Another excellent blog piece by Brian Krebs concerns a custom-made hardware skimmer module installed in Point Of Sale card-readers at an unnamed major US retailer.
The neat little module skims the card data and captures the PIN number from the PIN pad, encrypts them, and transmits them to the criminals either via Bluetooth or over the cellphone networks.
Those behind the scam evidently had the resources to get the module designed, manufactured, programmed and installed in card-readers, and presumably captured the stolen information using Bluetooth in or near the stores concerned in this case. They would also have needed the wherewithal to use the stolen information to drain their victims' bank accounts and launder the proceeds.
Commercial card-readers employ various anti-tamper and tamper-evident controls to prevent this kind of modification going unnoticed, but unless these (a) work as intended, and (b) are actually checked regularly, the criminals have a window of opportunity in which to more than recover their investment.
It's interesting that, in this case, the criminals also used strong encryption (AES), in other words they too are concerned about information security. Presumably they were careful not to leave any incriminating forensic evidence in the modified readers, and it's not clear from the blog how they were able to replace the original card-readers with the modified devices without being spotted on CCTV and without triggering silent alarms on the POS networks.