PCIBlog.org will occasionally send its subscribers Security Alerts regarding PCI SSC and payments industry critical updates via email.
With the heavy push for EMV migration in the U.S., many merchants understood EMV to be the “end all be all” of payments security. As we’ve discussed in several of our posts, specifically “P2PE, EMV, Tokenization, Oh My!” and “PCI Validated P2PE Explained,” EMV is only one piece of the payments security puzzle. The purpose of EMV is to prevent credit card fraud, not to protect sensitive data in transit through encryption or other means (that’s what P2PE/E2EE and tokenization are for!).
Unfortunately, criminals have already learned how to create sophisticated overlay skimmers for magnetic stripe devices, and now we’re learning that EMV skimmers are officially being sold on both the public internet and the dark web. A website for this “quick install” EMV skimmer is now live, encouraging fellow criminals to contact the author to purchase the new device. The seller claims the EMV skimmer collects track 1, 2 and 3 data, including the PIN for chip cards that use PIN as a cardholder verification method. Despite the author’s terrible grammar, he/she claims that this skimmer can fit within any Ingenico, Verifone or other POI device. With the claimed ability to store up to 5,000 credit card records in a single instance, this new skimmer technology highlights the importance of regular inspections of your payment terminals. According to the website, the device is purchased with bitcoin and costs $2500 USD.
They’re even so kind as to let you know what you’ll get in the package:
What you will get
x1 – EmvSkimmer FOIL
x1 – Special Smart Card to collect the data from the EmvSkimmer
x1 – Cable to Connect your Special Smart card to your Pc to download the data and Charge the Special Smart card Battery
x1 – Software to download the data From The Special Smart Card to your pc
x1 – Software to convert the data from Encryption format to Plain .Tx
…and some helpful instructions:
How is Working?
-1 Put a Little bit Super Glue in the 4 Corners on the Foil.
-2 Insert the EmvSkimmer in the pos
-3 The skimmer will automaticly start to collect data and store them in the same time the POS will act Normaly,the skimmer inside will be invisible.
-4 Insert the Special card in the Pos waith for 5 sec and all the data will be transfered to the Special smart card (once is done the data from the foil will be Deleted).
-5 Connect the Special Card to your PC with the cable.
-6 Open the Software and Transfer the data from the card to your pc.
-7 Open the Decryption Software and Copy the encrypted data and Paste inside the decryption software.
-8 The foil can be cut as your need
-9 The foil Can store max 5000 card