Security Alert: Ingenico iSC250 Skimmers Found, Inspect POI Devices

P2PE vs E2EE

PCIBlog.org will occasionally send its subscribers Security Alerts regarding PCI SSC and payments industry critical updates via email.  

Sophisticated overlay skimmers have been found at Walmart on Ingenico iSC250 devices.  The new skimmers are extremely difficult to detect, as they are a full device overlay.  An image of the these new advanced overlay skimmers can be found below:

ingenico device credit card skimmer walmart

Image: Hold Security.

The below is the actual device with the skimmer enclosure attached.  Can you tell the difference?

ingenico device credit card skimmer walmart 2

Image: Hold Security.

The skimmers can be installed quickly by simply snapping on to the existing Ingenico device.  The process only takes a few seconds and can be installed with ease.  The skimmers will read credit card magnetic stripe track data and store it within a module inside of the skimmer.  The skimmers cannot read EMV cards, but do have an EMV slot to allow for EMV transactions to occur, as to not arouse suspicion.  To date, only 60% of US merchants have implemented EMV-ready devices, so criminals still have a significant market for stealing data from MSR transactions.  The PIN pad also records input, and will log a users PIN when a PIN is required (e.g. debit).

The footage below discusses the incident in detail, and demonstrates how quickly criminals can install these new skimmers, which cost only $200-300 per unit.

The sophisticated skimmers will likely spread, and merchants should perform regular inspections of their Point-of-Interaction (POI) payment terminals.  For PCI Validated P2PE merchants, the P2PE Instruction Manual (PIM) provided to you by your solution provider will guide you on the required frequency of POI devices.  That being said, we strongly suggest that merchants perform weekly inspections of their POI devices, even if their PIM guideline shave a less stringent standard.  If POI device inspections are not part of your current standard operating procedures, you should implement them as soon as possible.

Additional detail on the Ingenico payment terminal skimmers can be found here: http://krebsonsecurity.com/2016/05/skimmers-found-at-walmart-a-closer-look/

 

About PCI Blog 870 Articles
PCI Blog is the most trusted PCI Compliance and IT Security blog on the web. Authored by industry experts within the payments and IT security industries, PCI Blog provides insight on the complex world behind modern compliance and security standards. As a wholly independent source of news within the payments industry, PCI Blog focuses on the ever-changing responsibilities of merchants who accept credit cards. PCI Blog also provides reviews on PCI compliance tools and enterprise security solutions to offer a fair, independent critique of product offerings within the payments industry.

1 Comment

2 Trackbacks / Pingbacks

  1. Ingenico iSC250 Skimmers Found at Walmart, Inspect POI Devices | MakTechBlog
  2. EMV Skimmers Already Being Sold Online – PCI Blog

Leave a Reply