Swedish police are unraveling a scheme where criminals stole credit card details by tampering with a point-of-sale (POS) terminals at a Toys R Us store in Malmö.
One terminal was found to be equipped with a bogus keyboard overlay that could record PINs (personal identification numbers) as well as details on the card's magnetic stripe, said Detective Chief Inspector Harald Runge.
The case is similar to one revealed earlier this year affecting several U.K. retailers, where point-of-sale devices were hacked to record debit and credit card details for use in frauds. It also demonstrates the increasing technical knowledge cybercriminals have gained in order to perpetuate card fraud.
It's the second time police have discovered a tampered POS terminal at Toys R Us, Runge said. Three months ago, two compromised terminals were found, rigged with Bluetooth transmitters to send card details, he said.
In that case, at least 500 to 600 cards were compromised. The case came to light after people reported fraudulent withdrawals on their cards, Runge said. The withdrawals were made in Romania, a country known as a haven for cybercriminals
"We know that usually those people who do these crimes in Sweden are usually from Romania," Runge said.
With the help of Swedish banks, it was determined the cards had all been used at Toys R Us, Runge said. Swedish police are now carrying a technical investigation into how the POS terminals were compromised, he said. In Romania, the authorities have photos of people who were making the fraudulent withdrawals, he said.
The Swedish card numbers and details recorded at Toys R Us may already be showing up on illegal Web sites where card details are sold, said Frank Engelsman, a fraud expert with Ultrascan Advanced Global Investigations, a company based in Netherlands. Runge said people who shopped at Toys R Us should ask their bank to issue them new cards.
It appears cybercriminals are already trying to sell those details. Four hundred Swedish card numbers have turned up in one of the underground cybercriminal databases that is located in Russia, Engelsman said. The card details sell for US$1 to US$6, he said.
Engelsman said Ultrascan has seen a sharp uptick in the number of credit card details that are being tested. In order to sell a credit card record, the buyer often wants to ensure the card number is valid and hasn't been canceled. To do that, cybercriminals will charge a very small amount to an organization such as political campaign, Engelsman said.
The charge can be as little as $0.26. Cybercriminals will tend to vary the amounts, since banks will often cancel cards if their anti-fraud systems notice, for example, 1,000 cards all being charged for $0.13, Engelsman said.
Lately, "we've never seen so much testing before," Engelsman said. "After testing, they are going to use them [the cards]."
Tampering with the point-of-sale terminals is getting increasingly sophisticated. Engelsman said he's heard of teams of professional "burglars" who carefully break into a store at night and install equipment to record card details. They leave without a trace.
Terminals are also being rigged to record credit card details at certain peak shopping times when the most details can be captured for the least battery power. For example, a POS device would only record details from 1 p.m. to 3 p.m., Engelsman said.
The devices can also be programmed to only record, for example, American Express cards rather than Visa or MasterCard, Engelsman said. That's because some fraudsters, such as ones in North Africa, prefer American Express since the cards are more widely accepted in the area, he said.
In some instances, the card details are transmitted via a wireless mobile chip installed in the POS device, Engelsman said. In other cases, the terminals have a short-range Bluetooth capability. A fraudster can come back into the store to transfer the captured data to another Bluetooth-enabled device.