more on skimming in australia – now an official epidemic

It turns out that a large percentage of recent fraud is being traced back to a single type of PIN pad: the Ingenico PX328. Here’s a piccy for you all…


It probably looks very familiar – that’s because its been around for a LONG time and lots of retailers use it. Last year there was a $5 million breach involving 20 or more McDonald’s in Western Australia. You can read about it here. That was in October, and if you were paying attention you’d have noticed that McDonalds now have bike chains on all there PIN pads.

What is happening out these in fraud-land is the bad guys have methods to “trojan” these devices and turn them into skimmers. This particular model is currently being targeted around Australia, which means that simple and effective trojan method exists in the fraud community (i.e. it’s easy to do and undetectable), and that there are a number of these devices are floating around in the black market.

The typical way fraudsters install these deives is for them to walk into a retailer, walk straight up the the cashier and say “Hi, I’m Joe Blogs from the bank, we’ve found a fault with your PIN pad and need to replace it”. The cashier says yes, the trojan’d device gets installed, and card number collection starts.

The trojan’d PIN pad, particularly for this model, will continue to work as normal, so it can stay there until it gets discovered (usually as a result of bank investiagations on the merchant once enough people have been compromised to join the dots together and figure out where it happened).The bad guys are now at the point where they are holding up retailers just so they can steal the PIN pad.

Here’s what you can do to avoid getting stung by hand held PIN pads:

1. Don’t use your card with this model of PIN pad. It seems obvious, but it’s not. The bad guys obviously have developed a reliable and simple method for stealing data from these things, so the best bet is just to not use them. (It’s a bit like using Internet Explorer as a web browser – the bad guys are good at finding new ways to hack it. The solution: Don’t use it.)

2. Don’t use your card when the hand held isn’t chained to the desk of the base station. This applies for all hand held PIN pads, not just the PX328. If you see a PIN pad that doesn’t have a chain, have a quick look and see for yourself just how easy it is to steal the things. It’s a bit scary.

3. Sign, not PIN. I’ve said this before, if you are using a credit card then sign, don’t use your PIN.

4. Switch to cash, even just for a little while. I know it sucks, and it probably encourages you to spend more, but if you can discipline yourself go back to using cash while the current spate of fraud settles down.

5. Reward good behavior. I noticed recently that a Coles cashier checked my credit card to make sure that it was actually embossed. An unembossed card is a sure sign that it is fraudulent. I respect and admire the initative that Coles have taken to train their employees to do this to reduce fraud. I will shop their more now because of that.

6. Discourage bad behavior. Think about it – all this could have been prevented if the PIN pads were chained down. The banks could mandate that, and supply a chain with the PIN pad. Yes, there is a cost involved, but what about the cost of fraud? What about those who go personally bankrupt because they are $10,000 in the hole for 6 weeks while the bank does its investigations? If someone you shop with is not doing what they should to minimize the risk to their customers, they are putting profit before people and treating you poorly. Vote with your feet.

7. Silo your cash. I can’t stress this one enough. The best approach to fraud and skimming is to just assume that it will happen to you at some point. So get yourself a low limit card, and/or a bank account that you only put money in when you are about to spend it.

8. Enable daily spend limits on your bank accounts and credit cards. Same as above, just assume that you will get hit at some point and work think in terms of minimizing the impact that would have on you.

9. Sell everything, give it to the poor or your local church, move to Pennsylvania and completely shun technology and money… (HINT: I’m being sarcastic here… although it would work.) One of my favorite sayings is “The best way to secure a computer is to unplug it.” The same goes for this stuff… The lifestyle we enjoy carries with it an inherent risk – so the focus should be on minimizing that risk. Obviously completely disconnecting is not possible, or even reasonable for most people. Even switching back to cash is risky…

The important thing is to make sure that you minimize your risk – ask yourself “If I got scammed out of $YOUR-CREDIT-LIMIT, how bad would it be? What can I do to change this?”

I’m very interested to hear from people who’ve been skimmed recently, please share your story via the Comments section below.

Best of luck out there!