
Friday, February 13, 2009



Hi Andy,
Nice article, with great insight. Just a quick one: in the example above, where transaction 2720192 raises suspicion, would this be the skimmer device showing up in the programData field in the fraud case described above? In other words, would the skimmer device register as the new, rogue device in that database entry?

Hi Marcus -

Great question.

What the article doesn't make entirely clear is that there was a PIN Pad device swap involved. The most probable scenario is that there were three separate events that transpired here:

In event #1, the defendants walked away with a PIN Pad from the store (they probably took it from an unattended lane) or had the inside person procure it. They then outfitted this device with the skimmer.

In event #2, PIN Pads were swapped - a clean device removed and the skimmer-enabled device put in place.

In event #3, the swap was reversed - the skimmer-enabled device removed & original device put back in place.

You only have to do event #1 one time, then repeat 2 & 3.

Another prosaic but effective preventative measure: screw down the PIN pad on the counter.

I've added my comments to Marcus back into the body of the main post so the full story is clearly told.

The comments to this entry are closed.
