Modified point-of-sale devices that can siphon off card details via a 3G connection are being sold cheaply in underground markets.
Researchers at Group-IB told The Register that the VeriFone VX670 had been modified to silently steal credentials.
VeriFone's popular line of wireless point-of-sale machines has been sold for more than a decade.
Group-IB CTO Andrey Komarov told SC the modded devices could send data through GPRS (general packet radio service), Bluetooth, or Wi-Fi.
He said the devices were popular because they could store a lot of information, read track one and track two card magnetic stripe data, detect PIN codes, and alter what is printed on a receipt.
“It is hard to detect on the bank side,” he said. “[The banks] need to analyse the possible location of the fraud. It is hard because you need to analyse the merchants where the card was used and interview the victim.”
At that point the crook would have likely recovered the device, Komarov added.
Komarov said he first heard of the devices being used in Moscow restaurants where $30,000 was being taken every month. Since then he has seen them pop up across the globe in retail locations and hotels.
“The key area is resort locations,” Komarov said, pointing to Asian countries, such as Thailand, where he said card security is not as high a priority.
The modified VeriFone device can be purchased for $3000 on various underground websites, Komarov said, but it could be rented for $2000 plus an additional 20 percent of the material theft.
The device's creator is suspected of having “Russian-speaking roots,” Komarov said, referencing a Sberbank card that was used in a vendor video to demonstrate the modified VeriFone device. Sberbank is the largest bank in Russia and Eastern Europe.
“Tampered devices are well-known since 2007,” Komarov said, explaining this type of campaign may be a game changer because $5000 to $10,000 ATM skimmers are becoming increasingly hard to hide and POS malware is difficult to install due to a lack of vulnerable machines and the need for insider help.
Financial services corporation Visa offers tips to businesses on how to protect against tampering of POS devices, including conducting frequent investigations for simple abnormalities, such as missing screws, extra holes or excess wiring.
Komarov suggested customers use an EMV card – which contains a microprocessor chip that prevents card information from being accessed by unauthorised parties – and said that cardholders should only use approved POS devices that contain a hologram.
A video of the hacked POS terminal from an underground forum, via El Reg.