Criminals Hide Payment-Card Skimmers In Gas Pumps 332
tugfoigel writes "A wave of recent bank-card skimming incidents demonstrate how sophisticated the scam has become. Criminals hid bank card-skimming devices inside gas pumps — in at least one case, even completely replacing the front panel of a pump — in a recent wave of attacks that demonstrate a more sophisticated, insidious method of stealing money from unsuspecting victims filling up their gas tanks. Some 180 gas stations in Utah, from Salt Lake City to Provo, were reportedly found with these skimming devices sitting inside the gas pumps. The scam was first discovered when a California bank's fraud department discovered that multiple bank card victims reporting problems had all used the same gas pump at a 7-Eleven store in Utah."
Great (Score:3, Interesting)
I remember running into something like this a long time ago when I was in New York City. There was this small piece of metal in the card slot. Needless to say I didn't insert my debit card in to find out what it was.
How do I protect myself from a skimmer inside a gas pump?
Nothing New (Score:5, Interesting)
This got my credit card over a year ago in Saskatchewan, Canada. However, my card was skimmed at a do-it-yourself ticket-terminal at the local movie theatre.
It turned out it was a very large network of people who came together and organized the attack and paid people all over the country to do this and sent the info back to 'headquarters' in Ontario Canada.
They racked up over $600 in charges and it all appeared to have been used at Gas stations in Toronto / Missisaga in Ontario.
They put these things on any 'do-it-yourself' terminal they could find. This included pay-at-the-pump gas stations, ATM's, and any kiosk that could read a debit/credit card.
Luckily Mastercard covers things like this so it was much easier to report and reverse than a few friends of mine who had their debit cards skimmed. They had a much harder process to deal with.
The move to "Chip" cards ([url]http://en.wikipedia.org/wiki/Chip_card[/url]) are rapidly increasing these days. I know my local credit union is fully switched over, although maybe half of the retailers in town actually support them.
Re:Who is the victim? (Score:4, Interesting)
I, like you, felt that the bank's money was stolen, not ours. I put my money in the bank, and had not withdrawn it, so this was essentially a remote bank robbery in my opinion.
Where it gets interesting is this is EXACTLY how the bank treated it. They immediately refunded all money to the account, and then went after the fraud on the other end of the transaction.
Not sure if all banks treat you this way, but B of A did us right. (And they are usually listed as the most evil of providers, so I tend to think they are not unique).
I think identity theft was a real problem 10 years ago before it was understood, but now the banks realize it is not fraud by the victim in most cases and deal with it fairly.
Never use Debit (Score:3, Interesting)
Obviously you have to use debit at an ATM, but at gas stations i use credit, even with my debit card, because once they have your pin they can get cash out of your account and not just do a credit card charge. The crooks would much rather have the greenbacks than having to buy crap with your stolen card and fence it.
Re:Russian mob was doing this in the 1990's (Score:5, Interesting)
About 45 minutes after this happened, my CC company calls me to check on purchases that were made not five minutes ago at a "discount clothing store in the Bronx" (I live in Boston). Now, I am certain that this is the source of the theft, because prior to that, I had not used the card in several months.
My understanding is that the banks themselves don't absorb this loss because they pass it on to the merchant-- the merchant absorbs the loss. But I have to wonder whether banks (and credit card users) would be better (and cheaper) served by simply fixing these security problems now. Those fancy fraud-detection units can't be cheap. Our existing CC/ATM system is woefully anachronistic.
I briefly asked myself, if this guy, who was Hispanic, and given his choice of profession, probably poor, deserved some sympathy when it came to CC theft, and I quickly decided: no. There are many, many other people who are in exactly the same position, or worse, and they choose to do the right thing regardless. CC thieves are thieves. They don't point a gun at you, but the end result is the same thing.
hit twice... (Score:5, Interesting)
I've been the victim of skimming twice. I love paying at the pump but it's getting out of hand. Even with a credit card it's the inconvenience of filing a dispute, canceling the card, etc. This time they laundered the money by buying five $200 wal mart gift cards with a cloned card.
Here locally they say it's been the Fast Trip and AM PM stations that have been hit. The two with the lowest prices of course.
Re:Great (Score:4, Interesting)
Re:Russian mob was doing this in the 1990's (Score:4, Interesting)
Despite the fact that I ordered and paid for the pizza ahead of time, on the web, he told me that he "needed an imprint" of the card. Then he starts making the imprint with... his key? And then (and this is really where I kick myself), I take the original receipt and he goes, "Oh, nope, I need that one" and swaps with me. Of course, the carbon copy (which I am supposed to take but which he took) has the nicest key-imprint on it.
First of all, as somebody else already replied to, card imprints from pizza deliveries are the norm. It's not a scam, it's something they do.
About 45 minutes after this happened, my CC company calls me to check on purchases that were made not five minutes ago at a "discount clothing store in the Bronx" (I live in Boston). Now, I am certain that this is the source of the theft, because prior to that, I had not used the card in several months.
Then it can't possibly be the dude. 45-minutes is nowhere near enough time. You think if the pizza delivery guy is running a scam getting credit card imprints that he's just going to get ONE and then run off and start using it? And at a store? Do you think he just took your receipt and handed it over to the cashier when she told him how much the purchase was?
The actual imprinting scams involving scanning the magnetic strip, and making cards that people can use by actually scanning it at stores. I had my debit card skimmed (and so did a bunch of my friends, at the same time). The police eventually tracked it down to a waiter at a Ruby Tuesday restaurant. Apparently he would scan customers cards when he took our checks. It took months from the time he did so for the first purchases to occur, because the people doing the skimming are rarely the same people using the cards. They sell the information, other people make the cards, other people use them.
I briefly asked myself, if this guy, who was Hispanic, and given his choice of profession, probably poor, deserved some sympathy when it came to CC theft, and I quickly decided: no.
I'm going to assume you're not a racist moron, but I am wondering what the fuck him being Hispanic has anything at all with either being a thief or with a reason why a thief would deserve sympathy. Why did you even bother mentioning that factoid?
The pumps are the problem (Score:1, Interesting)
I've been following this since first I heard about it a week or two ago. My first thought was that it HAD to be an inside job for someone to be able to access the pumps since they are locked with keys. Then I ran across this article that says there are basically one or two key configurations for all pumps across the country:
http://www.ksl.com/index.php?nid=148&sid=9782411
Re:Russian mob was doing this in the 1990's (Score:4, Interesting)
>>Where do you think most of the pilfered credit card numbers really come from?
I had a friend (and no, it really was a friend, not me) that was involved in a ring of guys that did that sort of stuff out of Northridge. They'd take lists of CC numbers, pair them with PINs, reprogram some new cards using mag card writers, and then go to some place around 11:30, pull out all the money they could, wait for midnight to flip around, pull out all the money they could, split the money amongst them all, and bailed.
They'd use card readers and compromised clerks to get the CC numbers, and shoulder surfing (I imagine) to get the PINs. They'd move from gas station to gas station randomly in the LA area.
Now you know, and knowing is half the battle.
Re:How to solve this for good (Score:3, Interesting)
The problem with chip-and-pin is that the implementation is broken because it relies on the security of the card reader. My method does not rely on the security of the card reader and is not vulnerable to hacked card readers (wasnt there a recent story on here about chip-and-pin being broken?)
Designed right, its possible to even protect the account number so that only the smart card and the bank can see it (and since you never present enough of the mag strip to the mag strip reader, it cant read data from there)
Re:Russian mob was doing this in the 1990's (Score:3, Interesting)
I'm still amazing that people don't cover the num-pad when in shops. There are CCTV cameras everywhere.
Good move (Score:3, Interesting)
You nearly got carded.
http://en.wikipedia.org/wiki/Lebanese_loop [wikipedia.org]
How can you protect yourself? It's not easy anymore. You now see that a compromised machine doesn't necessarily have semi-obvious modifications you can see from outside. I think people will have to start using temporary credit cards with low limits more often.
I don't know if it was intentional but this seems to have been predicted in Batman of the Future - the characters carry around a large number of "creds" and each one seems to have a limited value. They also used portable devices to trade them - totally possible these days with short-range RFID and readers which could be built into smartphones.
They don't seem to have any authentication (and are sometimes traded like cash). A system like this could work - instead of mints printing money, they'd recycle "creds" which you can then get from the bank and assign to your account. I mean we're already using fiat currencies anyways.
Or maybe I'm getting ahead of myself - if the credit card system were to be overhauled, it would be easier to give the credit card some computational power rather than being basically a glorified barcode sticker (which you can now copy at range, thanks to RFID-enabled credit cards). Put some buttons and a screen (or a touchscreen) right on the credit card and have the card itself initiate an SSL (or similar) connection to the server, using the ATM only to act as a network access point (using some kind of very short range wireless or optical networking) and propose a transaction to the card (send $18.99 to SHIRTCO (Seller verified!) for T-SHIRT, Accept/Deny?). A MITM wouldn't be possible with no way to intercept keypresses or any legible network traffic. With the card running from a ROM, and with no way to access any onboard storage, data couldn't be stolen from there either. Carding someone in a system like this would have to start by physically stealing the card, and with the possibility of deactivating its account on the server side you'd also have to kidnap the owner.