Slashdot Mirror
More Gas Station Credit-Card Skimmers
coondoggie notes a Network World piece on credit-card skimmers found installed in gas pumps, this time in Florida. Like the similar wave of attacks in Utah earlier this year, the latest crop uses Bluetooth to transmit the illicitly collected data. Does this mean an accomplice has to hang around within 3m of the pump? "The Secret Service has indicated there's a crime wave throughout the Southeast involving the gas-station pump card skimmers, and it may be traced back to a single gang that may be working out of Miami... St. Johns County in Florida has also been hit by the gas-pump card skimmers. [A local sheriff's department spokesman] says criminals wanting to hide the credit-card skimmers in gas pumps have to have a key to the pump, but in some cases a single key will serve to get into many gas pumps." Here's an insight from the banking industry on the skimming fraud.
Does this mean an accomplice has to hang around within 3m of the pump?
No. What it means is that there's no need for there to be a wire that leads to the skimmer's recording device... which now can be hidden in the next pump over. This also means the mag reader could be placed in the pump without a recording device, therefore requiring the pump to be taken apart for inspection, adding to the cleanup costs.
Remember, once a fraud becomes so expensive to clear up that the expenses are greater than the total loss, then it's almost allowed to continue unchecked.
It seems that the sort of people dedicated enough to develop this attack would also be able to learn to pick locks. I don't know for sure, but I'd guess that a gas pump lock isn't very tough to pick. There's no reason that most people would want to open a gas pump, so there's no reason to use a very expensive, pick resistant lock on it.
I always pay for gas in cash. I think I will not change this personal policy in the near future.
I've noticed that my bank has introduced new ATM's to combat skimming. The card reader now has flashing lights, and the display shows a picture of what the card reader should look like.
One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
Does this mean an accomplice has to hang around within 3m of the pump?
No, a Class 1 Bluetooth device has a range of up to 100m.
Why don't they make gas stations check their pumps once a day for skimmers? Perhaps when they set the price in the morning. Seems relatively simple.
Those who can, do. Those who cannot, sue.
I'm usually paranoid about such things, but I didn't even notice. Chase was really on the ball with it though. The crooks who stole my card weren't able to charge a damn thing, because their first attempt tripped the alarm bells.
These skimmer gangs are pervasive, though. They have people working on the inside at retailers everywhere. When mine was skimmed, they tried to use the card to buy several DVD players at a Walgreens nearby within minutes of me buying gas. As it turned out, they had skimmed several dozen cards that morning and had people working in retail stores all around the area trying to buy mostly electronics merchandise with the card numbers. It was a pretty large theft ring...
The US really needs to get on board with EMV chip & PIN. Once Canada finishes it's conversion America will be the last major mag-stripe holdout. ZIP-confirmation and other two-factor authentication hacks aren't going to cut it. Chip isn't 100% perfect, but it is 1,000x more secure than an unencrypted mag stripe and has yet to be compromised in the wild. Combined with EMV-compliant contactless payments and PIN-less low value transactions (so that PINs aren't captured en masse), the situation could be greatly improved.
Also, since the US isn't switching, the rest of the world needs to keep a mag strip on their cards. This leaves a major vulnerability open and will result in continued international skimming but with exploitation migrating to the US.
When you have nothing left to burn you must set yourself on fire
Probably also ensures that the skimmers are working properly.
Simples!
Since none of the articles linked to by the summary felt it was relevant to mention what these skimmers actually look like, here's an article from Consumerist.
Facts do not cease to exist because they are ignored. -Aldous Huxley
I'm not sure if it is, no sources mention it but skimming ATMs was big in Moscow RUSSIA in beginning of 2000s. ATMs were relative novelty and people would never question the look of it.
It took a while to realize that US folks are just as vulnerable to this and the party moved here.
Who says the skimmer has to transmit the skimmed numbers as soon as they are skimmed or that physical possession of the device needs to be reattained? The skimmers could store the numbers and respond with them on request. Criminal drives by the area and remotely queries skimmers downloading all of the data. Please ask why anything so easily copied serves as an authentication scheme for something so universally in demand. Fortunately for us consumers the banks eat most fraudulent credit card transactions, but these same negligent authentication procedures cost individuals tons of money for copied social security numbers.
The religions are meant to enslave and execute people unless they adhere to the largely illogical creeds. It's time to cleanse the world of these blights.
FTFY
What we need to do is make every debit and credit card use something like an RSA Secure ID token and make the user type in the pseudo random synced 6 digit code for every purchase. And then allow only one transaction for a card in that ~1 minute timeframe that the code is valid.
That would cut down on 99.99% of all opportunity for credit card fraud. You would either need the card/token on hand or have the algorithm and enough instance data to derive the key through brute force means.
The only downside to this is that recurring credit card charges would no longer work... So there is no downside.
If the system was designed in such a way as to allow the generation of 1 time keys, instead of an embedded 16 digit number, this wouldn't be a problem. This could have been fixed 10 or maybe even 20 years ago... but we have the lowest possible cost system in place, and fraud is just a cost of business instead of a crime.
Interesting that this "insight from the banking industry" doesn't seem to indicate the banks have any responsibility for the problem.
There once was a time that people took their money to the bank for safekeeping. I think banks have partly weaseled themselves out of the security side of the business, and what used to be called "bank robbery" they now call "identity theft." Which works ok for the bank, seeing how it's the customer who lost the money and it must have been the customer's fault, or the gas station's, or the POS equipment vendor's.
The bank, which should act like a watchdog, portrays itself as something of an innocent bystander.
(1) Takes extra time to visit a clerk and pay cash.
(2) Amount not recorded automatically. Have to mess around with receipts. During high price periods my gas usage approaches 5% of my budget and should be tracked.
(3) Requires carrying around more cash, especially in periods when prices are high.
Credit/debit companies make money on volume. They balance a certain level of fraud against the ease of obtaining credit. Thats why there is pin-less debit and signature-less credit below certain threshholds.
pun not intended. Seriously, a lot of crooks are stopped cold by simple measures, and it's a cheap solution.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
The article mentioned shim attacks, which I took to mean a mini-reader stuck into the real reader. Are they comming in pretending to be maintenance and getting to crack open the pump that way?
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
After several years of being told by banks to watch out for large plastic attachments to ATM card slots, I've noticed that an increasing number of bank-owned ATMs now have them as a part of their design. The simple, flush-mounted card slot on a grey plastic / metal bezel is now giving way to a protruding translucent green plastic bulge on grey plastic / metal bezel.
Which makes less than zero sense.
They look fake as can be, especially when paired with a slightly older ATM with the more sensible slot.
Now, one might argue that the crazy card slots are a great theft deterrent because they preclude the attachment of a skimmer, but they also make it impossible for the machine to snap up a stolen card, nor do they really look legitimate enough to give the user peace of mind.
I used to write code that talked to gas pumps, and I can tell you that most pumps take the same key for the printer door, a different same key for the terminal (Gilbarco CRIND/Wayne CAT) door, and I think another same key for the pump control door. That's the same keys for the entire model run of a pump, and maybe for more than one model, unless maybe a big oil chain installs a different same key. Even then, they're those round locks like the ones that some laptop cables use that can be picked with a part from a Bic pen. (Presumably they're better made than the laptop cable locks.)
The card data is sent up to the station's control computer directly, usually both track 1 and track 2 data. I don't think it would be hard to insert a skimmer behind the door, whether a second mag reader head, or just splice the wires from the card reader. Or even rig the station control computer if you have access to that. (For that matter, all the card numbers may end up in a log file on that computer.)
There's not much danger of a pin pad skimmer, however, because in the US, PINs are protected by each pinpad having a master key injected into RAM before shipping to the site. They are potted in epoxy and have a memory kill switch if you attempt to open them. This works differently from the European system, which is why the US hasn't had to go to "chip and pin". The PIN is encrypted in the pad, the pinpad's serial number is attached, and the result is only decrypted by the card clearing house computers, which have a list of all the decryption keys. Even if the guy who ran the station was doing the skimming, debit PINs couldn't be skimmed and still work properly. But that's just debit. Credit cards don't have a PIN.
So unlike ATM skimmers, they could definitely hide the skimmer behind the door, but they would still need a camera of some sort to capture the PINs. Fortunately most gas pump terminals have a relatively flat front, so they can't just hide the camera on a different part of the panel.
#naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
Around here it's almost all post-pay the attendant, because they want you to buy stuff in their store. Few pumps have card swipes, and only in selected poor or rough areas do they require pre-payment, sometimes only when the price has spiked.
Why can't credit card companies implement the chip & pin technology that is the standard elsewhere in the world. Skimming would no longer present the threat it does today.
A+ hilarity.
DRM: Terminator crops for your mind!
Since almost all ATM cards, in the US at least, now carry a Visa/MC logo that can be used as either debit with pin or credit, does it even matter whether they are capturing the pin number? You could use your debit card on a pin transaction at the pump, and the skimmer could capture the mag swipe, then use that card data on the credit card network without the pin, right?
It annoys me that banks send debit cards by default, and will almost never honor your previous choice. So on every regular card replacement you have to cut it up and call and request an ATM only card. I did this for a while, but finally gave up. Now I never put my debit card in anything but an ATM machine, and in the signature panel I write "DO NOT ACCEPT AS VISA". Not perfect security, but better than nothing. I wish banks were required to maintain your preference with ATM vs. debit card.
The local paper (Gainesville Sun) had a picture of the skimmer on the first day it was found:
http://www.gainesville.com/article/20100707/ARTICLES/100709681
Basically it looks like a thin bundle of electrical tape attached to the wire between the magstripe reader and the circuit board inside the gas pump -- completely hidden inside the pump cabinet unlike ATM skimmers.
-Esme
Where does this stuff come from? I've seen gear like this on sale on Russian underground sites, together with custom trojans etc..., but if it comes from inside the states couldn't you just nab the problem at the source?
Emotions! In your brain!
A link http://www.networkworld.com/community/blog/newest-attack-your-credit-card-atm-shims?t51hb&hpg1=mp in the original story, entitled "Newest Attack on your Credit Card: ATM Shims" has some interesting information:
"The shim needs to be extremely thin and flexible. In fact it must be less than 0.1mm"
"The shim is inserted using a "carrier card" that holds the shim, inserts it into the card slot and locks it into place on the internal reader contacts."
"Once inserted, the shim is not visible from the outside of the machine. The shim then performs a man-in-the-middle attack between an inserted credit card and the circuit board of the ATM machine."
"flexible shims are recently being mass produced and widely used in certain parts of Europe"
"Diebold released five new anit-skimming protection levels for its ATM devices june 1st 2010...Unfortunately, none of these helps with the shim skimming attack. That problem has yet to be solved mechanically yet."
How about a way to magstripe the virtual # you get from Citi or equiv. Basically, you program the card before use at the station with a fresh virtual#. So, skim away! I couldn't care less if they skimmed a virtual#.
Or have a $75 limit on the card and only use it for gas.
Does anyone EVER check that signature panel? Mine has my signature on it, but I usually draw a smiley face when asked to sign on a digitizer. Only ONCE did anyone ask to see it.
1. Never, ever use a debit card for anything. It isn't worth it.
2. Your credit card number will be stolen. Accept it as a fact of life. It doesn't cost you anything so stop worrying.
That's it.
While the original article is about Florida, the epicenter of credit card skimming has been California and more specifically Southern California. BTW, I would advice you NOT to use a debit card at the pump anywhere in California. Stay with credit cards as your fraud liability and headache with credit cards is much less. Some brands have done a better job at protecting themselves then others, but rather be safe then sorry.
Normal Criminal Card Hierarchy of Use
1. Debit Cards (people see the $ leave fast so fraud gets caught faster)
2. Credit Cards (Good Lines and Can Be Used Anywhere)
3. Commercial Fleet Cards (Higher lines and its tougher for companies to distinguish fraud behavior unless its blatant, downside no universal acceptance)
4. Branded Gas Cards (Lowest Lines and only used at stations)
Pump locks are common key for many stations and you can buy the key off Ebay (which the criminals already do). In addition, once into the pump it takes less then a minute and sometimes less then 30 secs to connect a skimmer. If Bluetooth is in place, they never have to get out of the car. Unfortunately Zip Code and PIN prompts are not effective deterrents here because the transmission from the pump to inside the C-Store is generally unencrypted. So if you punch in your PIN not only does the skimmer have your card but now your PIN. In addition the criminals can be methodical. There was a recent article that a Russian criminal gang placed a store manager who worked a year at the location before starting to rip off cards. If a gang has that kind of patience its tough for the authorities.
There are a few basic things convenience store operators can do to protect pumps that are relatively cheap, but their is no impetus to do so. Because A. the customer who gets their card skimmed doesn't where it happened B. the Major may or may not care because they already have contracts in place with networks and they probably do not eat the fraud C. each credit card company gets hit, but unless they decide to turn off pump credit access...the credit card company is powerless. D. No one has rights to inspect and cite the owners if their pumps are not up to par.
The problem lies in the value chain
1. Credit Card companies get hit with the fraud, but can only deal with it after the fact
2. Oil Majors, who own no or very few stations, want to keep their store owners happy so are much less likely to press the issue. Some majors are vigilant about fraud and keep a watchful eye and some could care less .
3. Most convenience store owners have little to no inclination to step in and protect pumps because the fraud doesn't hit them unless the credit card company identifies the common point of purchase and takes action (typically sending all customers inside - which will get the attention of a store owner fast)
Store Owners can do a few things to protect consumers from this fraud
1. Are there video cameras on the pumps? Stupid, but effective.
2. Is staff checking pump integrity on a regular basis? Walking by, looking for suspicious activity, etc.
3. Is there security tape over the pump lock? Security tape will change to a "VOID" and have serial numbers on it.
4. Have they changed the pump locks from common key that the pump ships?
None of this has to be expensive. Effective security costs less then a couple of hundred dollars on average, maybe less. Unfortunately, most owners are rather cheap (I get that its a low margin business, but still) and unless they get hit by the CC company who stop authorizing - they do not care. However, at that point its too little too late. The compromise has occurred - the customer goes through hell, the CC company eats the fraud, and the criminal walks off with either cash, store bought items, or free fuel.
Bluetooth devices can be up to 350 ft or so if they are class 1 extended range devices. Normal enhanced bluetooth has about a 50 ft range. My headset works all over my house with the computer down in the basement. With extended range capabilities, it can easily reach next door. So, the perps of these crimes could be across and down the street and still skim the card data.
Sometimes, real fast is almost as good as real-time.
Seriously... if Alice alters Bob's machine to steal money from Trent, you want the bank to be on the hook?
The problem with that is the bank isn't in a position to oversee any of this transaction. You can easily hook Alice for the crime. You can argue fault for Bob (if physical security of the machines is lax), as he needs to keep his machines secure. Trent should only be 'on the hook' for pursuing legal action. But the bank.... what did they do wrong? Process a transaction from Trent? How do you secure that while actually letting Trent buy his gas?
In N. America: no. Elsewhere: yes. Elsewhere always checked, even before chip+pin made signatures a novelty and something to be distrusted further.
With BT able to get 50 meters, more if it is outside, where the average pump is, the collector could be in a car across the road, or anywhere.
To all those people questioning range, don't forget that Bluetooth operates in 2.4GHz - roughly the same frequency as wireless, and thus is a prime candidate for Pringle "cantenna's" or just plugging in any old 2.4GHz directional antenna. You can get Wifi going dozens if not hundreds of kilometres with some simple antennas, so Bluetooth and a directional antenna, even homebrew, is likely to provide 100's of metres of safe distance between you and a device if you're hacking hardware on these scales anyway.
Using a typical keyfob used for computer logins would prevent skimmers from getting anything but the card number. Many companies use SecurID -- you enter your user ID (credit card in this instance) and then a unique one-time password is used (typically a pin number plus some number of digits from the SecurID fob). For credit cards, a fob would only need to generate 3 to 4 digits. The fob could also be configured as a credit-card sized device. One such device can be used with any number of credit cards.
Does this mean an accomplice has to hang around within 3m of the pump?
What a stunningly stupid question. Was it an attempt to be funny? It failed. Even if bluetooth didn't have vastly more range than 3 meters, there is bluesniper which you too can build.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Just one more reason why I use CASH whenever possible. No account numbers to steal, few privacy issues (so far), and it has a hard time vanashing without your knowledge.
I'm wondering if anyone reading this has ever tried to get a fraudulent charge removed from their account? I know the credit card companies all say the cardholder is not responsible for fraudulent charges but I wonder if it is simple to get them removed, or is it like pulling teeth.
There's no need to pick the gas pump lock. Somewhere I have a key from a Pitney-Bowes postage meter. It's a "high security" double edged key with each edge having a different profile. One day I noticed that the gas pump I was filling my car from had a similar looking lock. Turns out that key opens almost any gas pump.
Putting moderation advice in your
God forbid...don`t educate anyone.