Six men may have been involved in the installation of cash register skimmers at a Nordstrom store in Florida, according to a report from Brian Krebs.
According to a police alert on October 5, the store was first visited by three men whose actions were captured by CCTV cameras. Two of the men, it is said, distracted sales staff whilst the third took photos of the outside of a register before removing the back panel whereupon he took more pictures.
A few hours later another three-man team entered the store and, once again, two of them gained the attention of sales staff. During this time, the third man opened up the back of the register and installed a keylogging device.
The Aventura Police Department said that Nordstrom discovered a total of six devices attached to its registers. They were connected in series between the keyboard and the computer and likely had 4MB or more of on-board storage to record data.
Krebs highlights how cheap skimming devices are, with standard versions being widely available and costing from just $40. Such devices may be hard for untrained staff to spot too – they look like a standard PS/2 keyboard connector, even down to the fact that they are purple in colour, which is seen as a standard for this type of pre-USB keyboard connector.
Krebs quotes a memo from the Aventura Police Department:
"The connector was made to match the connections on the back of the register to include color match. Therefore, no one would have detected it unless there was a problem with the register."
Nordstrom spokesperson Kara Darrow said:
"We did find some unauthorized devices on some of our cash registers. It's not anything broader at this point.
"As soon as we figured out this was happening, we had forensics experts looking at the situation, but it's still very early in our investigation."
At this time it is unknown if the men ever returned to the store in order to retrieve the keyloggers and Nordstrom are unaware of any arrests being made.
Krebs pointed out that, while the devices look like they are designed to log keystrokes from an attached keyboard, they could also be used to steal credit card information.
This is because many retailers employ cash registers that connect directly to the computer’s keyboard or use readers that are themselves PS/2 based.
The Aventura Police Department memo did note this possible next step and motive:
"The subjects then return at a later date to recover the devices and create fake credit cards for fraud."
That, of course, supposes they need to return to the store at all – the same Google search that turns up the $40 standard skimmer also shows that it is surprisingly easy to source another model, which comes with 2GB of storage as well as the ability to connect to a wireless network.
For just $139, the alleged credit card thieves could have parked nearby and acquired all the data they wanted over the airwaves.
Aaaccckkk!!! Cash register data connections are publicly accessible? If it's true for Nordstrom, one wonders how many other stores have a similar affliction.
The data hijacking reported here sounds like an epidemic waiting to happen. Every store manager on the planet should read this article…and do something about it.
Very good point Nigel.
Looks like all stores will have to work on this and somehow figure out how to make the POS registers a sealed device requiring special tools to open it up (or at least make it more difficult for the perps, errr, thieves to do much).
The number of stores with this kind of situation, it must be massive…
Hmm it appears like your site ate my first comment (it was super long) so I guess I’ll just sum it up what I had written and say, I’m thoroughly enjoying your blog. I as well am an aspiring blog writer but I’m still new to everything. Do you have any points for newbie blog writers? I’d really appreciate it.
This flaw in device connectivity isn’t even covered by PCI compliance. It’s all preventable if the credit card device head encrypts the data after the swipe and the data travels encrypted to the processor. The POS system knows the sales total and ONLY needs an authorization code if the sale clears. The POS system should never see the card data.