These are obviously attractive to crooked employees, who could install them when nobody is watching and then remove them if a manager drifts into the area. Or, thieves posing as customers can install them while their partners distract the salespeople.
Chester Wisniewski, senior security adviser at Sophos, said thanks to technology like 3D printers, skimmers like this are well within the reach of the common criminal. "The parts aren't much more complicated than a cassette tape read head and an Arduino computer board," he said.
So, while retail managers should check POS devices regularly and monitor them with security cameras, Wisniewski said shoppers can check the POS device themselves. "Aside from giving it a good once over before inserting your card, we recommend giving it a wiggle," he said. "The part of the machine that accepts your card should not move or look like it has been bolted on."
But skimmers don't always have to be on the device itself. Robert Siciliano, CEO of IDTheftSecurity, said some of them are body worn or hand-held. A crooked employee, with access to hundreds of credit card transactions every day, "can easily double swipe card data on hand held or body worn skimmers fast enough that cameras, fellow employees or the customer would never notice," he said.
The only good news about most skimmers is that there are limits to the damage they can do. "They often are simplistic, and can only get credit-card numbers and not the CSC, CVD or CVN numbers on the back of the card to verify the transactions," said Chris Strand, security compliance practice manager at Bit9.
"Unless the exploit is using camera technology to record both the card swipe and the back of the card, which is often more physically detectable, these common skims limit the use of the stolen data to transactions where the card verification or security code is not needed," he said, noting that requiring the CSC or CVD code within transactions especially online is becoming commonplace.
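To make concrete what a swipe skimmer does and does not capture, here is an added example (not code from the article or from any of the experts quoted in it). It parses an ISO/IEC 7813 track 2 record, the format a magstripe read head returns, and decodes the three-digit service code. The sample record is constructed around the well-known test PAN 4111111111111111; the regular expression and the service-code tables are this example's own reading of the published ISO 7813 layout. The parsed fields are the PAN, expiry and service code plus issuer discretionary data; there is no field for the CVV2/CSC printed on the back of the card, which is exactly why the captured data is only useful where that code is not checked.

```python
# Added example: parse an ISO/IEC 7813 track 2 magstripe record of the kind a
# swipe skimmer captures. Not code from the article or the people it quotes.
import re
from dataclasses import dataclass

# Track 2: start sentinel ';', PAN (up to 19 digits), separator '=', expiry YYMM,
# 3-digit service code, issuer discretionary data, end sentinel '?'.
# Sentinels are optional here because some readers strip them before output.
TRACK2_RE = re.compile(
    r"^;?(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??$"
)

# Constructed sample record (test PAN, expiry Dec 2027, service code 101).
SAMPLE_TRACK2 = ";4111111111111111=27121011000012345678?"

# Service-code tables as documented for ISO 7813 (assumed correct here).
INTERCHANGE = {
    "1": "international interchange",
    "2": "international interchange, chip (IC) preferred",
    "5": "national interchange only",
    "6": "national interchange only, chip (IC) preferred",
    "7": "no interchange (private/closed loop)",
    "9": "test card",
}
AUTHORIZATION = {
    "0": "normal authorization",
    "2": "contact issuer online",
    "4": "contact issuer online except under bilateral agreement",
}
SERVICES = {
    "0": "no restrictions, PIN required",
    "1": "no restrictions",
    "2": "goods and services only (no cash)",
    "3": "ATM only, PIN required",
    "4": "cash only",
    "5": "goods and services only, PIN required",
    "6": "no restrictions, use PIN where feasible",
    "7": "goods and services only, use PIN where feasible",
}


@dataclass
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str
    discretionary: str  # may hold issuer data such as PVV/CVV1, never the printed CVV2


def luhn_ok(pan: str) -> bool:
    """Standard Luhn mod-10 check, used to reject garbage reads."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> Track2:
    m = TRACK2_RE.match(raw.strip())
    if not m:
        raise ValueError("not a track 2 record")
    t = Track2(m["pan"], m["exp"], m["svc"], m["disc"])
    if not luhn_ok(t.pan):
        raise ValueError("PAN fails Luhn check: probably a bad read")
    return t


def describe_service_code(svc: str) -> dict:
    """Decode what the issuer allows for this card, e.g. whether a chip is present."""
    if len(svc) != 3 or not svc.isdigit():
        raise ValueError("service code must be three digits")
    return {
        "interchange": INTERCHANGE.get(svc[0], "reserved"),
        "authorization": AUTHORIZATION.get(svc[1], "reserved"),
        "services": SERVICES.get(svc[2], "reserved"),
        "chip_present": svc[0] in "26",
        "pin_required": svc[2] in "035",
    }


if __name__ == "__main__":
    t = parse_track2(SAMPLE_TRACK2)
    print(t)
    print(describe_service_code(t.service_code))
```

Run it and the output shows the PAN, expiry and service code a skimmer recovers, plus the decoded service code: a first digit of 2 or 6 means the card carries an EMV chip, which is why skimmed magstripe data is typically cashed out through channels that still accept swipe or that do not check the CVV2.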
Besides skimmers, experts say the other major physical threat is from cameras. "All it takes to log someone's keystrokes is a strategically placed web/security/spy camera," Wisniewski said. "And a smartphone can be easily reconfigured into a rogue access point for supposedly free Wi-Fi. It doesn't always require specialized equipment."
How can retailers and customers detect and defeat threats like these? A good way to start is with the same kind of healthy suspicion that should apply to unsolicited emails. "You are not being paranoid, they are out to get you," Wisniewski said.
A big piece of that should fall to retail management, Siciliano said. "Managers, coworkers and customers must be trained on the risks posed by skimming in general," he said. "Daily checks of existing hardware and close monitoring of employees are essential."