
Criminals Hide Payment-Card Skimmers In Gas Pumps

tugfoigel writes "A wave of recent bank-card skimming incidents demonstrates how sophisticated the scam has become. Criminals hid bank card-skimming devices inside gas pumps — in at least one case, even completely replacing the front panel of a pump — in a recent wave of attacks that demonstrate a more sophisticated, insidious method of stealing money from unsuspecting victims filling up their gas tanks. Some 180 gas stations in Utah, from Salt Lake City to Provo, were reportedly found with these skimming devices sitting inside the gas pumps. The scam was first discovered when a California bank's fraud department discovered that multiple bank card victims reporting problems had all used the same gas pump at a 7-Eleven store in Utah."
  • Re:Great (Score:5, Informative)

    by YrWrstNtmr ( 564987 ) on Tuesday February 23, 2010 @08:43PM (#31253464)
    How do I protect myself from a skimmer inside a gas pump?

    Pay cash inside.
  • Re:This isn't new (Score:5, Informative)

    by Jah-Wren Ryel ( 80510 ) on Tuesday February 23, 2010 @08:52PM (#31253576)

    I remember at least 10 years ago at an Arco station had a sticker on the machine that said don't enter in your card if the reader looks weird. I have also seen that warning on swipe ATMs.

    The new part is that the reader does NOT look weird.
    It looks physically identical to the standard reader.
    Didja even read the summary?

  • Re:Great (Score:5, Informative)

    by maxume ( 22995 ) on Tuesday February 23, 2010 @09:14PM (#31253828)

    You seem confused. The skimmer is entirely parallel to the regular reader, it does not affect the operation of the pump.

    There will be no observable difference in the transaction.

    The most secure remedy is cash.

  • Re:Never use Debit (Score:4, Informative)

    by Mad Merlin ( 837387 ) on Tuesday February 23, 2010 @09:35PM (#31254048) Homepage

    The bank is also far more likely to go to bat for you over a fraudulent credit card charge than a fraudulent debit card transaction. The reason, of course, is that in the former case, it's the bank's money on the line (until you pay them), but in the latter case, it's your money on the line.

  • by John Hasler ( 414242 ) on Tuesday February 23, 2010 @09:36PM (#31254054) Homepage

    No. He expects the station owner to run it as a charity.

  • Re:Great (Score:1, Informative)

    by Anonymous Coward on Tuesday February 23, 2010 @10:12PM (#31254352)

    Not all of us work at the same place every day. I move between hospitals on a daily basis and my drive can be anywhere from 4 miles to 50 miles according to where I'm needed. Such is the life of medicine.

    Don't lump everyone into a nice little package.

  • Re:Never use Debit (Score:4, Informative)

    by TubeSteak ( 669689 ) on Tuesday February 23, 2010 @11:29PM (#31255022) Journal

    The bank is also far more likely to go to bat for you over a fraudulent credit card charge than a fraudulent debit card transaction. The reason, of course, is that in the former case, it's the bank's money on the line (until you pay them), but in the latter case, it's your money on the line.

    Actually... the bank is most likely to go to bat for you over credit card charges because the consumer protections on credit cards are vastly stronger than the protections on debit cards.

    I've never used a debit card for just that reason. You have a problem with your credit card and it's just the one card that might get frozen. You have a problem with your debit card and your bank account might get locked down, which usually leads to a cascading array of problems for most people.

  • Re:This isn't new (Score:3, Informative)

    by Stoutlimb ( 143245 ) on Tuesday February 23, 2010 @11:49PM (#31255176)

    I'm a gas pump mechanic, and I'm shocked it's not way more prevalent. A handful of keys anyone can buy from a petroleum maintenance supply store without any questions, will open every gas pump on the continent. And most employees at gas stations don't watch their videos continuously, some don't even have video surveillance. The parts inside are easy to swap, as they are very similar to the way a PC is set up, with ribbon cables, USB, etc. I found myself staring at the card reading gear and being amazed at how simple the gear really is, and how easy to swap.

    Heck, the security is so poor on most pumps, that I could just crack a panel open a little, and with just a small pair of pliers and 15 seconds, make the pump give me a major discount on gas.

    Gas pumps are almost entirely built on security by obscurity. I've only ever seen a handful of gas stations in my travels that have any kind of security system in place to detect if the panels have been opened.

    That being said, I don't sweat about being ripped off at the pump, and I just go about my life worrying about much more important things.

  • by Anonymous Coward on Wednesday February 24, 2010 @12:04AM (#31255310)

    At the end of the day, I would rather have my credit card swiped and have the bank cover any fraud charges than carry around a wad of cash. The single most dangerous activity you will do regularly is withdraw cash from an ATM that is slightly hidden or in a dark area. I swipe my card safe in the knowledge that my bank will cover any fraud.

    Yes, I've had my debit card used fraudulently for about $700 and the bank reversed the charges immediately. I was out the money for about 30 minutes beyond the time I first discovered.

    I also use the service from my bank that texts me when I use my card. I know two people who were able to stop a fraud transaction within minutes of it actually happening by seeing the alerts.

  • Re:Great (Score:4, Informative)

    by dwillden ( 521345 ) on Wednesday February 24, 2010 @01:12AM (#31255738) Homepage
    Good analysis. The skimmers in question were built by someone who knows their way around these pumps. They evidently replaced the entire panel. The device would read the card data, and record the typed in PIN. It then held the data until the paired Bluetooth receiver came in range and then would dump its data.

    No need to sit in proximity to the compromised pump. I haven't seen anything on the storage capacity but I dare say whoever was doing this just downloaded when they filled their tank up, or when they'd stop by for morning coffee.

    The way they were able to make the switch is all pumps nationwide are made by only two manufacturers, and those manufacturers each have A key design to open their pumps. Two keys can open every modern gas pump in the country.

    All the perps needed to do was get access to one machine of the model used at the targeted 7-11. Rewire the front panel from that one. Make the swap and rewire the swapped out panel for the next pump they want to wire.

    Contrary to TFA, most reports are that only one or two stations were found to be compromised, but given time that number could have quickly grown.

    Up above I linked to an article about a Gas chain that heard of this potential scam, identified the weakness in the key system and re-keyed all their pumps with each store having a unique key pattern for its pumps. Not perfect, but makes the inside part of such an inside job have to be an employee of the store the pump is located at.
  • by syousef ( 465911 ) on Wednesday February 24, 2010 @01:23AM (#31255798) Journal

    If you use a PGP key, you don't need a 2nd copy of the secret key at the bank, just the matching public key.

  • by jimicus ( 737525 ) on Wednesday February 24, 2010 @06:02AM (#31257248)

    Wow, what an amazing and original idea. You should sell it to Mastercard - you'd make a fortune.

    Oh, wait... [wikipedia.org]

  • by Anonymous Coward on Wednesday February 24, 2010 @09:19AM (#31258290)

    The Chip and PIN implementation is broken largely because it is very complicated. Between your idea being accepted as a good idea and being implemented by the world's card issuers, it too would become very complicated, and thus likely broken.

    The mistake made for Chip and PIN (a conscious decision which was erroneous) was not to allow third parties to audit the complex system before it went public. This makes no sense, because all it did was increase their costs (they will now have to replace parts of the system to fix known holes, instead of re-designing it while it was still on the drawing board).

    But your system isn't actually any better than Chip and PIN, except that since it's described so briefly you can claim it isn't "broken" because you haven't offered anything to break.

    In terms of design class vulnerabilities, it has all the same problems as Chip and PIN. Most notably for offline transactions it's vulnerable to the "yes card" attack, and for online transactions it is in fact vulnerable to "bad proxy" hacked card readers -- the bad guys hack the reader so that it is authorising a payment they're doing in a jewellers nearby. You "pay for gas" enter the right PIN, things seem OK, but actually you bought thousands of dollars of easily fenced jewellery.

    This stuff is hard, which is why Chip & PIN should have taken 2-3 extra years with independent experts from the crypto community finding problems and figuring out solutions. But it can be rescued, so long as governments or courts ensure banks suck down the cost of fraud due to failures of Chip & PIN there will be an incentive to fix things.

  • by Jah-Wren Ryel ( 80510 ) on Wednesday February 24, 2010 @11:57AM (#31260138)

    Yeah, the Fed pronounced that mandatory overdraft covers was verboten and that it had to be opt-in, but it isn't 100% - it doesn't apply to things like checks or scheduled payments and the change doesn't go into effect until July.

  • by Xibby ( 232218 ) <zibby+slashdot@ringworld.org> on Wednesday February 24, 2010 @06:00PM (#31265326) Homepage Journal

    Problem with a new solution is dealing with all the legacy hardware out there for processing transactions. Retailers have to buy new readers that would support both old and new cards, or buy new readers and keep the old ones in service. Retailers' profits are hurt.

    Card Issuers could force the change over by only processing transactions with the new cards, but if retailers push back and do not install new readers the Card Issuers' profits take a hit.

    Consumers would have to update as well. Some people just won't do it. Example: Old ladies who have an old card without a mag stripe and no expiration date in their deceased 25 years ago husband's name. Card issuers and retailers can either lose out on the transaction or make the sale.

    A bit of a stalemate all around really until the cost of dealing with the fraud exceeds the cost of updating the hardware.
