Police in Lower Pottsgrove, Pennsylvania have spotted a group of thieves who are placing completely camouflaged skimmers on top of credit card terminals in Aldi stores. The skimmers, which the gang placed in plain sight of surveillance video cameras, look exactly like the original credit card terminals but would store debit card numbers and PINs of unsuspecting shoppers.
"While Aldi payment terminals in the United States are capable of accepting more secure chip-based card transactions," writes security researcher Brian Krebs. "The company has yet to enable chip payments (although it does accept mobile contactless payment methods such as Apple Pay and Google Pay). This is important because these overlay skimmers are designed to steal card data stored on the magnetic stripe when customers swipe their cards."
Interestingly, commenters reported that many Aldi stores support chipped EMV credit cards but that they would often tape over the slots and ask users to swipe instead.
"The Aldi stores near me got chip readers early last year with Apple Pay and everything enabled. After ~5 months they taped over the card insertion slot and now require customers to swipe again," wrote one commenter. "I asked one of the managers and he said corporate required them to switch back because 'swipes are faster.'"
I love these stories primarily because point of sale terminals are widely unguarded and offer the best of security theatre - you think you're safe because they look like the egg sacs of some armored beast but, with a quick addition of a skimmer, you create something that is deeply unsafe. That this skimmer ended up at a town of just 12,000 souls is particularly poignant.