Slashdot Mirror


Criminals Hide Payment-Card Skimmers In Gas Pumps

tugfoigel writes "A wave of recent bank-card skimming incidents demonstrates how sophisticated the scam has become. Criminals hid bank card-skimming devices inside gas pumps — in at least one case, even completely replacing the front panel of a pump — in a recent wave of attacks that demonstrate a more sophisticated, insidious method of stealing money from unsuspecting victims filling up their gas tanks. Some 180 gas stations in Utah, from Salt Lake City to Provo, were reportedly found with these skimming devices sitting inside the gas pumps. The scam was first discovered when a California bank's fraud department discovered that multiple bank card victims reporting problems had all used the same gas pump at a 7-Eleven store in Utah."
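
The detection step in the summary above, a fraud department noticing that the cards with reported problems had all been used at the same pump, is commonly called common point-of-purchase analysis. The following Python example is an addition, not part of the original story or comments; the terminal IDs, card IDs, dates and thresholds are constructed for illustration.

```python
"""Common point-of-purchase (CPP) analysis over constructed sample data."""
from collections import defaultdict
from datetime import date


def rank_common_points(transactions, reported_cards, start, end, min_hits=3):
    """Rank terminals by how over-represented fraud-reported cards are.

    transactions   -- iterable of (card_id, terminal_id, day) tuples
    reported_cards -- set of card_ids whose holders reported fraud
    start, end     -- lookback window (inclusive) in which the compromise
                      is assumed to have happened
    min_hits       -- ignore terminals seen by fewer reported cards than this
    """
    cards_at = defaultdict(set)   # terminal -> distinct cards seen there
    seen = set()                  # every card active inside the window
    for card, terminal, day in transactions:
        if start <= day <= end:
            cards_at[terminal].add(card)
            seen.add(card)

    compromised = set(reported_cards) & seen
    if not compromised:
        return []

    # Baseline: share of all active cards that were reported. A busy
    # terminal is visited by many reported cards just because it is busy,
    # so raw counts alone would point at the local supermarket.
    baseline = len(compromised) / len(seen)

    ranked = []
    for terminal, cards in cards_at.items():
        hits = cards & compromised
        if len(hits) < min_hits:
            continue
        rate = len(hits) / len(cards)
        ranked.append({
            "terminal": terminal,
            "hits": len(hits),                         # reported cards seen here
            "total": len(cards),                       # all cards seen here
            "coverage": len(hits) / len(compromised),  # share of reports explained
            "lift": rate / baseline,                   # >1 means over-represented
        })
    ranked.sort(key=lambda r: (r["lift"], r["hits"]), reverse=True)
    return ranked


def _tx(terminal, day, cards):
    """Helper to build constructed sample rows."""
    return [(card, terminal, day) for card in cards]


# Constructed sample data: twelve cards, four of them reported for fraud.
WINDOW_START, WINDOW_END = date(2024, 1, 1), date(2024, 1, 31)
SAMPLE_REPORTED = {"c01", "c02", "c03", "c04"}
SAMPLE_TRANSACTIONS = (
    # One fuel pump: five customers, four of whom later reported fraud.
    _tx("PUMP-07", date(2024, 1, 10), ["c01", "c02", "c03", "c04", "c05"])
    # Busy grocery store: sees three reported cards, but also everyone else.
    + _tx("GROCERY-01", date(2024, 1, 12),
          ["c01", "c02", "c03", "c05", "c06", "c07",
           "c08", "c09", "c10", "c11", "c12"])
    # Cafe: only one reported card, below min_hits.
    + _tx("CAFE-02", date(2024, 1, 15), ["c04", "c06", "c07"])
    # Used by all four reported cards, but outside the lookback window.
    + _tx("KIOSK-09", date(2023, 11, 2), ["c01", "c02", "c03", "c04"])
)


if __name__ == "__main__":
    for row in rank_common_points(SAMPLE_TRANSACTIONS, SAMPLE_REPORTED,
                                  WINDOW_START, WINDOW_END):
        print("{terminal:<11} hits={hits} total={total} "
              "coverage={coverage:.2f} lift={lift:.2f}".format(**row))
```

The grocery store sees three of the four reported cards yet ranks below the pump, because its share of reported cards is lower than the population baseline; that normalization is what keeps high-traffic merchants from drowning out the one compromised terminal.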


  1. Great by areusche · · Score: 3, Interesting

    I remember running into something like this a long time ago when I was in New York City. There was this small piece of metal in the card slot. Needless to say I didn't insert my debit card in to find out what it was.

    How do I protect myself from a skimmer inside a gas pump?

    1. Re:Great by YrWrstNtmr · · Score: 5, Informative

      How do I protect myself from a skimmer inside a gas pump?

      Pay cash inside.

    2. Re:Great by Kitkoan · · Score: 2, Insightful

      How do I protect myself from a skimmer inside a gas pump? Pay cash inside.

      Or use a bike. Better for you and the environment too at the same time.

      --
      Attention... all grammer nazi"s! Is they're anything; wrong with: my post,
    3. Re:Great by Smallpond · · Score: 2, Insightful

      Pay at the counter.

      How does that help?
      http://www.wired.com/threatlevel/2009/10/florida_skimming/

    4. Re:Great by interkin3tic · · Score: 5, Funny

      Ride 50 miles one way to work on your bicycle.

      Not too hard, I'd only need to do it once before my boss fires me for being 4 hours late.

    5. Re:Great by eldavojohn · · Score: 4, Funny

      I remember running into something like this a long time ago when I was in New York City. There was this small piece of metal in the card slot. Needless to say I didn't insert my debit card in to find out what it was.

      How do I protect myself from a skimmer inside a gas pump?

      Step 1: Assume they're compromised.
      Step 2: Pull out the concealed Glock that every freedom loving American carries around and fire wildly into them.
      Step 3: If the machine is rendered out of order, move onto the next machine and go to Step 1. If someone tries to stop you, go to Step 1.

      But in all seriousness I think you could pick up a "preferred customer card" at some grocery store and carry that around with you. When you approach the pump, put that card in first. A compromised machine might feel weird and will most likely not respond to you inserting a card. An uncompromised machine will swipe easily and also think for a second and then ask you to reswipe your card. While not flawless, this is the best thing I can think of aside from prepaying at the attendant in the store or something really crazy like demanding to borrow a passerby's card to see if it works before you put yours in. It's also probably your best option if you buy gas after hours like I do. The unfortunate side effect is it wastes time and makes it look like you're flipping through maxed/stolen cards.

      --
      My work here is dung.
    6. Re:Great by zippthorne · · Score: 3, Insightful

      The counter takes cash.

      --
      Can you be Even More Awesome?!
    7. Re:Great by screamphilling · · Score: 4, Funny

      what if you're buying a bike and the credit card machine at the bike shop has a skimmer installed?!

    8. Re:Great by maxume · · Score: 5, Informative

      You seem confused. The skimmer is entirely parallel to the regular reader, it does not affect the operation of the pump.

      There will be no observable difference in the transaction.

      The most secure remedy is cash.

      --
      Nerd rage is the funniest rage.
    9. Re:Great by HybridJeff · · Score: 2, Insightful

      You could have said no. The clerk was probably just low on small bills and didn't want to clear them out if it wasn't necessary.

    10. Re:Great by John+Hasler · · Score: 4, Funny

      > Pull out the concealed Glock...

      A "Glock"? Please. That's an Austrian pistol. Every freedom loving American carries an M1911A1.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    11. Re:Great by fast+turtle · · Score: 2, Insightful

      That's why I don't have Credit/Debit Cards and only pay cash. Sure it's a PITA at times but I don't have to worry about this issue at all.

      --
      Mod me up/Mod me down: I wont frown as I've no crown
    12. Re:Great by SpazmodeusG · · Score: 2, Insightful

      No, pretty much all a card skimmer does is record the data on the magnetic stripe.
      They don't care what the data is or how the machine uses that data.
      A typical mag card reader that you can legally buy off the shelf will happily record the info on your driver's license or preferred customer card every bit as easily as on your credit card. Mag stripe cards have the data in plain ASCII text, credit cards included.

      If you've ever written a program that reads text data off a serial port and saves that data to a file you have all the knowledge you need to create a credit card skimmer that won't get confused based on what card is inserted.

    13. Re:Great by pwizard2 · · Score: 3, Insightful

      Not everyone lives in $big_local_city for a variety of reasons. (crowded conditions, crime, expense, etc.) If you live out in the sticks, (essential if you want to own a plot of land that is somewhat bigger than what your house actually sits on) public transportation or biking is not a serious option. Plus, who the hell wants to bike to work and get sweaty in the summer and freeze during the winter?

      --
      "It is a denial of justice not to stretch out a helping hand to the fallen; that is the common right of humanity."
    14. Re:Great by Kitkoan · · Score: 5, Insightful

      How do I protect myself from a skimmer inside a gas pump?

      Or use a bike. Better for you and the environment too at the same time.

      Okay, that's one problem avoided. So then how would one protect themselves from a skimmer on any other type of card reader, like at an ATM, vending machine, or a gas pump since no, you can't always just bike everywhere.

      Ok, on a serious note about the problem. How to figure out a solution to this problem. Issue is, there isn't a simple answer.

      Some might say we just need more education on the subject. But let's be honest. That won't work, never has, never will. People have been told that about everything from health (eat less processed/junk food, exercise more, etc... and as there are more people obese today than ever shows how well that works), to drugs (I've heard of the problems with things like crack since the 80's when I was born, and it's still being used today), to the basics of never share passwords but these things still happen.

      Others might say we need more surveillance with cameras and police. But this isn't working either with Britain having millions of CCTV and also being the most violent country in Europe ( http://www.dailymail.co.uk/news/article-1196941/The-violent-country-Europe-Britain-worse-South-Africa-U-S.html ). So this is also not a solution.

      Other things need to be taken into consideration. Why are these happening? People need money more than before with a lack of jobs due to the recession. Also the ease of availability of these problems (these machines are showing up in more and more places). Also a lack of security in these newer forms of payment that are shown to be insecure ( http://tv.boingboing.net/2008/03/19/how-to-hack-an-rfide.html ) yet still forced upon the consumer due to the millions funded into these technologies and the fear of admitting these losses to shareholders.

      Many of these companies and people are no doubt hoping things like DMCA laws and their inclusion into global laws like the ACTA will help get rid of the problems since it will make the technology illegal (these break digital security locks). Thing is, again it won't work. Drug growers have shown that when these problems come about, people will just go underground and look for other ways to do this. This was shown during the Reagan years of the war against drugs. As time passed, it was harder to smuggle weed from places like Afghanistan, so people started shipping hash. Same type of drug but smaller and easier to ship. After that came hash oil since it was again smaller and the law started to figure out about hash. When hash oil was found out, people started to look into hydroponics (a new growing method for plants of ANY kind) and found they could grow a better crop (better watered, fed, controlled, etc...) in the country bypassing the issue of smuggling it in. And just like pot dealers/growers showed that the law means little in the end to get what they want, same will happen with this and as with every crime in history.

      --
      Attention... all grammer nazi"s! Is they're anything; wrong with: my post,
    15. Re:Great by nomadic · · Score: 2, Funny

      You communist. Real Americans carry not one but two pearl-handled, silver-plated Colt .45s, which they are permitted to shoot into the air and shout "yahoo."

    16. Re:Great by Itninja · · Score: 3, Interesting

      Or you could do what I do and just get a dedicated gas card from Chevron, Shell, etc. Then, even if it's scanned and compromised, all they could get is $40 worth of gas (and snacks) at a time.

      --
      I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
    17. Re:Great by Daengbo · · Score: 3, Insightful

      I don't think that there was anyone talking about forcing anyone to do anything. In fact no one forced you to argue via reductio ad absurdum, but you did it, anyway. Isn't freedom nice? :)

      More seriously, most people could commute less. Many people could do without a computer (or ten). In fact, that's common in Asia, where gamers don't want to waste a bunch of money upgrading constantly. The game room absorbs the cost over many clients. More people could live in apartments or planned housing, which speaks directly to the AC that said he lives 50 miles from work in order to have a large house and yard. Not everyone needs to be Mr. Blandings.

      People get to make that choice: I don't want to let them pretend that they had no choice or were required to buy a house or an SUV, unless they were. Most people just want to keep up with the Joneses, even if that means going into massive debt, commuting an hour and a half each way, and getting all the massive stress that goes along with those things.

      Me? I'll take a condo, a bike, public transportation, no debt, and two years' living money in the bank. It's better for my health. It's better for my future.

    18. Re:Great by Capt.+Skinny · · Score: 3, Insightful

      Not everyone considers homes and jobs fungible.

      Some of us invest significant thought and effort into finding the right home in the right area, maintaining it well, making improvements (e.g. replace the Linoleum with tile one year, build a larger deck the next, plant trees in the yard after that), getting to know the neighbors, etc. Having pride in and enjoying a home can easily outweigh an hour or more commute, and giving that up can be a very big deal for some people.

      The same goes for jobs. Some people do in fact work for more than just a paycheck -- they identify with and take pride in their company and their work; they work hard not just to advance their career, but because they genuinely want to see the company improve and succeed. Here, too, giving that up can be a big deal.

      Exchange for a better option? It's a matter of personal preference. If being able to ride your bike to work is important to you, changing your home or job might be the "better option." Just know that for some, the current home and job are the better option -- and the commute is an insignificant price to pay for being happy with each.

    19. Re:Great by Anonymous Coward · · Score: 2, Funny

      Dear coworker,

      That change of clothes just isn't cutting it.

      Sincerely,
      The cubemates of "The Goat"

    20. Re:Great by Laser+Dan · · Score: 4, Funny

      what if you're buying a bike and the credit card machine at the bike shop has a skimmer installed?!

      Use a car.

    21. Re:Great by dwillden · · Score: 3, Informative

      Good analysis. The skimmers in question were built by someone who knows their way around these pumps. They evidently replaced the entire panel. The device would read the card data, and record the typed in PIN. It then held the data until the paired Bluetooth receiver came in range and then would dump its data.

      No need to sit in proximity to the compromised pump. I haven't seen anything on the storage capacity but I dare say whoever was doing this just downloaded when they filled their tank up, or when they'd stop by for morning coffee.

      The way they were able to make the switch is all pumps nationwide are made by only two manufacturers, and those manufacturers each have A key design to open their pumps. Two keys can open every modern gas pump in the country.

      All the perps needed to do was get access to one machine of the model used at the targeted 7-11. Rewire the front panel from that one. Make the swap and rewire the swapped out panel for the next pump they want to wire.

      Contrary to TFA, most reports are that only one or two stations were found to be compromised, but given time that number could have quickly grown.

      Up above I linked to an article about a Gas chain that heard of this potential scam, identified the weakness in the key system and re-keyed all their pumps with each store having a unique key pattern for its pumps. Not perfect, but makes the inside part of such an inside job have to be an employee of the store the pump is located at.

      --
      I'm too lazy to compose a creative sig.
    22. Re:Great by syousef · · Score: 3, Funny

      Ride 50 miles one way to work on your bicycle.

      Not too hard, I'd only need to do it once before my boss fires me for being 4 hours late.

      This is your boss. You're fired for slacking off on slashdot.

      --
      These posts express my own personal views, not those of my employer
    23. Re:Great by BJ_Covert_Action · · Score: 4, Funny

      I know you're a Brit because you used the word, "Yank" - no one here says that. Few people will even claim to be Yankees.

      We laugh at people on the internet for blowing things out of all proportion. It's nicknamed, "a series of tubes," for a reason.

      I kept reading your post after I noticed the Score: 1 Flamebait moderation, sometimes they are too silly to pass up. Sorry you tea drinking, haughty twit.

      Say American next time. We won't even make fun of you for getting your ass kicked a couple hundred years ago by a bunch of degenerates with pitchforks and your uptight neighbors that have something against shaving.

      =P

  2. Re:This isn't new by Jah-Wren+Ryel · · Score: 5, Informative

    I remember at least 10 years ago at an Arco station had a sticker on the machine that said don't enter in your card if the reader looks weird. I have also seen that warning on swipe ATMs.

    The new part is that the reader does NOT look weird.
    It looks physically identical to the standard reader.
    Didja even read the summary?

    --
    When information is power, privacy is freedom.
  3. Russian mob was doing this in the 1990's by DVD9 · · Score: 5, Insightful

    And yeah maybe it is an inside job. Paying clerks $6.00 an hour to work from midnight to 8:00AM does not buy a lot of loyalty. Where do you think most of the pilfered credit card numbers really come from? Try paying people a living wage and this won't happen. Employees who have to live with their mother are not averse to listening to someone's criminal scheme, which to them sounds like justice rendered.

    --
    Why do "Al Qaeda" bulletins allegedly authored by Osama Bin Laden sound as if they were authored by Oliver North?
    1. Re:Russian mob was doing this in the 1990's by riker1384 · · Score: 3, Insightful

      You gonna pay extra for gas from a station that pays its clerks "living wage"?

    2. Re:Russian mob was doing this in the 1990's by John+Hasler · · Score: 4, Informative

      No. He expects the station owner to run it as a charity.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    3. Re:Russian mob was doing this in the 1990's by Dalambertian · · Score: 2, Insightful

      Do you pay extra for cotton?

    4. Re:Russian mob was doing this in the 1990's by raddan · · Score: 4, Interesting

      That's a good point, and obviously the answer is 'no'. I recently had my CC # stolen by a pizza guy. I had just finished something like a 15-hour shift at work, I was tired, and I fell for a scam that, in retrospect, I should have caught on to immediately. Despite the fact that I ordered and paid for the pizza ahead of time, on the web, he told me that he "needed an imprint" of the card. Then he starts making the imprint with... his key? And then (and this is really where I kick myself), I take the original receipt and he goes, "Oh, nope, I need that one" and swaps with me. Of course, the carbon copy (which I am supposed to take but which he took) has the nicest key-imprint on it.

      About 45 minutes after this happened, my CC company calls me to check on purchases that were made not five minutes ago at a "discount clothing store in the Bronx" (I live in Boston). Now, I am certain that this is the source of the theft, because prior to that, I had not used the card in several months.

      My understanding is that the banks themselves don't absorb this loss because they pass it on to the merchant-- the merchant absorbs the loss. But I have to wonder whether banks (and credit card users) would be better (and cheaper) served by simply fixing these security problems now. Those fancy fraud-detection units can't be cheap. Our existing CC/ATM system is woefully anachronistic.

      I briefly asked myself, if this guy, who was Hispanic, and given his choice of profession, probably poor, deserved some sympathy when it came to CC theft, and I quickly decided: no. There are many, many other people who are in exactly the same position, or worse, and they choose to do the right thing regardless. CC thieves are thieves. They don't point a gun at you, but the end result is the same thing.

    5. Re:Russian mob was doing this in the 1990's by TrekkieGod · · Score: 3, Interesting

      Despite the fact that I ordered and paid for the pizza ahead of time, on the web, he told me that he "needed an imprint" of the card. Then he starts making the imprint with... his key? And then (and this is really where I kick myself), I take the original receipt and he goes, "Oh, nope, I need that one" and swaps with me. Of course, the carbon copy (which I am supposed to take but which he took) has the nicest key-imprint on it.

      First of all, as somebody else already replied to, card imprints from pizza deliveries are the norm. It's not a scam, it's something they do.

      About 45 minutes after this happened, my CC company calls me to check on purchases that were made not five minutes ago at a "discount clothing store in the Bronx" (I live in Boston). Now, I am certain that this is the source of the theft, because prior to that, I had not used the card in several months.

      Then it can't possibly be the dude. 45-minutes is nowhere near enough time. You think if the pizza delivery guy is running a scam getting credit card imprints that he's just going to get ONE and then run off and start using it? And at a store? Do you think he just took your receipt and handed it over to the cashier when she told him how much the purchase was?

      The actual imprinting scams involve scanning the magnetic strip, and making cards that people can use by actually scanning it at stores. I had my debit card skimmed (and so did a bunch of my friends, at the same time). The police eventually tracked it down to a waiter at a Ruby Tuesday restaurant. Apparently he would scan customers' cards when he took our checks. It took months from the time he did so for the first purchases to occur, because the people doing the skimming are rarely the same people using the cards. They sell the information, other people make the cards, other people use them.

      I briefly asked myself, if this guy, who was Hispanic, and given his choice of profession, probably poor, deserved some sympathy when it came to CC theft, and I quickly decided: no.

      I'm going to assume you're not a racist moron, but I am wondering what the fuck him being Hispanic has anything at all with either being a thief or with a reason why a thief would deserve sympathy. Why did you even bother mentioning that factoid?

      --

      Warning: Opinions known to be heavily biased.

    6. Re:Russian mob was doing this in the 1990's by QuoteMstr · · Score: 3, Insightful

      Yes, because if he's paid more, he and people like him have more money to spend on the things I make. A race to the bottom is bad for the economy and bad for society.

    7. Re:Russian mob was doing this in the 1990's by ShakaUVM · · Score: 3, Interesting

      >>Where do you think most of the pilfered credit card numbers really come from?

      I had a friend (and no, it really was a friend, not me) that was involved in a ring of guys that did that sort of stuff out of Northridge. They'd take lists of CC numbers, pair them with PINs, reprogram some new cards using mag card writers, and then go to some place around 11:30, pull out all the money they could, wait for midnight to flip around, pull out all the money they could, split the money amongst them all, and bailed.

      They'd use card readers and compromised clerks to get the CC numbers, and shoulder surfing (I imagine) to get the PINs. They'd move from gas station to gas station randomly in the LA area.

      Now you know, and knowing is half the battle.

    8. Re:Russian mob was doing this in the 1990's by Bent+Mind · · Score: 2, Funny

      Paying clerks $6.00 an hour to work from midnight to 8:00AM

      They still have those? I thought they replaced them all with card readers years ago.

      --
      Request a Linux Shockwave player here: http://www.macromedia.com/support/email/wishform/
    9. Re:Russian mob was doing this in the 1990's by Inda · · Score: 2, Interesting

      Around here they'll fix a new front to the ATM, making sure they cover the camera lens, rent the flat above a shop opposite and place a camcorder facing out the window.

      I'm still amazed that people don't cover the num-pad when in shops. There are CCTV cameras everywhere.

      --
      This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
  4. Nothing New by corychristison · · Score: 4, Interesting

    This got my credit card over a year ago in Saskatchewan, Canada. However, my card was skimmed at a do-it-yourself ticket-terminal at the local movie theatre.

    It turned out it was a very large network of people who came together and organized the attack and paid people all over the country to do this and sent the info back to 'headquarters' in Ontario Canada.

    They racked up over $600 in charges and it all appeared to have been used at Gas stations in Toronto / Mississauga in Ontario.

    They put these things on any 'do-it-yourself' terminal they could find. This included pay-at-the-pump gas stations, ATM's, and any kiosk that could read a debit/credit card.

    Luckily Mastercard covers things like this so it was much easier to report and reverse than a few friends of mine who had their debit cards skimmed. They had a much harder process to deal with.

    The move to "Chip" cards (http://en.wikipedia.org/wiki/Chip_card) is rapidly increasing these days. I know my local credit union is fully switched over, although maybe half of the retailers in town actually support them.

  5. Who is the victim? by erroneus · · Score: 5, Insightful

    Let's define this scenario clearly. You put your money in a bank. The bank then gives you access to the bank's services. It's not access to "your" money so much as it is access to a money exchange service. (Think of an ATM and similar services as a vending machine that serves up cash and other things in exchange for the money in your bank account.)

    Now there are the criminal parties. These parties are the ones who come in and exploit weaknesses in the system to get cash and other things. In the course of exploiting these weaknesses, they use the credentials of other people to extract the cash and other things from the actual victims.

    Who are the actual victims? They are the banks themselves and they are the sellers of other things.

    When the people whose credentials were used in the commission of a crime against the banks and merchants are charged with responsibility for the criminal acts, it is the banks and merchants who are victimizing the people... their customers! The criminal performed their crimes against the banks and merchants. It is the banks and merchants who are passing the burden along to the innocent individuals who quite literally have no way to protect or control the situation. It is the banks and merchants who have the means to control and protect.

    Every time I hear "identity theft" and other referrals of uninvolved parties as victims of a crime, the lie bothers me. These banks and merchants have created a system that is weak and exploitable that uses its customers as a buffer and even a shield against those weaknesses. You cannot protect your "secret information" so long as it must be shared in order to use it. And once that information is out there and used, the banks and merchants take money from your account instead of theirs. The original victims are, in turn, victimizing the innocent by declaring that the innocents are victims of the original crime.

    I am sure there are plenty of people who disagree with my sentiments on the matter. But if you do, point out the flaw in the logic I presented.

    1. Re:Who is the victim? by randy+of+the+redwood · · Score: 4, Interesting

      Actually, my wife was a victim of this type of scam recently. They systematically cleaned our entire checking account out.
      I, like you, felt that the bank's money was stolen, not ours. I put my money in the bank, and had not withdrawn it, so this was essentially a remote bank robbery in my opinion.
      Where it gets interesting is this is EXACTLY how the bank treated it. They immediately refunded all money to the account, and then went after the fraud on the other end of the transaction.
      Not sure if all banks treat you this way, but B of A did us right. (And they are usually listed as the most evil of providers, so I tend to think they are not unique).
      I think identity theft was a real problem 10 years ago before it was understood, but now the banks realize it is not fraud by the victim in most cases and deal with it fairly.

      --
      The sun is the same in a relative way, but you are shorter of breath and one day closer to death
    2. Re:Who is the victim? by Jah-Wren+Ryel · · Score: 2, Informative

      Yeah, the Fed pronounced that mandatory overdraft covers was verboten and that it had to be opt-in, but it isn't 100% - it doesn't apply to things like checks or scheduled payments and the change doesn't go into effect until July.

      --
      When information is power, privacy is freedom.
  6. My solution for just about anything, actually by CorporateSuit · · Score: 5, Funny

    If you have a pair of sunglasses and a jacket, you should be good to go.

    1: Get a $10-$25 cash card from your credit card company
    2: Slide it through the card reader
    3: Light up a cigarette
    4: Spray gas all over the pump
    5: Slowly walk away, flicking the smouldering cigarette behind you, onto the pump. Speak a one-liner about gas, pumps, explosions, fire, smoking, or credit card fraud. It is very important NOT to laugh at your own joke.
    6: No matter how hot your back suddenly gets, keep walking slowly and DON'T turn around, (glass or shrapnel is going to hit you, it's better to take it in the back than in the face.)
    7: Never worry about gas pump skimmers for the rest of your life.

    --
    I am the richest astronaut ever to win the superbowl.
    1. Re:My solution for just about anything, actually by Stoutlimb · · Score: 2, Funny

      I am a gas pump mechanic, and I've wanted to do the same thing sooooo many times!!!!

  7. Alternate title by drewm1980 · · Score: 5, Funny

    After waiting patiently for the US Government to implement a carbon tax, the ever-altruistic Utah mafia has decided to take matters into their own hands.

  8. Re:Kdawson FUD by __aaclcg7560 · · Score: 5, Funny

    We oldsters in the 1970's used to skim gas out of the gas tank. Some of the more ballsier-types would steal whole gas tankers. The fact that you can skim debit cards at the gas pump without spilling gas on yourself is a great technological improvement since you don't have to resell the gas.

  9. Never use Debit by TheNarrator · · Score: 2, Interesting

    Obviously you have to use debit at an ATM, but at gas stations I use credit, even with my debit card, because once they have your PIN they can get cash out of your account and not just do a credit card charge. The crooks would much rather have the greenbacks than having to buy crap with your stolen card and fence it.

    1. Re:Never use Debit by Mad+Merlin · · Score: 3, Informative

      The bank is also far more likely to go to bat for you over a fraudulent credit card charge than a fraudulent debit card transaction. The reason, of course, is that in the former case, it's the bank's money on the line (until you pay them), but in the latter case, it's your money on the line.

    2. Re:Never use Debit by TubeSteak · · Score: 3, Informative

      The bank is also far more likely to go to bat for you over a fraudulent credit card charge than a fraudulent debit card transaction. The reason, of course, is that in the former case, it's the bank's money on the line (until you pay them), but in the latter case, it's your money on the line.

      Actually... the bank is most likely to go to bat for you over credit card charges because the consumer protections on credit cards are vastly stronger than the protections on debit cards.

      I've never used a debit card for just that reason. You have a problem with your credit card and it's just the one card that might get frozen. You have a problem with your debit card and your bank account might get locked down, which usually leads to a cascading array of problems for most people.

      --
      [Fuck Beta]
      o0t!
  10. Re:I guess I wouldn't be that hard... by MichaelSmith · · Score: 2, Insightful

    Buy a commercial van, outfit it with signage "Bobs fuel pump repair services" or some such. Carry the right tools. Make the attendant sign a receipt for the work. Turn up, install your stuff and go. Fake plates obviously.

  11. hit twice... by PhantomHarlock · · Score: 4, Interesting

    I've been the victim of skimming twice. I love paying at the pump but it's getting out of hand. Even with a credit card it's the inconvenience of filing a dispute, canceling the card, etc. This time they laundered the money by buying five $200 wal mart gift cards with a cloned card.

    Here locally they say it's been the Fast Trip and AM PM stations that have been hit. The two with the lowest prices of course.

  12. Re:Kdawson FUD by zx-15 · · Score: 4, Funny

    Hosers!

  13. wow..... by trum4n · · Score: 3, Funny

    Never thought I'd get ripped off by a gas pump.

  14. Re:This isn't new by __aasqbs9791 · · Score: 2, Insightful

    I just assume that half of all the comments on here are the result of millions of monkeys in front of millions of keyboards, with some sort of quick check to filter out most of the comments without real words in them.

  15. Re:This isn't new by Stoutlimb · · Score: 2, Informative

    I'm a gas pump mechanic, and I'm shocked it's not way more prevalent. A handful of keys that anyone can buy from a petroleum maintenance supply store, without any questions, will open every gas pump on the continent. And most employees at gas stations don't watch their videos continuously, some don't even have video surveillance. The parts inside are easy to swap, as they are very similar to the way a PC is set up, with ribbon cables, USB, etc. I found myself staring at the card reading gear and being amazed at how simple the gear really is, and how easy to swap.

    Heck, the security is so poor on most pumps, that I could just crack a panel open a little, and with just a small pair of pliers and 15 seconds, make the pump give me a major discount on gas.

    Gas pumps are almost entirely built on security by obscurity. I've only ever seen a handful of gas stations in my travels that have any kind of security system in place to detect if the panels have been opened.

    That being said, I don't sweat about being ripped off at the pump, and I just go about my life worrying about much more important things.

  16. How to solve this for good by jonwil · · Score: 4, Insightful

    Equip all cards with a simple chip. This chip contains an encryption algorithm (something strong enough to not be easily cracked by running brute force on data packets). It would also contain a secret key unique to your account. And it should not give the key itself out.

    Then the reader sends a formatted packet containing the PIN (if entered), the options (credit vs debit etc) and the amount of the purchase. The card encrypts this data and hands the reader a data packet saying "this is a chip-and-pin transaction" and containing the encrypted data. The reader sends this through the bank networks to the issuing bank.

    The issuing bank has another copy of the secret key which it uses to decrypt the data packet and validate that the transaction is possible (i.e. enough money there etc) and returns a "yes, proceed" result to the card reader. The bank would ONLY record the transaction as a chip-and-pin if it was sent through this process (thus preventing dodgy or compromised swipe-only terminals reading the mag stripe and running up the transaction like a mag stripe transaction but telling the bank it's chip-and-pin).
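
The exchange this post describes, sketched as an added example (not part of the thread, and not how EMV chip-and-PIN works). It uses an HMAC tag in place of the encryption the post describes, because Python's standard library has no block cipher; the class names, packet layout and replay counter are assumptions.

```python
import hashlib, hmac, json, secrets

def _tag(key, pin, body):
    # The PIN is mixed into the MAC rather than sent, so it never crosses the wire.
    return hmac.new(key, pin.encode() + b"|" + body, hashlib.sha256).hexdigest()

class Card:
    """Holds the per-account secret and only ever emits tagged packets."""
    def __init__(self, account, key):
        self._account, self._key, self._counter = account, key, 0

    def authorise(self, pin, options, amount_cents):
        self._counter += 1  # assumption: not in the post, added to stop replays
        body = json.dumps({"account": self._account, "options": options,
                           "amount": amount_cents, "counter": self._counter},
                          sort_keys=True).encode()
        return {"type": "chip-and-pin", "body": body,
                "tag": _tag(self._key, pin, body)}

class Bank:
    def __init__(self):
        self._accounts = {}

    def issue(self, account, pin, balance_cents):
        key = secrets.token_bytes(32)  # shared secret: one copy here, one on the card
        self._accounts[account] = {"key": key, "pin": pin,
                                   "balance": balance_cents, "counter": 0}
        return Card(account, key)

    def process(self, packet):
        try:
            fields = json.loads(packet["body"])
            acct = self._accounts[fields["account"]]
        except (KeyError, TypeError, ValueError):
            return "declined: malformed"
        expected = _tag(acct["key"], acct["pin"], packet["body"])
        if not hmac.compare_digest(expected, packet["tag"]):
            return "declined: bad tag or PIN"
        if fields["counter"] <= acct["counter"]:
            return "declined: replay"
        if fields["amount"] > acct["balance"]:
            return "declined: insufficient funds"
        acct["counter"] = fields["counter"]
        acct["balance"] -= fields["amount"]
        return "approved"
```

A reader that alters the amount after the card has tagged it is declined, and so is a recorded packet sent twice. The card still tags whatever amount the reader hands it, which is the hacked-reader problem raised further down the thread.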

    1. Re:How to solve this for good by syousef · · Score: 2, Informative

      If you use a PGP key, you don't need a 2nd copy of the secret key at the bank, just the matching public key.

      --
      These posts express my own personal views, not those of my employer
    2. Re:How to solve this for good by jimicus · · Score: 2, Informative

      Wow, what an amazing and original idea. You should sell it to Mastercard - you'd make a fortune.

      Oh, wait...

    3. Re:How to solve this for good by jonwil · · Score: 2, Interesting

      The problem with chip-and-pin is that the implementation is broken because it relies on the security of the card reader. My method does not rely on the security of the card reader and is not vulnerable to hacked card readers (wasn't there a recent story on here about chip-and-pin being broken?)

      Designed right, it's possible to even protect the account number so that only the smart card and the bank can see it (and since you never present enough of the mag strip to the mag strip reader, it can't read data from there).

    4. Re:How to solve this for good by jimicus · · Score: 2, Insightful

      Would redeveloping chip & pin to solve the known issues and rolling out new terminals cost significantly more than the anticipated losses through fraudulent chip & pin transactions? Because as far as the bank is concerned, if the losses they have to eat are £100,000 per annum but the extra cost is in the millions, it'll be a long time before they can justify the investment.

    5. Re:How to solve this for good by Anonymous Coward · · Score: 2, Informative

      The Chip and PIN implementation is broken largely because it is very complicated. Between your idea being accepted as a good idea and being implemented by the world's card issuers, it too would become very complicated, and thus likely broken.

      The mistake made for Chip and PIN (a conscious decision which was erroneous) was not to allow third parties to audit the complex system before it went public. This makes no sense, because all it did was increase their costs (they will now have to replace parts of the system to fix known holes, instead of re-designing it while it was still on the drawing board).

      But your system isn't actually any better than Chip and PIN, except that since it's described so briefly you can claim it isn't "broken" because you haven't offered anything to break.

      In terms of design class vulnerabilities, it has all the same problems as Chip and PIN. Most notably for offline transactions it's vulnerable to the "yes card" attack, and for online transactions it is in fact vulnerable to "bad proxy" hacked card readers -- the bad guys hack the reader so that it is authorising a payment they're doing in a jeweller's nearby. You "pay for gas", enter the right PIN, things seem OK, but actually you bought thousands of dollars of easily fenced jewellery.

      This stuff is hard, which is why Chip & PIN should have taken 2-3 extra years with independent experts from the crypto community finding problems and figuring out solutions. But it can be rescued; so long as governments or courts ensure banks suck down the cost of fraud due to failures of Chip & PIN, there will be an incentive to fix things.

    6. Re:How to solve this for good by Xibby · · Score: 2, Informative

      Problem with a new solution is dealing with all the legacy hardware out there for processing transactions. Retailers have to buy new readers that would support both old and new cards, or buy new readers and keep the old ones in service. Retailers' profits are hurt.

      Card Issuers could force the changeover by only processing transactions with the new cards, but if retailers push back and do not install new readers, the Card Issuers' profits take a hit.

      Consumers would have to update as well. Some people just won't do it. Example: Old ladies who have an old card without a mag stripe and no expiration date in their deceased 25 years ago husband's name. Card issuers and retailers can either lose out on the transaction or make the sale.

      A bit of a stalemate all around really until the cost of dealing with the fraud exceeds the cost of updating the hardware.

      --
      I'm going to go back in my box and will think within the limits of my box: MS Sucks Linux Good I read too much Slashdot.
  17. Re:I guess I wouldn't be that hard... by Stoutlimb · · Score: 2, Funny

    As a gas pump mechanic, I can say that most of those security features are just security theatre. Anyone with even 1 week's apprentice knowledge of gas pumps can probably get into most pumps without notice, after hours or not.

    Also, a safety vest, hard hat, clip board, fancy business card, and an attitude will get you everywhere. Hell you could probably get them to turn off all their security cameras for "testing" purposes too LOL.

  18. Re:Kdawson FUD by moeinvt · · Score: 3, Funny

    My grandfather stole horses...
    My father smuggled cigarettes...
    My brother stole gas...
    I, meanwhile, read Slashdot...

    Jeesh, you're an embarrassment to your family's 3 generations of nefarious activities! Get your butt in gear and write some malware or something. :-)

  19. Good move by GameboyRMH · · Score: 2, Interesting

    You nearly got carded.

    http://en.wikipedia.org/wiki/Lebanese_loop

    How can you protect yourself? It's not easy anymore. You now see that a compromised machine doesn't necessarily have semi-obvious modifications you can see from outside. I think people will have to start using temporary credit cards with low limits more often.

    I don't know if it was intentional but this seems to have been predicted in Batman of the Future - the characters carry around a large number of "creds" and each one seems to have a limited value. They also used portable devices to trade them - totally possible these days with short-range RFID and readers which could be built into smartphones.

    They don't seem to have any authentication (and are sometimes traded like cash). A system like this could work - instead of mints printing money, they'd recycle "creds" which you can then get from the bank and assign to your account. I mean we're already using fiat currencies anyways.

    Or maybe I'm getting ahead of myself - if the credit card system were to be overhauled, it would be easier to give the credit card some computational power rather than being basically a glorified barcode sticker (which you can now copy at range, thanks to RFID-enabled credit cards). Put some buttons and a screen (or a touchscreen) right on the credit card and have the card itself initiate an SSL (or similar) connection to the server, using the ATM only to act as a network access point (using some kind of very short range wireless or optical networking) and propose a transaction to the card (send $18.99 to SHIRTCO (Seller verified!) for T-SHIRT, Accept/Deny?). A MITM wouldn't be possible with no way to intercept keypresses or any legible network traffic. With the card running from a ROM, and with no way to access any onboard storage, data couldn't be stolen from there either. Carding someone in a system like this would have to start by physically stealing the card, and with the possibility of deactivating its account on the server side you'd also have to kidnap the owner.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel