR; :)
The article says exactly how it works.
> The usage is very simple: Insert the tool into the payment terminal’s chip card slot. If it can insert fully, the terminal is safe. If it gets stopped, there might be a skimmer!
This is only a small part of Target's loss prevention operation. Target is known for being both aggressive and sneaky about loss prevention. They use cameras and face recognition extensively, and they have an in-house forensic lab that can process fingerprints. Sometimes they will let a shoplifter get away with stealing for a while, until the total passes the felony threshold. Then they have them arrested. Sometimes followed, because they want to know where the stolen goods are going and catch the fence.[1]
If they find a skimmer, they will probably go back over the video until they find who put it there. Former Target security guard: "All cameras are functional and can look in any direction. Many are 4K and can zoom."
All this shape-based stuff makes me think of antigen/antibody immune-system analogies.
The skimmer binds to the payment slot, some payment slots change shape to prevent skimmer binding, and now the tester-block binds to check that nothing is already bound...
Could payment terminals be made with built-in physical countermeasures for detection? Ideas:
(1) Terminal has a scale built into its feet/mount. It periodically weighs itself, and if (ignoring fluctuations) it weighs too much, it shuts down. It's hard to build a skimmer that weighs 0 grams.
(2) Proximity sensors in key locations on the housing. My smartphone can disable its touchscreen when I hold it against my face, so a payment terminal should be able to detect when something is covering a part that isn't supposed to be covered.
(3) Light sensors. Put some in an area where skimmers need to cover (near card slot) and others where skimmers probably can't cover (the display), and detect whether they get roughly the same amount of light.
(4) Microphones. Same idea as light sensors but with sound.
Skimming is pretty much a solved problem in Europe already. We got rid of the mag stripe, so trivially cloning a card is no longer possible. Furthermore we don't allow offline transactions, so a skimmer must somehow get in between the connection from the terminal to the card and execute a separate transaction right before or after the genuine one.
It is still not 100% impossible, but the "overlay" type of skimmer this protects against has been eliminated for a few years now.
Of course they can be made that way. The countermeasure built into gambling equipment like slot machines is incredible.
But then it would cost more than their competitors. With much more maintenance for false positives, etc. And the vendor doesn't really pay the price for skimmer fraud.
Alternatively they could just remove the slot and require self-pay terminals to be contactless. It really makes no sense to me why merchants don't already do this proactively; they are well incentivized:
1) Contactless merchant fees are lower than dip or swipe
2) Payment terminals are cheaper
3) Less fraud/shrink
This hunk of plastic from Target is a solution looking for a problem.
Why not publicly distribute the design? Because skimmer-makers might adapt? It seems trivial to acquire one (getting a job at Target or spoofing a corp email account isn't a high barrier).
I would expect that the corporations will be asked to sign an indemnity agreement before they get the design. Target doesn't want to be held liable in case a skimmer is built that defeats this detection and the recipient needs to understand there are no guarantees.
It's nice that someone got this through the default corporate deny policies.
It is, however, added friction, and that's 90% of the security game. Every additional layer helps. (And a corp email account adds a paper trail, at the very least)
How do these skimmers work with chip&pin? I understand how magstripe skimmers work, but my understanding is that chip&pin is an active challenge response protocol. I’d love to hear more.
Even with EMV transactions, they are apparently able to get the card # which is transmitted in clear text by the chip. And the PIN from the keyboard overlay for debit transactions. Later they can clone the card # onto a fake mag stripe card and use the fake card for card-present purchases.
They probably cannot make card-not-present (online) purchases since I don't think they can get the CVV.
> In addition to the track-two data on the magnetic stripe, EMV cards generally have identical data encoded on the chip, which is read as part of the normal EMV transaction process. If an EMV reader is compromised to the extent that the conversation between the card and the terminal is intercepted, then the attacker may be able to recover both the track-two data and the PIN, allowing construction of a magnetic stripe card, which, while not usable in a Chip and PIN terminal, can be used, for example, in terminal devices that permit fallback to magstripe processing for foreign customers without chip cards, and defective cards.
The US still has a heavy reliance on magstripe, even though we rolled out EMV, and many cards still have it, and you can just take a stripe dump regardless.
The actual user of the stolen card dump will cause the terminal to allow a magstripe fallback (typically with a bad chip on a fake card that won't read) -- "aw jeez my stupid chip isn't reading" is still very much a valid excuse to a cashier to go to magstripe.
We wouldn't even need to worry about this dumb stuff if we had actual cryptographic PKI for payments. Honestly at some point fraud is 100% the card issuer's fault when the tech to prevent it is here and now.
Why I still can't register a public key with my bank and say "do not under any circumstance honor a transaction unless it's signed with my private key" is beyond me.
What you are describing is essentially EMV, except that your bank has gone to the trouble of picking your private key and embedding it in a card you carry around and insert into payment terminals.
Guys, I appreciate the comment about EMV, I’m aware but it misses the point. They need to be _my_ keys, and ones _I_ can pick and verify. If you don’t generate the key, it’s not actually secure.
At minimum, EMV would need to be verifiable. Ideally rotatable. Best case: chooseable.
> Why I still can't register a public key with my bank and say "do not under any circumstance honor a transaction unless it's signed with my private key" is beyond me.
This is an interesting and simple physical measurement device to determine if the credit card slot is in a different orientation than expected. It uses the keypad as a reference location.
I think the most obvious circumvention would be for the criminal enterprise to focus on altering the length of the verification devices, since an EasySweep does not appear to have a formal method to verify its own correctness. A shortened card tab on EasySweep would provide feedback that the terminal was ok since the keypad finger support presses against the terminal.
You read it wrong. It's not permanently attached. They stick a very precise 3D object in the chip slot, and if it doesn't fit, that means the slot isn't the exact same as how the reader was made from the manufacturer. So you get a cashier to do that at the start of their shift, and if anything is detected they call out a more trained repair man/security professional to figure out if there is a skimmer.
Yes, you did I'm afraid -- this is a tool which is used to check for skimmers, not a preventative measure which is permanently installed. It only blocks the chip slot when an employee is ensuring a skimmer isn't installed on a particular terminal.
The device is for detection. The employees just insert it into the slot once per day and check to make sure it goes in fully. Then it's immediately removed.
it allows any Target team member to easily sweep a store for skimmers
I'm unclear on how this is supposed to help - unless the skimmers are being installed by frickin ninjas it seems like they already needed insider cooperation.
If you make sure who is doing the skimming rotates so that there is a constant stream of new people checking it would be really hard to stop detection in a timely manner. It's also insanely fast to install a skimmer (like 2 seconds fast) so you don't necessarily need insider help. Until wireless skimmers with a decent range become available this tool could bring skimming down to effectively zero (and reduce it to just the customer who rang through the till before it was discovered when they are available). It's a pretty epic addition to the retail security landscape.
If the Target employee cannot see the skimmer detection tool, the terminal has been compromised. Most skimmers fit on top of the terminal which would obstruct sight of this tool/layer. There are videos online of these skimmers being "installed" and it takes about 1 to 2 seconds of work and it seems anyone can do it.
It’s the former more or less - https://youtu.be/Sljmr8m88P8. They could do it on a lane that isn’t open (read no attention) just before a rush hour and hope it gets chosen.
I feel like this would be particularly easy at self checkout stations where there's usually like 1 employee handling a dozen or so stations. You can also get someone else to go "accidentally" scan a pack of gum twice and hit the help button to have said employee come over and fix it. That would provide more than enough of a distraction to quickly place a skimmer on a different station.
thetwentyone|2 years ago
cdchn|2 years ago
jeremy_wiebe|2 years ago
Dah00n|2 years ago
Animats|2 years ago
[1] https://www.paypath.com/Small-Business/why-target-is-the-wor...
throwaway2037|2 years ago
Terr_|2 years ago
adrianmonk|2 years ago
crote|2 years ago
briffle|2 years ago
gorkish|2 years ago
starkparker|2 years ago
jerf|2 years ago
groby_b|2 years ago
kyleyeats|2 years ago
> Based on the success we saw with EasySweep, we decided to offer the design, for free, to other retailers.
noodlesUK|2 years ago
js2|2 years ago
https://krebsonsecurity.com/2021/02/checkout-skimmers-powere...
https://security.stackexchange.com/questions/151081/shimmers...
https://en.wikipedia.org/wiki/EMV#Opportunities_to_harvest_P...
kotaKat|2 years ago
CharlesW|2 years ago
My understanding is: They don’t. If you stick to contactless payments, you’re not at risk.
hiatus|2 years ago
[1]: https://github.com/sparkfunX/Skimmer_Scanner
whartung|2 years ago
They seem to have the sensor on the pumps, but they never work.
exabrial|2 years ago
throwaway42968|2 years ago
crote|2 years ago
exabrial|2 years ago
teddyh|2 years ago
thelastparadise|2 years ago
What you are describing is Bitcoin.
bredren|2 years ago
kotaKat|2 years ago
https://www.geminicomputersinc.com/kit177-005-01-a.html
adolph|2 years ago
mkmk|2 years ago
impressive.
gumby|2 years ago
nvaofdv3332|2 years ago
[deleted]
dangerboysteve|2 years ago
HWR_14|2 years ago
AYoung010|2 years ago
jaywalk|2 years ago
mrguyorama|2 years ago
al2o3cr|2 years ago
snapplebobapple|2 years ago
bastardoperator|2 years ago
tennisflyi|2 years ago
devrand|2 years ago
asadm|2 years ago