Scammers bug Nordstrom registers with $40 devices to skim card data

A group of men boldly entered a Florida Nordstrom store and planted skimming devices on the retailer's registers, according to a security journo who publicized the scheme.

On Thursday, Brian Krebs detailed how six men allegedly carried out the con. On Saturday, part of the group distracted Nordstrom staff, while others worked to plant the devices over the course of several hours.

A team of three entered first with the mission to scope the premises, taking photos of the register and removing its back panel. Then, a few hours later, a separate group of three installed a keylogging device.

According to Krebs, who obtained an alert on the incident from police in Aventura, Fla., the suspects were caught on Nordstrom surveillance cameras tampering with store registers.

The keyloggers used by the fraudsters can be easily obtained online for about $40, he revealed. Nordstrom discovered that six devices had been planted.

“These hardware keyloggers are essentially PS2 connectors that are about an inch in length,” Krebs wrote. “The tiny data storage devices are usually purple in color to match the color-coded standard for keyboards, and are made to be inserted between the male end of a PS2 keyboard connector and the female receptor on a computer.”

He later added that while the color and shape of the devices indicated they were designed to interface with keyboards, that detail didn't mean that scammers “can't steal data from a credit card reader” with the devices.

“Many cash registers at retailers have PS2-based card readers, or connect the reader directly to the computer's keyboard,” Krebs explained.

In a Friday email, Brooke White, a Nordstrom spokeswoman, confirmed that devices were planted on its registers.

“We can confirm that we found and removed unauthorized devices on a small number of cash registers at our Nordstrom Aventura, Florida store,” she wrote. “We take this situation seriously and have been working closely with law enforcement and forensic experts to investigate this and understand any impact on our customers.”

Chris Hague, managing consultant on the SpiderLabs research team at Trustwave, a Chicago-based firm that provides anti-cyber crime solutions, said on Friday that criminals have become more brazen over the years, sometimes opting to physically compromise businesses to overcome other implemented security measures.

“Retail merchants over the years have put in tremendous security to protect their devices from compromise,” Hague said. “So the next step [for criminals] is physical compromise. The one thing about skimmers themselves, which makes it really difficult for organizations to detect, is they really have no electronic component coded in – it's just a pass through where the data stream will [run] through the device to get recorded.”

Skimming cases occur most frequently on ATMs, Hague explained, where fraudsters can simply place a transparent overlay, usually inconspicuous to users, on top of PIN pad devices.

In a different recent scam, con artists entered target establishments to carry out fraud. Crooks in London, who posed as IT engineers, allegedly waltzed right into Barclays and Santander bank locations to fit computers with keyboard video mouse (KVM) devices. The devices were meant to give them access to multiple computers in the organization's network – to monitor accounts, move money or do any manner of malicious feats.

London police were able to thwart the cyber heist on Santander, but Barclays reported a £1.3 million loss in April, equivalent to around $2 million, as a result of the incident.