More Gas Station Credit-Card Skimmers 251
coondoggie notes a Network World piece on credit-card skimmers found installed in gas pumps, this time in Florida. Like the similar wave of attacks in Utah earlier this year, the latest crop uses Bluetooth to transmit the illicitly collected data. Does this mean an accomplice has to hang around within 3m of the pump? "The Secret Service has indicated there's a crime wave throughout the Southeast involving the gas-station pump card skimmers, and it may be traced back to a single gang that may be working out of Miami... St. Johns County in Florida has also been hit by the gas-pump card skimmers. [A local sheriff's department spokesman] says criminals wanting to hide the credit-card skimmers in gas pumps have to have a key to the pump, but in some cases a single key will serve to get into many gas pumps." Here's an insight from the banking industry on the skimming fraud.
Hiders Keepers? (Score:4, Informative)
Does this mean an accomplice has to hang around within 3m of the pump?
No. What it means is that there's no need for there to be a wire that leads to the skimmer's recording device... which now can be hidden in the next pump over. This also means the mag reader could be placed in the pump without a recording device, therefore requiring the pump to be taken apart for inspection, adding to the cleanup costs.
Remember, once a fraud becomes so expensive to clear up that the expenses are greater than the total loss, then it's almost allowed to continue unchecked.
Re:Hiders Keepers? (Score:5, Informative)
Re:Hiders Keepers? (Score:4, Insightful)
...and with the price of flash memory so low, it would be pretty easy to hide a little digital camera to snap photos of the person as they put the card in and/or stood in front of the machine. It would be easy to download those too and if they saw a few with the manager and a customer standing and pointing at the machine they would know that the gig was up and to just walk away.
I'm really thinking the cash idea is the way to go from now on. :-(
Dan
Re:Hiders Keepers? (Score:4, Informative)
I have a Belkin F8T012 USB Bluetooth dongle that works quite well at distances well over 100m. (The advertised maximum is 100m.) It wouldn't be hard to make yourself inconspicuous at that distance from the pump.
Re: (Score:3, Insightful)
Why? If I get mugged at (or on the way to) the gas station I lose my cash. If my card gets skimmed, I do not lose my money. If many people's cards get skimmed from the same place, I may not even have to dispute the transaction - the card company will just cancel the card, invalidate the transactions and issue me a new card.
From the article:
When a card is compromised, however, the card issuer has to reimburse the customer. If incidents o
Re: (Score:2, Insightful)
The recording device is in the pump. It records the card numbers internally. The thief then comes back and downloads the data off the skimmer with bluetooth (probably with a phone). Totally inconspicuous.
Re: (Score:2, Insightful)
Re:Hiders Keepers? (Score:4, Insightful)
Particularly with all the cellphones floating around, a BT radio, even one yelling its little amplifier out, is hardly automatically suspicious in a reasonably crowded area. Somebody who knew what they were doing, had the right set of antennas, and had some knowledge of what they were looking for(if, for instance, the skimmer-manufacturers produced a large batch, all with BT modules from the same manufacturer, or even with MACs in series, and some were captured by conventional physical inspection), could definitely hunt them down much more quickly, unless they are very short range units, or were using some stealth strategy like the above...
Re: (Score:2)
BT radios are common, but ones with easily accessible obex files would be even more suspicious. Cracking such things isn't difficult, as there are usually only a thousand association codes-- easily dictionary attacked and done by a simple script.
Re:Hiders Keepers? (Score:5, Informative)
Re:Hiders Keepers? (Score:4, Interesting)
and if one get a directional antenna, things get really interesting. Iirc, there is at least one guy thats built something he called a bluetooth sniper rifle with a range of a kilometer or more.
Re: (Score:2)
Come on... don't lump all the AC's in with ignorant racist KKK hicks that pop up once in awhile. Anonymity is an integral sacrosanct part of freedom.
Re:Hiders Keepers? (Score:5, Funny)
In England, it's always Albanians or Romanians. Counts, the lot of them.
FTFY
Mod parent up (Score:2)
A+ hilarity.
Do they really need a key? (Score:2)
Re:Do they really need a key? (Score:4, Insightful)
Not many want to, no... But all those that want to do so illegally have really, really bad plans in store. It's enough to offset the relatively small number and need a good lock.
I don't know that they DO have them, but they should.
Re: (Score:2)
I lold at this quote from TFA:
Re: (Score:2)
There's no reason they have to even open the gas pump to pull it off though, and thats the problem. Pull up with a big SUV so that the Gas pump card reader isn't in view of any cameras. Next, pull your bluetooth reader, which can be smaller in size than a candy bar, put it on over the card reader and attach it with glue such that it is inconspicuous. Finish pumping gas. Go inside, Go to the bathroom. Hide your bluetooth reciever in the ceiling tiles. Come back every 3 days and be that creep that all the gas
No worries here. (Score:5, Insightful)
Re: (Score:2)
The only problem with paying cash for gas is that I generally like to fill up every time, and I don't have any buddies working the local gas station anymore, so there is no way anyone is going to let me fill up before I pay in cash.
Re: (Score:2)
You can often leave an ID with the clerk at the counter and they'll turn it on for you. At least they will around here.
Re: (Score:2)
This is slashdot where we can log every fill-up and resulting MPG to a graph, then analyze details like, is synthetic worth it(for differential fluid = yes, engine oil was no), how much MPG is ethanol stealing (10% on carburetored motorcycle, EFI is insignificant.) ...
efficiency issue (Score:3, Insightful)
(2) Amount not recorded automatically. Have to mess around with receipts. During high price periods my gas usage approaches 5% of my budget and should be tracked.
(3) Requires carrying around more cash, especially in periods when prices are high.
Re:No worries here. (Score:4, Insightful)
Re: (Score:3, Insightful)
And if the clerk pockets the cash and calls the cops on you to cover the theft? Here's a 20 for pump #2. *pumps $20 worth of gas and takes off*.
Just saying, ask for a receipt if your worried about the clerk pocketing your cash. Have proof of your purchase.
Re: (Score:3, Informative)
I haven't been to a gas station where this was possible...ever. Every pump I've ever used had to be authorized by the attendant, you couldn't just pump and go.
Pump swipe = no store visit (Score:2)
Re: (Score:3, Informative)
Where you live (some place in Canada) is not the same as everywhere in (Canada). In Toronto and likely most of Ontario, you only have to prepay when it's late at night or a bad area of the city (or both).
ATM Skimmer (Score:5, Interesting)
Re: (Score:2)
Which bank?
Re: (Score:2)
Re: (Score:2)
Re:ATM Skimmer (Score:5, Interesting)
This is not new in Europe. Every ATM now has it. Also sine 3-4 years ago all cards have a chip in them. The transaction is authorized by the chip in a real-time two way communication, and you have to punch in the pin code. But that is never going to happen here in US, primary because it means no tips. But why bug gas stations - just go work as a waiter, or at any cash register desk and just routinely slide the card through a second reader. In EU the waiter at a restaurant has to bring the POS terminal to your table. You insert the card into the slot, while the card is in the slot the waiter puts in the amount, you check it, decide to tip or not, put the amount of tip in, then dial your pin code. Then the chip on the card already connected with the bank of the POS terminal starts to make the transaction, the bank proxies that transaction to your bank, the chip on the card talks with your bank, and it's done, money are wired from you account to the merchant account. Plain and simple, and in no more than 10 seconds you get an SMS on your cell phone - hey - merchant XXX, pos terminal ID YYY just withdrew 20 euro from your card ending in ..... If it's not you, you pick up the phone, call your bank and just tell them it is not you. And that's it.. the merchant cannot change the amount you were billed at a later time. Here in US you have to wait up to 5 days to have it posted and it could get changed a lot (usually because of the tips).
You have to decide whether you want a convenience of just waving your card in front of a cash register, or you want the security of actually allowing the transfer of funds from your account. As for the banks - it will always be easier and more profitable to have the people loose their money and go into debt. That is why only a strong government regulation can make them change something. On a little bit of side not - in Europe if you don;t have enough funds in your card the transaction is refused and no penalty is payed. Here, because of the delay in posting transactions you could easily overdraw your card, and get charged 50 for each transfer after the limit.
So.. decide.. convenience or security.
Re: (Score:3, Interesting)
According to my father, who is a Branch Manager at Citibank, the Citi ATMs now have a system that shuts down the ATM completely (ie. the screen goes blank, the CPU shuts off, and the cash gets locked down) if any metal/magnets are placed on/near the card reader. To reboot, the ATM has to be opened (usually from the inside of the building) and manually reset. All to help avoid skimmers.
However, I've stuck my magnetic billfold right on top of the card reader and nothing happened, so YMMV.
Re: (Score:3, Interesting)
If you aren't already versed in the finer points of duck-fucking, you shouldn't ask.
Re: (Score:2)
The card reader display shows what the card reader should look like?
And if someone is able to compromise both the card and that image of "what it should look like"?
In this kind of situation it is better to have banks telling people — through another medium — what the terminals should look like. (But in some countries this might not be possible, if every bank/network has its own design)
Re: (Score:2, Insightful)
The point, as far as I can tell, is that there are many chances to bolt on external junk, whilst it's pretty difficult/unusual to be able to compromise the ATM itself. External devices are just opportunistic ways of reading the data off your card (ie. magnetic strip, maybe a camera to read out the PIN as the user inputs it). I suppose you could place an overlay on the screen, but it sounds like a lot of work compared to a little magnetic strip reader.
If you'd managed to compromise the ATM (so as to be able
Re: (Score:3, Insightful)
And if someone is able to compromise both the card and that image of "what it should look like"?
If an attacker has sufficient access to change what's being displayed on the ATM screen, then they can probably skip the external card-reader and just yoink the customer's bank data out of RAM.
bluetooth (Score:5, Informative)
Does this mean an accomplice has to hang around within 3m of the pump?
No, a Class 1 Bluetooth device has a range of up to 100m.
Doesnt sound overly hard to (Score:5, Insightful)
Why don't they make gas stations check their pumps once a day for skimmers? Perhaps when they set the price in the morning. Seems relatively simple.
Re: (Score:2, Informative)
Re:Doesnt sound overly hard to (Score:4, Interesting)
I wonder how man skimmers are installed by the person with the key to the gas pump? Checking wouldn't do much good if the guy checking the pump is the one who installed the skimmer.
Re: (Score:3, Insightful)
The uniforms of gas station employees aren't exactly secret, nor are clothes that look very much like them hard to get ahold of(given that they are generally just plaincloths, or mechanic-style coveralls, pos
Re: (Score:2)
Re: (Score:2)
Hmm, I had the key to the gas pumps - I'm no pump technician. Of course our pumps still had mechanical dials and the max price of fuel was 2.99/gal...
Anyway, there is a key to the printer on current digital pumps, so the receiver could be stashed inside the pump without needing to be a tech.
Re: (Score:2)
Why don't they make gas stations check their pumps once a day for skimmers? Perhaps when they set the price in the morning. Seems relatively simple.
Being "in" on the scam is even simpler. Especially if you don't need management approval, merely minimum wage McJob worker approval.
Re: (Score:3, Informative)
Because gas stations are no longer gas stations manned by trained mechanics. They are convenience stores, manned by people who generally don't have any control or technical knowledge of the pumps. Prices are set over the internet. About all the cashier can do is put a yellow bag over the handle if there's a complaint about a pump, and call it in.
Re: (Score:2, Funny)
Re: (Score:2)
Re:Doesnt sound overly hard to (Score:4, Interesting)
I was a gas station attendant for 3 years while getting my college degrees.
It was a nice easy job with fringe benefits like the ability to do homework on the job, free soda fountain mountain dew and access to jailbait.
At one time we had me - a CS major doing AI research and a Nuclear Physics major on her way to the Air Force Academy running the night shift.
Most of the people who can't handle the gas station clerk position think exactly like you do,
except they don't realize that they have to do paperwork at the end of each shift and quit because division is to hard.
Re: (Score:2)
Re:Doesnt sound overly hard to (Score:4, Insightful)
Most of the people who can't handle the gas station clerk position think exactly like you do,
except they don't realize that they have to do paperwork at the end of each shift and quit because division is to hard.
The problem is that not every gas station is structured like that. I worked at a Gas station for 2 and a half years, and they basically had 3 people on duty at all times. 2 to run the tills, maintain the cleanliness of the store, and watch the pumps. 1 would be in the back office, doing that paperwork and occaisonally watching security cams. The only paperwork the front line people had to do was count out their till to $100 each time their shift began and ended. Anyone with a pulse could have worked that job. The only way to keep that job was to NOT steal money.)
And while I wouldn't expect much from even those people, I think they could identify a card reader if taught how. It's as easy as saying "Look at this specific part of the pump. Remember how it looks. Every morning I want you to look at it. If it ever looks different, inform me."
Re: (Score:2)
Trusting sort, aren't you?
If a gas station employee is going to go through all the trouble of installing a skimmer, then what's to prevent him/her from lying about whether one is installed?
What's needed is an end-to-end validation system. My card needs to tell me if I'm connected over a secure, untampered channel to my bank; maybe some LEDs along with th
Re: (Score:2)
one time pad? better an RSA key
Of course then you have to build processing power into the card to use that key
Re: (Score:2)
Using public key cryptography your card can know it's communicating with a real terminal, and the bank can know it's a real card. You card can then "sign" the transaction.
All my cards have chips. They all have magnetic stripes too, so they work in the USA, although maybe it'd be cheaper for my bank if the standard card didn't have one, and I had to ask for a card with a magstripe if I wanted to use it outside much of Europe and a few other places. People stealing the magstripe data still happens here, altho
Re: (Score:2)
Re: (Score:3, Interesting)
No, although I saw a picture of a card with a tiny LCD screen somewhere. That would be useful to verify the amount -- someone could tamper with a terminal's display to show one amount, but ask the card to authenticate a different amount.
I don't know whether there's a key in the terminal that the card can validate...
There's been a case where tampered readers [wikipedia.org] have led to fraud (see "Successful attacks"), but that relied on using non-EMV transactions.
I also have one of these [wikipedia.org], which so far my bank only uses to
Re: (Score:3, Informative)
What's needed is an end-to-end validation system. My card needs to tell me if I'm connected over a secure, untampered channel to my bank; maybe some LEDs along with the chip (that's right, ditch the magnetic stripe). My bank needs to know that it is a valid card; perhaps some sort of one time pad that's burned into the card at time of issuance.
you mean a cryptographic smartcard that has the private key on chip and never tell it like this: http://en.wikipedia.org/wiki/Smart_card#Cryptographic_smart_cards [wikipedia.org] ?
Re:Doesnt sound overly hard to (Score:4, Interesting)
In the meantime, I'm curious why the "card path" of any exposed payment system would be designed such that it has internal voids where 3rd party hardware can be stashed. A mag-stripe reader is just a surface, with a few mm of electronics behind it. Generally, because people aren't too good at keeping their card at just the right distance, you mount the reader parallel to a passive plate a few mm away, through which the card is run. With a surface channel design, the attacker has to stick their skimmer onto the surface, where it can be detected by visual inspection(made easier if the card slot has blinkenlights, a highly specific shape, certain color/pattern, etc.)
If, for some reason, an internal card path must be used, so that the card can be held on to during the transaction or whatever, one could still make sure that the internal chamber is small enough to admit only a card, and that the eject mechanism doesn't just pop the card halfway out; but actually completely scrapes out the internal chamber each cycle(in order to remove, say, a thin-film reader fabricated on a sticky backed piece of flexible circuit board)...
Good mechanical design won't stop all skimmers; because people may not notice even a fairly blatant one just taped on top of the actual reader; but it should be fairly easy, with good design of the card path, to make it impossible to mount an internal reader without doing some in-situ metalworking.
Re: (Score:2, Insightful)
They only need to have the card scanner in place for a short period (say an hour or two) to get enough credit cards, then they move on to the next target.
Re: (Score:2)
Gas stations generally aren't required to protect your info though, the only laws regarding that are that any reciepts which print the card # have to be *'d out.
Re: (Score:2)
Re: (Score:2)
talked to a guy at a shell-station in europe. He said the prices are updated remotely via network. They change multiple times a day.
My card got skimmed in Iowa (Score:2, Informative)
I'm usually paranoid about such things, but I didn't even notice. Chase was really on the ball with it though. The crooks who stole my card weren't able to charge a damn thing, because their first attempt tripped the alarm bells.
These skimmer gangs are pervasive, though. They have people working on the inside at retailers everywhere. When mine was skimmed, they tried to use the card to buy several DVD players at a Walgreens nearby within minutes of me buying gas. As it turned out, they had skimmed several d
Get the chip (Score:2)
Re: (Score:2)
ZIP-confirmation and other two-factor authentication hacks aren't going to cut it.
ZIP confirmation has always seemed spectacularly useless. If you've got somebody's card, the ability to get their address seems trivial. The card comes with the name on it (including on the mag stripe), and Google will give you an address much of the time from that.
Is there some secret advantage here that I'm missing, or is it just the credit card company's lazy way of pretending to add security?
You're giving the crooks too much credit (Score:2)
Re: (Score:2)
"Jesus fuck, man, that sounds expensive! We mail out those cards, sometimes unsolicited and pre-activated to poorly validated addresses, like goddamn candy. If your next scheme involves a per-card hardware cost, you might as well go pack your desk, to save security the trouble..."
"Well, we could just change the software and add a scary-looking sc
Re: (Score:2)
The advantage is if you drop your card and a crackhead steals it. It's not security.. it's more just a roadblock for very basic theft. Fraud and more complicated stuff isn't actually prevented by it.
Re:Get the chip (Score:5, Insightful)
While it is certainly more secure than mag stripe, the various issuing institutions, at least in Britain, have tried to use this to argue that theft/skimming losses should now be the fault of the "negligent" customer, rather than their problem.
I have nothing against better security, I do have a problem with better security being tarted up as evidence that no intrusion could possibly have occurred without the connivance of the customer.
Re:Get the chip (Score:5, Informative)
Not since November 2009. [wikipedia.org] The banks are now required to prove the customer was at fault.
Re: (Score:2)
They, successfully, used the technological change to pass the buck for a number of years, until outrage and the law eventually caught up with them. Clearly, since the law had to force their hand, their intention was to keep the buck passed forever.
Given the, er, robust state of American democracy, and its laudable freedom from corruption and corporate influence at all levels, I for one am certain that thi
Re:Get the chip (Score:5, Interesting)
Yes, Slashdot covered a similar case [slashdot.org] a few years ago. "Stolen car!? That's impossible with our current state-of-the-art RFID keys! You must have negligently left your keys where someone could take them; no insurance for you!"
Re: (Score:2)
The chip isn't secure. We're already seeing cases in Canada where chipped cards are being copied.
Re:Get the chip (Score:4, Informative)
The system relies on the chip to tell the terminal that a valid PIN was used, rather than the terminal+chip+PIN creating a cryptographic message to the bank so the bank can verify that a valid PIN was used. End result: All you need is a fake chip that always tells the terminal a valid PIN was used.
http://www.zdnet.co.uk/news/security-threats/2010/02/11/chip-and-pin-is-broken-say-researchers-40022674/1/ [zdnet.co.uk]
Re: (Score:3, Informative)
Banks do take liability for credit card fraud unless they can prove merchants did not obey the security precautions mandated by the acquiring bank's or card association's agreement.
What a skimmer actually looks like (Score:5, Informative)
Re: (Score:2)
Re:What a skimmer actually looks like (Score:5, Informative)
That's an ATM skimmer, which are different to gas pump skimmers. Because the attackers don't have access to the inside of the ATM, everything is done by sticking gizmos on the outside of the ATM. With gas pumps, I don't think there are any signs that a user can see that a skimmer has been installed -- it's all internal to the gas pump.
How do they get into the gas pump? (Score:2)
Re: (Score:2)
You just put it on in front.
Re:What a skimmer actually looks like (Score:5, Informative)
Y'all got some religious prohibition about Reading The Fine Article [bankinfosecurity.com]?
The entirety of human knowledge at your fingertips, and you still insist on wearing your ignorance like a badge.
Re: (Score:3, Informative)
While I'm sure the author of that article is well intentioned, they get a few facts wrong. In addition to naming the wrong city, they have a incorrect picture. A correct picture can be found at the local newspaper [gainesville.com].
Re: (Score:2)
No, the second article was pretty clear that the devices are being placed in-between the reader and the rest of the pump. It's in-line, recording every signal the card reader sends to the processing system, and prior to the point that it's all encrypted for transmission.
Unlike ATM skimming devices, which are attached to the exterior of a machine, over the card reader, the Shell skimming device was actually inside the terminal, wired between the card scanner and the computer board.
This is like the classic
What we need... (Score:2)
What we need to do is make every debit and credit card use something like an RSA Secure ID token and make the user type in the pseudo random synced 6 digit code for every purchase. And then allow only one transaction for a card in that ~1 minute timeframe that the code is valid.
That would cut down on 99.99% of all opportunity for credit card fraud. You would either need the card/token on hand or have the algorithm and enough instance data to derive the key through brute force means.
The only downside to this
Re: (Score:2)
The problem with RSA tokens is that the system doesn't scale. I have two credit cards, an ATM/debit card, several bank website logins, etc. I don't want those accounts tied together for security and privacy, and I certainly don't want to carry around a half-dozen tokens. Also, doesn't RSA claim a patent on the token setup (so they'd be a sole-source and raise costs across the board)?
Re: (Score:3)
Embed the token into the cards. They don't have a significant cost these days, and it would make the cards significantly more secure. Yes, it makes the cards more expensive than a piece of plastic and a magstripe, but really, it's not THAT much. Particularly when amortized over all the cards in circulation.
If you're going that far, you could also include the PIN entry keypad on the card and use a secure link to make it nearly impossible for an attacker to get your PIN via the capture device.
And, if designed
Re: (Score:2)
I already carry an RSA device with me for my PayPal account's online access. It has a serial number on it which links my particular device back to the algorithm and seed to generate the numbers. Why would it not be feasible for me to enter that serial number into my banks' systems so I have a single OTP that works for all of my cards? It would take some massive cooperation between the card companies to do so, but it sure would give them some nice good-will towards their customers.
And before we head dow
Re: (Score:2)
if my touchscreen cellphone can't keep synced to my wall clock (+/- 1 minute) I wouldn't bet much on something stuck into a cheap card managing it reliably.
harder credit/emoney is less credit & bank pro (Score:2)
Security through obscurity, yet again (Score:2)
If the system was designed in such a way as to allow the generation of 1 time keys, instead of an embedded 16 digit number, this wouldn't be a problem. This could have been fixed 10 or maybe even 20 years ago... but we have the lowest possible cost system in place, and fraud is just a cost of business instead of a crime.
insight from the banking industry (Score:5, Interesting)
Interesting that this "insight from the banking industry" doesn't seem to indicate the banks have any responsibility for the problem.
There once was a time that people took their money to the bank for safekeeping. I think banks have partly weaseled themselves out of the security side of the business, and what used to be called "bank robbery" they now call "identity theft." Which works ok for the bank, seeing how it's the customer who lost the money and it must have been the customer's fault, or the gas station's, or the POS equipment vendor's.
The bank, which should act like a watchdog, portrays itself as something of an innocent bystander.
Re: (Score:3, Informative)
Re:insight from the banking industry (Score:4, Insightful)
When dealing with PR flacks, their salary depends on you not understanding it, which is likely even worse...
ATMs (Score:3, Interesting)
After several years of being told by banks to watch out for large plastic attachments to ATM card slots, I've noticed that an increasing number of bank-owned ATMs now have them as a part of their design. The simple, flush-mounted card slot on a grey plastic / metal bezel is now giving way to a protruding translucent green plastic bulge on grey plastic / metal bezel.
Which makes less than zero sense.
They look fake as can be, especially when paired with a slightly older ATM with the more sensible slot.
Now, one might argue that the crazy card slots are a great theft deterrent because they preclude the attachment of a skimmer, but they also make it impossible for the machine to snap up a stolen card, nor do they really look legitimate enough to give the user peace of mind.
It's usually the same key (Score:5, Informative)
I used to write code that talked to gas pumps, and I can tell you that most pumps take the same key for the printer door, a different same key for the terminal (Gilbarco CRIND/Wayne CAT) door, and I think another same key for the pump control door. That's the same keys for the entire model run of a pump, and maybe for more than one model, unless maybe a big oil chain installs a different same key. Even then, they're those round locks like the ones that some laptop cables use that can be picked with a part from a Bic pen. (Presumably they're better made than the laptop cable locks.)
The card data is sent up to the station's control computer directly, usually both track 1 and track 2 data. I don't think it would be hard to insert a skimmer behind the door, whether a second mag reader head, or just splice the wires from the card reader. Or even rig the station control computer if you have access to that. (For that matter, all the card numbers may end up in a log file on that computer.)
There's not much danger of a pin pad skimmer, however, because in the US, PINs are protected by each pinpad having a master key injected into RAM before shipping to the site. They are potted in epoxy and have a memory kill switch if you attempt to open them. This works differently from the European system, which is why the US hasn't had to go to "chip and pin". The PIN is encrypted in the pad, the pinpad's serial number is attached, and the result is only decrypted by the card clearing house computers, which have a list of all the decryption keys. Even if the guy who ran the station was doing the skimming, debit PINs couldn't be skimmed and still work properly. But that's just debit. Credit cards don't have a PIN.
So unlike ATM skimmers, they could definitely hide the skimmer behind the door, but they would still need a camera of some sort to capture the PINs. Fortunately most gas pump terminals have a relatively flat front, so they can't just hide the camera on a different part of the panel.
Actual picture of one of these skimmers (Score:5, Informative)
The local paper (Gainesville Sun) had a picture of the skimmer on the first day it was found:
http://www.gainesville.com/article/20100707/ARTICLES/100709681 [gainesville.com]
Basically it looks like a thin bundle of electrical tape attached to the wire between the magstripe reader and the circuit board inside the gas pump -- completely hidden inside the pump cabinet unlike ATM skimmers.
-Esme
Who's making this gear? (Score:3, Interesting)
miniscule Man in the Middle attack (Score:4, Informative)
A link http://www.networkworld.com/community/blog/newest-attack-your-credit-card-atm-shims?t51hb&hpg1=mp [networkworld.com] in the original story, entitled "Newest Attack on your Credit Card: ATM Shims" has some interesting information:
"The shim needs to be extremely thin and flexible. In fact it must be less than 0.1mm"
"The shim is inserted using a "carrier card" that holds the shim, inserts it into the card slot and locks it into place on the internal reader contacts."
"Once inserted, the shim is not visible from the outside of the machine. The shim then performs a man-in-the-middle attack between an inserted credit card and the circuit board of the ATM machine."
"flexible shims are recently being mass produced and widely used in certain parts of Europe"
"Diebold released five new anit-skimming protection levels for its ATM devices june 1st 2010...Unfortunately, none of these helps with the shim skimming attack. That problem has yet to be solved mechanically yet."
Virtual # writer (Score:4, Insightful)
How about a way to magstripe the virtual # you get from Citi or equiv. Basically, you program the card before use at the station with a fresh virtual#. So, skim away! I couldn't care less if they skimmed a virtual#.
Or have a $75 limit on the card and only use it for gas.