Bluetooth Overlay Skimmers Planted in American Retail Chain

Last updated February 16, 2021
Written by:
Bill Toulas
Infosec Writer

There’s a new skimming operation taking place in the United States, as an undisclosed retail store chain has reportedly discovered Bluetooth-enabled overlay skimmers on some of its terminals. The images of the skimmers and the details around them come from an employee of the targeted business, who has shared them with investigative journalist Brian Krebs. However, there’s no official announcement from any company at the moment, and neither is there a “fresh” pack of cards promoted online yet.

The skimmers interfered with the terminal’s ability to read chip-based cards, forcing a swiping action. This is what gave their presence away, as the problem was otherwise inexplicable. The overlay includes a PIN pad, which is used to intercept the precious codes, a magnetic stripe reader, a chip blocking component, and a cell phone battery used to power up the data exfiltration electronics. As Krebs points out, these devices can be installed on virtually any card payment processing terminal quickly and without raising any alarms.

Source: Krebs on Security

According to the tipster, the overlays stayed in the retail stores and carried on their malicious operations for several weeks before they got noticed. We don’t know how many of them were discovered by the victimized retail store chain or whether this was isolated to a single store.

However, the fact that the tipster uses the plural for everything isn’t a good sign. Also, this could be either an external or an internal job, but we have no way to tell.


Not having any information about which brand was compromised, we can only give general advice on what to look out for and how to protect yourself from dangers of this kind. The best way would be to pay with cash and never risk your debit or credit card details.

We understand that during COVID-19 times, people are looking to avoid touching money bills, etc., but the number pads are oftentimes equally risky anyway. If you have to use the card, dipping the chip is obviously more secure than swiping the card, as it’s harder for the hackers to get their hands on your card data from the chip.

Finally, you should regularly monitor your bank account statements and scrutinize even small transactions that you don’t recognize. Finding out that you have been compromised early enough can save you from many hassles, like having your checking account emptied of cash by someone who used a cloned card with the stolen data from your magnetic stripe.


