“I must warn you that after reading this article and watching the video below you’ll probably never use a credit card reader or ATM again without first pulling on the keypad,” Matthew Humphries reports for PC Magazine. “And it’s not actually a bad idea to do so because of how stealthy skimmers have become.”
“As Krebs on Security reports, the latest way your card details can be stolen is through the use of ‘overlay skimmers,'” Humphries reports. “They take the form of a keypad that hides the card detail-capturing components behind a plastic casing. The keypads are then stuck over the top of either ATM keypads or the the card readers now typically found in checkout lanes.”
“Police in Lower Pottsgrove, PA are currently searching for a couple of men who have been installing these overlay skimmers on checkout lane card readers in Aldi supermarkets,” Humphries reports. “As the video below shows, installation simply requires a few seconds of interaction with the reader.”
Read more in the full article here.
MacDailyNews Take: Yet another reason why smart customers use their Apple Watches and/or iPhones to pay with Apple Pay, not by swiping a credit card.
We have a register system at the snack bar that takes Apple Pay, and I used it with my Apple Watch today for the first time. It took my breath away. Devin Prater Assistive Technology Instructor
, Microsoft Outlook, Excel, Word, and Powerpoint instructor certified by World Services for the Blind
>
Applepay on Applewatch is an absolute delight.
How o wish all supermarkets honored it plus gas pumps…
Around me most smaller establishments and mom and pop honor it… …id say 70% of my transactions ate on the Apple watch,:)
Apple pay with a debit card still requires you to use a PIN. That means typing it on a keypad. Plus, unfortunately, Apple pay still isn’t everywhere. Stubborn merchants.
Not everywhere. That depends upon the merchant and the bank they use.
IKEA and Sprouts ask for a PIN and nobody else I know does.
This sound fishy to me, I have never had to do that. My only problem with Apple Pay is it is treated like a tap card and only has a $100 Limit. Apple is doing the transaction with the retailer using a token and I don’t have a PIN with Apple to enter.
The pin to me provides an extra layer of security, they cannot steal a card they cannot intercept, the phone or watch NFC transaction is encrypted, and then you quickly type a pin, even if someone saw it, they’d have to steal your card to use it, and if your not carrying it because its behind touch ID or a locked Apple Watch once it leaves your wrist..
If more places would just get Apple Pay working, it would make things more secure and impossible for skimmers..
So don’t use your debit card. Seriously why on earth would anyone use a debit card to pay for things? Only if your credit is so awful you don’t qualify for a credit card. Or if you can’t be responsible to pay your credit card off every month because you spend beyond your means.
There are actually people with great credit and actual money in the bank that don’t want to rack up a credit card on some transactions and use a debit card, what a concept.
NOT … IF … The Payment System is setup “PROPERLY”. iCall for “THE MERCHANTS” to be held ACCOUNTABLE for STUPID IT DUFUSSOOSS>>>> piss, poor, performance of MICROSUCK IT JUNKK!
Ok rant done. LOVE Apple Pay @ Lucky’s. Apple Watch & Roll. No sig…. No….. pin…. No…. sign…….Just give me my goods & iAm on my way ….. No worries…. Get with the PROGRAM PEOPLE.
Don’t patronize businesses you don’t like. Use cash. What’s so effing difficult about that? Effing whiners.
Requiring users to enter a PIN with a debit card is nothing to do with Apple Pay. It’s a step insisted upon by either your retailer or bank.
I’ve been using Apple Pay in the UK for a few years now and my default card is a debit card. I’ve never ever been asked to enter a PIN when using it in Europe and I use it multiple times every day.
One of the annoyances with Apple Pay in the UK has been the £30 transaction limit imposed by banks and retailers. It was was the same limit as set for contactless payments using the same type of terminal. That limit is now starting to disappear and Apple Pay transactions in many shops can finally be of any value and of course still without needing a PIN.
Well Apple insists on having the public figure it out for themselves through the usual Apple Osmosis. Learn about it benefits, get the device, phone, learning curve, and even know it exists. You know they’d never run commercials to introduce the tech to the masses, and we know they never do anything enterprise, (oh you usually pay a business) so its a miracle anyone knows about this, or cares, dont assume the public does because you do. Awareness fail. Sorry, but it just is.
Even using Apple Pay with a Debt card may require a pen, the real account number is no involved in the transaction…
I use Apple Pay instead of my debit card whenever I can. It does always require me to enter my PIN except at places where the transaction is run as a credit card and not a debit card.
I use Apple Pay on my Apple watch every morning at the local coffee place. It is quick, effective, secure and never requires a PIN
This is what I hear everywhere about Apple Pay…
“It is not very secure”, said one idiot at a checkout in HomeSense.
“We don’t use it because you can’t leave tips”, said one idiot waiter at Red Robbin.
Infuriating and wrong. And why does it have a $100 limit????
A advertising campaign is needed to dispel these untruths…Timmy!!!
I have never encountered the $100 limit (yet). I’ve been using it for over two years. Some merchants require a signature on the PoS terminal (exactly who is the bright genius who thought up that? How is my signing that terminal going to ensure I am not somehow fooling my touchID sensor…??!! Because, everyone can fake the fingerprint, but signature is a 100% foolproof security measure, right…??!).
ApplePay works smoothly and reliably every time (except when it is very cold, my skin is very dry, and touchID can’t detect my fingerprint; happens very rarely). If we can train the next generation of kids to use it, then it may catch on. As it is, I can’t see how Apple intends to increase its adoption rates.
In Europe, the chip and pin approach is standard. Customers never give their card to a vendor. Instead, for any transaction, the customer will put the card in the reader and enter the pin.
Why in the States a pin is not required I cannot fathom. This would help reduce fraud significantly and would not create many issues for customers.
Ré the video evidence…can’t see it. Just shows checking out some goods. wtf?
Take a closer look towards the end. The dancing thief, presumably waiting to pay for a large purchase that the cashier is diligently ringing up, is discretely pulling his device out of his pocket and sliding it over the mag-stripe reader.
Or, you know, use a card with a chip instead of swiping it.
What’s this about a $100 limit? I’ve never run into that at all. I use it for groceries and it’s always >$100. No issues at all. Yes, some places want a PIN and that is annoying. For example, Sprouts as mentioned previously. Walgreens does not. It’s not an ApplePay thing, it’s a merchant choice or at the card issuer level.
The security researcher who’s been on top of this phenomenon is Brian Krebs. He started coverage of Russian & Ukrainian card skimmer gangs back in 2010. He made trips down to Mexico to document its genesis in North America. This search results page will get you started reading his trailblazing work. Be sure to click “Older Entries” at the bottom of the page(s) for even more:
https://krebsonsecurity.com/?s=ATM&x=0&y=0
And no, you won’t want to use an ATM again, even INSIDE a bank (despite them being the safest). The skippers available for purchase are now plentiful, for every sort of ATM. They’ve become thin and light such that it can be very difficult to tell they’ve been overlaid upon the real ATM hardware without bringing your own crowbar to verify there’s no overlay. Thankfully, some overlay skimmers simply use adhesive to stay in place. So it’s worth finger prying at the ATM interface to see if it comes off in your hand.
Oh and yes, MODERN (not first generation) chipped cards won’t spill the goods without feedback from a verification source. I don’t yet know of any skimmers that have become so sophisticated that they’ll reproduce the required bureaucratic process.
Will we see card users scraping off the mag-stripe still existing on vast numbers of cards? Could be! But sadly, now years after the mandate that mag-stripes come to an end, plenty of biznizziz still require the use of mag-stripes. PLEASE tell such companies to catch-the-hell-up with modern security! They’re putting their customers in blatant danger, and not just from card skimmers.