How do skimming devices installed on POS terminals work, and how do they transmit data?

Student

Skimming devices installed on POS terminals are sophisticated tools used by criminals to steal bank card data. For educational purposes, I will examine their design, operating principles, data transmission methods, and the vulnerabilities they exploit in detail. I will also describe how users and organizations can protect themselves from such threats. This answer will be as informative as possible to provide a comprehensive understanding of skimming technology.

1. What is skimming and how does it work on POS terminals?

Skimming is a method of stealing bank card data in which criminals use special devices to intercept information from a card's magnetic stripe or chip while it's being used at a POS (Point of Sale) terminal. POS terminals are devices used to process payments in stores, restaurants, gas stations, and other locations. Skimmers are installed in a way that doesn't interfere with the normal operation of the terminal, making them undetectable to users and staff.

Skimmers work as follows:
  1. The card is inserted or swiped through the terminal, where the skimmer reads the data.
  2. The device either stores the data for later retrieval or transmits it to the attacker in real time.
  3. The obtained data is used to create duplicate cards, conduct online transactions, or sell them on the black market.

2. Design of skimmers for POS terminals

POS terminal skimmers are compact devices designed for maximum stealth. Their design depends on the card type (magnetic stripe or chip) and data transfer method. Key components include:

2.1. Body and camouflage

  • Card reader overlay: A skimmer is often a plastic or metal overlay that fits over the card slot. It is precision-manufactured to match the terminal's design (e.g., Verifone, Ingenico). 3D printers are used for camouflage, allowing the creation of overlays that are indistinguishable from the original terminal parts.
  • Slim profile: Modern skimmers are only a few millimetres thick, making them virtually invisible.
  • Mounting: Devices are mounted using double-sided tape, magnets or snaps for quick installation and removal.

2.2. Reading device

  • For magnetic stripes: Most skimmers are designed to read data from the magnetic stripe (Track 1 and Track 2). The magnetic stripe contains:
    • Track 1: Card number, owner's name, expiration date, service code.
    • Track 2: Card number, expiration date, and encrypted authentication data. Reading is performed using a miniature magnetic head embedded in the overlay.
  • For chip cards (EMV): Chip skimmers are more complex, as data is transmitted via a contact interface and is encrypted. These devices can:
    • Intercept data through man-in-the-middle attacks, inserting themselves between the chip and the terminal.
    • Use a "shimming" technique—installing a thin film inside the card slot that reads data from the chip. Shimmers are much thinner than traditional skimmers and are more difficult to detect.
  • Keypads or cameras: For cards that require a PIN, skimmers may include:
    • Keyboard Overlay: A thin membrane that records keystrokes.
    • Micro cameras: Installed near the terminal (for example, disguised as a decorative element) to record the PIN code entry.

2.3. Electronic components

  • Microcontroller: A small processor (such as one based on AVR or ARM chips) processes the read data, converts it into digital format, and controls the transmission.
  • Memory: Flash memory (usually 8 MB to several GB) is used for data storage. Some skimmers can store data on thousands of transactions.
  • Communication modules:
    • Bluetooth: For transmitting data to a device within a range of 10-100 meters.
    • Wi-Fi: For connecting to local networks and transferring data to the server.
    • GSM/GPRS: For sending data via mobile network (SMS or Internet).
    • NFC: For transmission to devices in close proximity.
  • Power supply:
    • Battery: Lithium-ion or lithium-polymer batteries provide battery life ranging from days to months.
    • Parasitic power supply: Some skimmers are connected to the terminal's power supply, which makes them even more compact and durable.

2.4. Software

  • Skimmers contain firmware that controls the collection, encryption, and transmission of data.
  • To protect against detection, data may be encrypted (for example, using AES algorithms).
  • Some devices have remote control capabilities, allowing attackers to turn the skimmer on/off or change settings.

3. How do skimmers transmit data?

Skimmers use several methods to transmit stolen data, depending on their design and the attackers' goals.

3.1. Physical Extraction

  • Process: The data is saved to the skimmer's built-in memory. The attacker returns to the terminal, removes the device, and connects it to a computer via USB or microSD to extract the data.
  • Advantages:
    • Minimal risk of detection as the device does not transmit signals.
    • Simple design, which reduces the cost of the skimmer.
  • Flaws:
    • Requires repeated physical access, which increases the risk to an attacker.
    • The limited memory capacity may become full if the terminal is actively used.

3.2. Wireless Transmission

  • Bluetooth:
    • The skimmer is equipped with a Bluetooth module that transmits data to the attacker's device (for example, a smartphone or laptop) within range.
    • An attacker could be nearby (for example, in a car near a store) and collect data in real time.
    • To disguise itself, Bluetooth connections can use random device names or passwords.
  • Wi-Fi:
    • The skimmer connects to a local Wi-Fi network (if available) or creates its own access point.
    • Data is sent to a remote server via encrypted channels (e.g. HTTPS or VPN).
    • This method allows you to collect data from anywhere in the world as long as the skimmer is connected to the internet.
  • GSM/GPRS:
    • SIM card skimmers send data via the mobile network.
    • This could be an SMS with encoded data or transmission via mobile Internet to a server.
    • GSM skimmers are especially popular in remote areas where there is no Wi-Fi.
  • NFC:
    • Rarely used due to limited range (up to 10 cm).
    • Suitable for situations where an attacker can get close to the terminal to extract data.

3.3. Data encryption and protection

  • To prevent data interception, skimmers can encrypt information before transmission (for example, using AES-256).
  • Attackers use secure channels such as Tor or private servers to hide their activity.
  • Some skimmers have a self-destruct function that will erase data if someone tries to open the device.

4. Vulnerabilities exploited by skimmers

Skimmers exploit the following weaknesses in POS terminals and payment systems:
  1. Physical accessibility: POS terminals are often located in public places, making it easy for criminals to install a skimmer undetected.
  2. Outdated technology: Magnetic stripes have no encryption, making them an easy target.
  3. Lack of monitoring: Many retail outlets do not check terminals for foreign devices.
  4. Difficulty of detection: Modern skimmers are so small that they are difficult to detect without special equipment.
  5. Human factor: Staff and customers rarely pay attention to minor changes in the terminal design.

5. Skimming protection

To protect against skimmers, users, merchants, and banks can take the following steps:

5.1. For Users

  • Terminal inspection: Check the card slot and keypad for any suspicious overlays. Skimmers may protrude slightly or be different in color or material.
  • Using EMV cards: Chip cards are more difficult to skim because the data is encrypted and one-time tokens are generated.
  • Contactless payments: Use NFC (Apple Pay, Google Pay), which do not require physical contact with the terminal.
  • Transaction Monitoring: Check your bank statements regularly and set up transaction alerts.
  • Closing a card if you suspect something: If the terminal looks suspicious, contact your bank immediately.

5.2. For retail outlets

  • Regular Checks: Conduct daily inspections of terminals for foreign devices.
  • Anti-skimming sensors: Install terminals with sensors that detect unauthorized devices.
  • Access Restriction: Keep terminals in locations inaccessible to unauthorized persons.
  • Upgrade your hardware: Use terminals that only support EMV and NFC, eliminating magnetic stripes.
  • Staff Training: Train employees to recognize skimmers and suspicious behavior.

5.3. For banks and payment systems

  • Data Encryption: Strengthening encryption standards for chip cards and transactions.
  • Transaction Monitoring: Using AI to detect anomalies that indicate skimming.
  • Anti-skimming technologies: Implementation of devices that create electromagnetic interference for skimmers.

6. Case Studies

  • Skimmers in restaurants: Fraudsters often replace terminals in restaurants where waiters steal customers' cards for payment. In such cases, a skimmer may be built into the counterfeit terminal.
  • EMV Shimmers: In 2023, shimmers installed inside chip card slots were discovered in the US. They intercepted data despite encryption, exploiting vulnerabilities in some older terminals.
  • Wireless skimmers: There have been cases in Europe where skimmers with GSM modules have sent data to countries outside the region, making it difficult to track.

7. Conclusion

POS skimmers are high-tech devices that combine mechanical camouflage, electronics, and data transfer methods to steal information from bank cards. They exploit the physical accessibility of terminals and the vulnerabilities of magnetic stripes, and in some cases, chip cards. Data transfer can occur both physically and wirelessly (Bluetooth, Wi-Fi, GSM), making skimmers versatile and difficult to detect.

Protecting against skimming requires a combination of vigilance, modern technologies (EMV, NFC), and regular monitoring. Users should be alert to suspicious terminals, and merchants should implement anti-skimming measures. Understanding how skimmers work helps better protect against this threat.

If you have any additional questions, such as specific protection technologies or attack examples, please let me know, and I'll discuss them in more detail!
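
One concrete form of the transaction monitoring listed in section 5.3 is common-point-of-purchase analysis: given cards later reported for fraud, find the terminal where those cards are over-represented compared with the overall fraud rate. This is an added example, not part of the original post; the card tokens, terminal ids, thresholds and function name are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: (card_token, terminal_id) pairs for card-present
# transactions in the look-back window. Tokens are opaque ids, not card numbers.
TRANSACTIONS = (
    [(c, "T-GAS-07") for c in ("c01", "c02", "c03", "c04", "c05")]
    + [(c, "T-GROC-02") for c in ("c01", "c02", "c03", "c06", "c07", "c08", "c09", "c10")]
    + [(c, "T-CAFE-11") for c in ("c04", "c06")]
)
# Constructed set of cards whose holders later reported fraud.
FRAUD_REPORTED = {"c01", "c02", "c03", "c04"}


def common_points_of_purchase(transactions, fraud_cards, min_fraud_cards=3, min_lift=1.5):
    """Return (terminal, fraud_cards_seen, cards_seen, lift) for terminals where
    fraud-reported cards are over-represented, strongest signal first.

    lift = (fraud share among the terminal's distinct cards) / (overall fraud share).
    A busy terminal sees many fraud cards by chance, so the raw count alone is
    not enough; both thresholds (assumed values) must be met.
    """
    cards_at = defaultdict(set)
    all_cards = set()
    for card, terminal in transactions:
        cards_at[terminal].add(card)
        all_cards.add(card)
    if not all_cards:
        return []
    # Fraud cards that never appear in the window carry no location signal.
    base_rate = len(fraud_cards & all_cards) / len(all_cards)
    if base_rate == 0:
        return []
    findings = []
    for terminal, cards in cards_at.items():
        hits = len(cards & fraud_cards)
        lift = (hits / len(cards)) / base_rate
        if hits >= min_fraud_cards and lift >= min_lift:
            findings.append((terminal, hits, len(cards), round(lift, 2)))
    return sorted(findings, key=lambda f: (-f[3], -f[1]))


if __name__ == "__main__":
    for terminal, hits, seen, lift in common_points_of_purchase(TRANSACTIONS, FRAUD_REPORTED):
        print(f"inspect {terminal}: {hits}/{seen} cards later reported fraud (lift {lift})")
```

In the sample data the grocery terminal saw three fraud-reported cards but is not flagged, because three out of eight is below the overall rate; only the terminal with four out of five is returned for physical inspection.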