Criminals Hide Payment-Card Skimmers In Gas Pumps
tugfoigel writes "A wave of recent bank-card skimming incidents demonstrates how sophisticated the scam has become. Criminals hid bank card-skimming devices inside gas pumps — in at least one case, even completely replacing the front panel of a pump — in a recent wave of attacks that demonstrate a more sophisticated, insidious method of stealing money from unsuspecting victims filling up their gas tanks. Some 180 gas stations in Utah, from Salt Lake City to Provo, were reportedly found with these skimming devices sitting inside the gas pumps. The scam was first discovered when a California bank's fraud department discovered that multiple bank card victims reporting problems had all used the same gas pump at a 7-Eleven store in Utah."
How is this shit news for nerds?
Any fucking fucking nerd has known about this tactic for decades.
I remember running into something like this a long time ago when I was in New York City. There was this small piece of metal in the card slot. Needless to say I didn't insert my debit card in to find out what it was.
How do I protect myself from a skimmer inside a gas pump?
This is a fairly old scam.
I remember at least 10 years ago an Arco station had a sticker on the machine that said don't enter your card if the reader looks weird. I have also seen that warning on swipe ATMs.
become fertilizer, no need to pollute
And yeah, maybe it is an inside job. Paying clerks $6.00 an hour to work from midnight to 8:00AM does not buy a lot of loyalty. Where do you think most of the pilfered credit card numbers really come from? Try paying people a living wage and this won't happen. Employees who have to live with their mother are not averse to listening to someone's criminal scheme, which to them sounds like justice rendered.
Why do "Al Qaeda" bulletins allegedly authored by Osama Bin Laden sound as if they were authored by Oliver North?
This got my credit card over a year ago in Saskatchewan, Canada. However, my card was skimmed at a do-it-yourself ticket-terminal at the local movie theatre.
It turned out it was a very large network of people who came together and organized the attack and paid people all over the country to do this and sent the info back to 'headquarters' in Ontario Canada.
They racked up over $600 in charges and it all appeared to have been used at gas stations in Toronto / Mississauga in Ontario.
They put these things on any 'do-it-yourself' terminal they could find. This included pay-at-the-pump gas stations, ATMs, and any kiosk that could read a debit/credit card.
Luckily Mastercard covers things like this so it was much easier to report and reverse than a few friends of mine who had their debit cards skimmed. They had a much harder process to deal with.
The move to "Chip" cards (http://en.wikipedia.org/wiki/Chip_card) is rapidly increasing these days. I know my local credit union is fully switched over, although maybe half of the retailers in town actually support them.
PCI (Payment Card Industry) will deal with this eventually, as traffic should be encrypted from the reader to the back-office server or whatever brokers the transaction to the payment processor. What needs to be done is encrypt the card information at the reader at the pump, even if the information is transmitted via serial connection (out of PCI scope today). Prudent companies keep the keys to the gas pumps secure as well as do at least daily checks on the pumps (crack the box, look for skimmer).
I suspect this type of skimming is more prevalent than it is getting press for.
Let's define this scenario clearly. You put your money in a bank. The bank then gives you access to the bank's services. It's not access to "your" money so much as it is access to a money exchange service. (Think of an ATM and similar services as a vending machine that serves up cash and other things in exchange for the money in your bank account.)
Now there are the criminal parties. These parties are the ones who come in and exploit weaknesses in the system to get cash and other things. In the course of exploiting these weaknesses, they use the credentials of other people to extract the cash and other things from the actual victims.
Who are the actual victims? They are the banks themselves and they are the sellers of other things.
When the people whose credentials were used in the commission of a crime against the banks and merchants are charged with responsibility for the criminal acts, it is the banks and merchants who are victimizing the people... their customers! The criminal performed their crimes against the banks and merchants. It is the banks and merchants who are passing the burden along to the innocent individuals who quite literally have no way to protect or control the situation. It is the banks and merchants who have the means to control and protect.
Every time I hear "identity theft" and other referrals of uninvolved parties as victims of a crime, the lie bothers me. These banks and merchants have created a system that is weak and exploitable that uses its customers as a buffer and even a shield against those weaknesses. You cannot protect your "secret information" so long as it must be shared in order to use it. And once that information is out there and used, the banks and merchants take money from your account instead of theirs. The original victims are, in turn, victimizing the innocent by declaring that the innocents are victims of the original crime.
I am sure there are plenty of people who disagree with my sentiments on the matter. But if you do, point out the flaw in the logic I presented.
If you have a pair of sunglasses and a jacket, you should be good to go.
1: Get a $10-$25 cash card from your credit card company
2: Slide it through the card reader
3: Light up a cigarette
4: Spray gas all over the pump
5: Slowly walk away, flicking the smouldering cigarette behind you, onto the pump. Speak a one-liner about gas, pumps, explosions, fire, smoking, or credit card fraud. It is very important NOT to laugh at your own joke.
6: No matter how hot your back suddenly gets, keep walking slowly and DON'T turn around, (glass or shrapnel is going to hit you, it's better to take it in the back than in the face.)
7: Never worry about gas pump skimmers for the rest of your life.
I am the richest astronaut ever to win the superbowl.
After waiting patiently for the US Government to implement a carbon tax, the ever-altruistic Utah mafia has decided to take matters into their own hands.
Obviously you have to use debit at an ATM, but at gas stations I use credit, even with my debit card, because once they have your PIN they can get cash out of your account and not just do a credit card charge. The crooks would much rather have the greenbacks than having to buy crap with your stolen card and fence it.
This is but one reason why I use only cash to buy gas. The other is that greedy operators like ARCO will skim $0.45 off the top of every debit card transaction. I happened to be an early victim of debit card reproduction over a decade ago, before these current devices even existed; back then it apparently required collusion with a station employee to redirect outside security cameras and collect register data. The result was the same: my Versatel card was duplicated without ever leaving my possession, and then a withdrawal spree took place over three days at race track and casino third-party ATMs all over four counties.
taking it to a new level, of course
Any gas station you go into now (unless it's in podunk la-la land) has a crazy amount of security cameras all over out there monitoring pumps and to catch fuel pumping thieves. I would suppose the reason the high number of pumps that do get hi-jacked are places that aren't open 24-hours or have a douchebag clerk who "pushes the blinky light" to authorize fuel and doesn't notice someone taking apart the pump next to it.
I remember when skimming waiters or waitresses with hand-held swipe devices was "the scam of the year". Someone is always going to 1-up the next I guess. However, it still is very surprising that this type of theft is still happening to begin with, though, and especially to credit card scanning card devices on gas pumps. That's like the bank leaving the door open on an ATM machine.
This took place in Delaware County, PA about 10 to 12 months ago. One of the tests they gave locals was to give the card swipe area a good tug before scanning. Guess the front fascia would pull off easily, and it wasn't the banks that caught it, it was the local police & Wawa.
no matter how good it is, it is human nature always wants to make things better
Not with that attitude!
It happened to me in Malibu. Bastards made some kind of copy of my debit card and spent $250 before my bank shut them down. Fortunately, my bank (Wells Fargo) restored the $250 to my bank account. I bet the gas stations where the fake card was used got stuck with the bill. Serves them right for not guaranteeing the financial security of their customers. They should keep an eye on their pumps.
Or Joseph Smith, Jr.
I've been the victim of skimming twice. I love paying at the pump but it's getting out of hand. Even with a credit card it's the inconvenience of filing a dispute, canceling the card, etc. This time they laundered the money by buying five $200 wal mart gift cards with a cloned card.
Here locally they say it's been the Fast Trip and AM PM stations that have been hit. The two with the lowest prices of course.
How does that differ from the nanny conservatives watching everything you want to do?
Are you going to pay for the billions of dollars it costs to have our military constantly deployed to the middle east?
There are about 115,000 gas stations. Let's say two clerks, open an average of 20 hours, gives m about 1.7 billion man hours per year. So, for about a month of expenses in Iraq, we could bump their pay from $6 to $13.
And if you're worried about security, we could triple the size of the TSA, monitor every parcel of incoming cargo, and follow the Israelis' policy of personally interviewing every single person trying to enter the country. They haven't had a single incident since they started, and we'd still be saving money.
Hooray for diversions!
Off and on, over the last year, I have been employed as a contractor to the ATM industry, to develop anti-skimming hardware and software.
When I started, I was amazed that skimmers worked at all.
Now, I am truly impressed by the ingenuity of skimmer makers.
BUT...in the end, our technology will defeat them...
This has driven down crime in the UK with their Chip and PIN system.
Here in the states, the industry is pushing ahead with encrypting magnetic stripe readers, but that still does not protect you if the attacker taps into the read head before it is encrypted.
I saw a device inside a gas pump in California two years ago. It was the size of a pack of gum, and made specifically to plug into the pump's cables. Small ICs, a pro job.
I have to say, despite not being very pleased in other ways with Wells Fargo, that they are on top of the game with fraud as far as I can see. I've had five separate issues with my WF credit card in the last year, all of which were handled swiftly (once before I even reported it).
What I really want is a card that I can use for on-line purchases where I either transfer the money for the transaction in advance, or authorize it up to two hours later or it's canceled. I've looked (not very seriously) for two years, but I must be missing it. This seems an obvious evolution to CC use that benefits everyone. AmEx used to have a program like this, but I don't see it now. (NB: Gift cards - read the terms of service. These are NOT an option with those sorts of fees!)
Another thing that needs to stop is revolving charges without cardholder approval. I once used a card to buy a 1 year subscription to a magazine for a friend, then after the year, spent the next 12 months, every month, contesting the charge. I finally closed that card to stop it as it was taking 3 hours a month to file all the paperwork.
Last, there needs to be more enforcement done vis-à-vis credit card fraud. I administer a mail server farm - I see literally THOUSANDS of frauds sent every day. A swift, sure way to stop the merchant account is needed.
Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
With chip cards, it's my understanding that even having the PIN, it is not possible to perform a transaction without the actual card. They should just swap out all the magstripes for chip cards for everybody. Surely that costs less than what they lose every year with magstripes?
I'm excited to see how often issues like this occur when cards start incorporating RFIDs and other remote technology gets used to pay for things (like punching in a number to your cell to buy something).
www.RacquetUp.org - Helping Detroit Youth
Um, don't they have security cameras on the pumps? Eas
Use Cash! F*ck all this electronic transfer stuff that banks and others haven't learned to protect yet!
I've been following this since first I heard about it a week or two ago. My first thought was that it HAD to be an inside job for someone to be able to access the pumps since they are locked with keys. Then I ran across this article that says there are basically one or two key configurations for all pumps across the country:
http://www.ksl.com/index.php?nid=148&sid=9782411
Never thought I'd get ripped off by a gas pump.
We had a crew of people running around here (the Seattle area) not long ago. They were getting inside the pump and circumventing the controls to enable the pump. And then they'd steal a few hundred gallons at a time with a specially equipped pickup truck.
You'd think they would have some sort of tamper alarm and pump shutdown to keep unauthorized people from screwing around inside the pumps.
Have gnu, will travel.
Yes. *All* conflict arises from economic disparity. Why, if only we could fight poverty we could stop fighting each other. I've never even *heard* of a rich man stealing (much less murdering). /sarcasm.
Dynamite = the end of war. Failed. The airplane = the end of war. Failed. Television = the end of war. Failed. Atomic bomb = the end of war. Failed. Let's extrapolate. If you were to do something so humanitarian as to end hunger, you would also end hungry armies. Who could then wage more efficient war. Humans bring about their own problems, not their circumstances.
Of course, the answer is Jesus, but many people don't want to hear that.
these people are not criminals. they are simply pointing out to people how easy it is for you to get ripped off by credit card scanners. by .. you know. ripping you off with a credit card scanner.
Equip all cards with a simple chip. This chip contains an encryption algorithm (something strong enough to not be easily cracked by running brute force on data packets). It would also contain a secret key unique to your account. And it should not give the key itself out.
Then the reader sends a formatted packet containing the PIN (if entered), the options (credit vs debit etc) and the amount of the purchase. The card encrypts this data and hands the reader a data packet saying "this is a chip-and-pin transaction" and containing the encrypted data. The reader sends this through the bank networks to the issuing bank.
The issuing bank has another copy of the secret key which it uses to decrypt the data packet and validate that the transaction is possible (i.e. enough money there etc) and returns a "yes, proceed" result to the card reader. The bank would ONLY record the transaction as a chip-and-pin if it was sent through this process (thus preventing dodgy or compromised swipe-only terminals reading the mag stripe and running up the transaction like a mag stripe transaction but telling the bank it's chip-and-pin).
no point getting victimized ;)
This got inside job written all over it.
As others have indicated, most gas stations have more cameras than Fort Knox (after all, it's black gold).
At the end of the day, I would rather have my credit card swiped and have the bank cover any fraud charges than carry around a wad of cash. The single most dangerous activity you will do regularly is withdraw cash from an ATM that is slightly hidden or in a dark area. I swipe my card safe in the knowledge that my bank will cover any fraud.
Yes, I've had my debit card used fraudulently for about $700 and the bank reversed the charges immediately. I was out the money for about 30 minutes beyond the time I first discovered.
I also use the service from my bank that texts me when I use my card. I know two people who were able to stop a fraud transaction within minutes of it actually happening by seeing the alerts.
You think like a racist ReThuglican Jew
Of course the Hispanic deserves your sympathy.
No one wants to pay to update these fine examples of 1950's technology. That would be too difficult.
Samuel: Enough is enough. I have had it with these motherf*king prices in this motherf*king place. Strap yourself in, I'm about to fill the f*king truck.
Samuel tosses the hose over into the back of the El Camino. Swipes his card and begins filling. Just when the back of the truck has been filled to capacity thanks to a thick, liquid-proof lining, Chuck Norris comes out of the store with an Uzi.
Chuck: You gonna pay for all that gas.
Samuel: I just did!
Chuck: No you didn't.
Samuel checks the pump and sees all sorts of jumbled characters. Biting his lip and cocking his head back with a nearly spent cigarette butt still in his mouth...
Samuel: Pleeeeeez! Goddammit! I hate this hacker crap.
This problem has existed for many years now. It is almost impossible to identify a machine that has one of these, as most of these machines are inside the actual pump on the interior of the swiper. They are able to do this because the actual locking mechanism that keeps the machine secure is almost always a generic lock whose key will fit not only every lock at that gas station, but probably a good 1/4 of all the gas pump locks in a city. I remember seeing a video with a reporter some years ago and they showed how such things are installed and the guy had the thing unlocked, installed, and drove away in not even 2 minutes.
The technology is a little more resistant than it used to be; requiring the input of a zip code or a PIN makes getting it harder but not impossible. Just make sure you're covering your keystrokes when you put that info in, as it's possible you're being watched by binoculars or a camera with a telephoto so they can pick up your PIN info.
The East Europeans have been doing this in western Europe for many years by now.
That is why 95%+ of all cards in Denmark have a chip that must be used, and Sweden will have completed the card replacement cycle this year.
The US is technologically way behind the rest of the civilized world.
Banks should make some haste and move to EMV. SmartCards cannot be skimmed. Smartcards can be cracked, but usually that's for cheap smartcards with some old and proprietary encryption method. EMV is much safer. There are currently some ways to abuse EMV, but it currently requires a stolen card and a man in the middle attack that puts the criminal at much greater risk than skimming.
---
Here in the UK, especially since the advent of 'Chip & Pin' security, card skimmers and other intercept methods have become increasingly common, and fuel pumps are among the most common targets of all. The reason why is ease of access. You're stood at the pump for quite a long time (in the UK you have to keep the handle squeezed to pump fuel, no latch) with no one paying any real attention to you. Since you're stood for so long you have ample opportunity to install your device, and since there are no attendants, just a couple of cashiers, the chances of detection are minimal. Since automatic number plate recognition technology was added to aid in apprehending fuel thieves, the cashiers have no reason to look at the CCTV screens either, so they don't.
I was had by just such a device a couple of years ago, but here the banks are so confident in chip and pin as a security method they weren't exactly sympathetic - and bank fraud is now a matter for the banks, not the police. It took a long struggle to get my money back, and in the end the best I could manage was about 50% of it.
Real happiness lies in the completion of work using your own brains and skills.
I'm sorry, but in pseudocode:
Price != Cost + desired margin(profit)
Price == demand/supply
As evidence:
The average price in New Jersey is 2.47 per gallon, and the average fuel price in Pennsylvania is 2.73 per gallon. New Jersey has a law that all pumps MUST be full service, so they have to hire at least one extra attendant; this does nothing to the price in comparison to prices in neighboring states. I am not suggesting that the minimum raise be increased; Economics 101 states that the net effect of minimum wage IS teenagers and college students with less work experience while the economy catches up to absorb the difference. I am suggesting that gas stations start paying their employees a living wage and provide reasonable benefits, and then brag like hell.
Most ignorance is vincible ignorance. We don't know because we don't want to know. --Aldous Huxley
Since most people have cell phones, why not require banks to txt your phone with a verification query for every transaction with the options of verify, refuse, refuse and I think my info was stolen, refuse and have a card rep call me when available.
If the crooks have compromised the reader, they can have your card encrypt a couple of packets they plan to use before going through with the actual legitimate transaction.
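The chip scheme proposed earlier in the thread, with the concern in the reply above about packets collected ahead of time, worked through as an added example that is not part of any poster's comment. It goes beyond the proposal in two labelled ways: HMAC-SHA256 stands in for the card's "encryption", and the bank issues a one-time challenge that is bound into every packet; all class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets


def cryptogram(key: bytes, pin: str, options: str, amount_cents: int,
               challenge: bytes) -> bytes:
    """MAC over every field the bank must trust; fields are length-prefixed."""
    fields = [pin.encode(), options.encode(), str(amount_cents).encode(), challenge]
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()


class Card:
    """Chip holding the per-account secret; it outputs cryptograms, never the key."""

    def __init__(self, key: bytes):
        self._key = key

    def sign(self, pin: str, options: str, amount_cents: int, challenge: bytes) -> bytes:
        return cryptogram(self._key, pin, options, amount_cents, challenge)


class IssuingBank:
    """Holds the second copy of each card key and validates transactions."""

    def __init__(self):
        self._accounts = {}          # account -> key, PIN on file, balance
        self._open_challenges = {}   # challenge -> account it was issued for

    def issue_card(self, account: str, pin: str, balance_cents: int) -> Card:
        key = secrets.token_bytes(32)
        self._accounts[account] = {"key": key, "pin": pin, "balance": balance_cents}
        return Card(key)

    def new_challenge(self, account: str) -> bytes:
        challenge = secrets.token_bytes(16)
        self._open_challenges[challenge] = account
        return challenge

    def authorize(self, account: str, options: str, amount_cents: int,
                  challenge: bytes, tag: bytes) -> str:
        # A challenge is consumed on first use, so a stored packet is worthless later.
        if self._open_challenges.pop(challenge, None) != account:
            return "declined: unknown or reused challenge"
        acct = self._accounts[account]
        # Recompute with the PIN on file: a wrong PIN or altered amount changes the MAC.
        expected = cryptogram(acct["key"], acct["pin"], options, amount_cents, challenge)
        if not hmac.compare_digest(expected, tag):
            return "declined: bad cryptogram"
        if amount_cents > acct["balance"]:
            return "declined: insufficient funds"
        acct["balance"] -= amount_cents
        return "approved: chip-and-pin"


def demo() -> list:
    """Constructed sample account and transactions."""
    bank = IssuingBank()
    card = bank.issue_card("acct-1", pin="4821", balance_cents=20_000)
    results = []

    c1 = bank.new_challenge("acct-1")
    t1 = card.sign("4821", "debit", 3_500, c1)
    results.append(bank.authorize("acct-1", "debit", 3_500, c1, t1))   # genuine
    results.append(bank.authorize("acct-1", "debit", 3_500, c1, t1))   # same packet again

    c2 = bank.new_challenge("acct-1")
    t2 = card.sign("4821", "debit", 1_000, c2)
    results.append(bank.authorize("acct-1", "debit", 15_000, c2, t2))  # amount altered

    c3 = bank.new_challenge("acct-1")
    t3 = card.sign("0000", "debit", 1_000, c3)
    results.append(bank.authorize("acct-1", "debit", 1_000, c3, t3))   # wrong PIN
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Because the PIN only enters the MAC input, it never crosses the reader-to-bank link in the clear in this variant.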
I don't like cars. I mostly walk. But yes, I have always lived in a big city. And occasionally I use taxis, buses, trains and airplanes. Even motorcycles and bicycles. But never cars. Do some math and you might find the same. I do use cars when the system gives me no other alternative, it happens often, no need to be fanatic...
Build your own energy sources from scratch. http://otherpower.com/
... there's still no legal mandate to provide digital signatures for credit card transactions! Why?
Signing smart cards have been around for well over a decade. Smart phones could easily handle the duty and give you a processing/verification module that is really tough for a criminal to tamper with.
It goes like this:
1. You step up to the register/pump and identify your payment device. An iPhone can display a bar code with a public key, so that would work well. Heck, the iPhone camera can even read a bar code off the counter to get the register's public key, but that might be overkill.
2. The register uses the bar code identity to encrypt the payment details.
3. The iPhone owner approves the transaction, most likely entering a PIN.
4. The iPhone sends a strong digital signature of the approved transaction to the register.
5. The store/gas station must submit all digital signatures to the bank to get any payment.
DONE!
Tractor trailer sized holes that lead to credit card fraud could be sealed.
What is the friggin' problem here?
Oh yeah, credit card companies write off the fraud so it doesn't hurt them too much. Consumers aren't held responsible for using credit card companies that refuse to upgrade their infrastructure.
Why are you letting these clowns ruin our country?
The credit card offers the service that got compromised. It's up to them to fix it and to pay the bill; they used to go with it because those things were not frequent. Now they started putting chips on the cards because the cost of fraud got too high.
Sorry but, Price != demand/supply, it is related to demand/supply but it would more accurately be characterized by something like
Price = operating_cost + profit_I_can_get_away_with
where profit_I_can_get_away_with is related to demand/supply
You always have to cover your operating_cost, however. Gas stations have thin margins so there does come a point where raising wages requires a raise in cost.
I mean, just do a quick mental experiment. Let's say you raise someone's wage to more than the net profit of the entire shop. Obviously you would have to raise prices.
Also, you are only citing gas price difference between New Jersey and Pennsylvania as "evidence" for your argument. First: gas stations don't make that much money on gas. They make money on the stuff inside of the gas station. The gas is merely a way to attract customers to come and pay for candy and soda, etc. To make the argument you are making you need to compare average profit margins, so check out the average markup across all items at the gas stations in each state and report back to us.
Second: you haven't shown whether Pennsylvania gas stations pay their attendants more or less. If they pay more, then it would actually support the people arguing against you, because higher prices and higher wages would be related.
Third: even if the wages were the same between the two states it may be more expensive, in terms of taxes, for a company to have an employee in Pennsylvania which would eat up its operating budget and require it to pay its employees less than it otherwise would.
Bottom line: your comparison of gas prices is a red herring and does not get even close to proving your point. A lot more in depth analysis of operating budgets and profit margins is needed to make the argument that gas stations can raise wages without raising prices--something that I think is probably a pretty dubious claim.
You nearly got carded.
http://en.wikipedia.org/wiki/Lebanese_loop
How can you protect yourself? It's not easy anymore. You now see that a compromised machine doesn't necessarily have semi-obvious modifications you can see from outside. I think people will have to start using temporary credit cards with low limits more often.
I don't know if it was intentional but this seems to have been predicted in Batman of the Future - the characters carry around a large number of "creds" and each one seems to have a limited value. They also used portable devices to trade them - totally possible these days with short-range RFID and readers which could be built into smartphones.
They don't seem to have any authentication (and are sometimes traded like cash). A system like this could work - instead of mints printing money, they'd recycle "creds" which you can then get from the bank and assign to your account. I mean we're already using fiat currencies anyways.
Or maybe I'm getting ahead of myself - if the credit card system were to be overhauled, it would be easier to give the credit card some computational power rather than being basically a glorified barcode sticker (which you can now copy at range, thanks to RFID-enabled credit cards). Put some buttons and a screen (or a touchscreen) right on the credit card and have the card itself initiate an SSL (or similar) connection to the server, using the ATM only to act as a network access point (using some kind of very short range wireless or optical networking) and propose a transaction to the card (send $18.99 to SHIRTCO (Seller verified!) for T-SHIRT, Accept/Deny?). A MITM wouldn't be possible with no way to intercept keypresses or any legible network traffic. With the card running from a ROM, and with no way to access any onboard storage, data couldn't be stolen from there either. Carding someone in a system like this would have to start by physically stealing the card, and with the possibility of deactivating its account on the server side you'd also have to kidnap the owner.
"When information is power, privacy is freedom" - Jah-Wren Ryel
Take a regular card, swipe it, enter a PIN that is not correct. The skimming systems are usually not a "man in the middle" attack: they are card readers that will accept any PIN just to get your information.
If the wrong PIN is not authenticated, the card reader is connected to your bank. If the wrong PIN passes, buy everything you can carry out.
This is another symptom of what's wrong in this country. Two manufacturers of gas pumps? WTF happened to competition? Imagine how easy it would be for a foreign power or terrorist organization to subvert our gas pumps and literally bring this country to its knees in a week.
Our car-only transit culture and lack of standardized security models (oh no, government interference!!! socialism!!!) makes our country weak and an easy target.
Make sure everyone's vote counts: Verified Voting
Insiders being paid off to look the other way?
Maybe.
Or maybe it's a gas station that isn't manned 24/7?
I've seen gas stations in the suburbs where they only have a clerk from say, 8am-8pm. During late hours when they don't get much business, you can use a credit card at the pump, but there's no clerk.
Go find a dumpster, pull out an old ironing board and 4 soup cans and build yourself a rocket powered skate board. Problem solved.
Adult Toys For Less