Slashdot Mirror
More Gas Station Credit-Card Skimmers
coondoggie notes a Network World piece on credit-card skimmers found installed in gas pumps, this time in Florida. Like the similar wave of attacks in Utah earlier this year, the latest crop uses Bluetooth to transmit the illicitly collected data. Does this mean an accomplice has to hang around within 3m of the pump? "The Secret Service has indicated there's a crime wave throughout the Southeast involving the gas-station pump card skimmers, and it may be traced back to a single gang that may be working out of Miami... St. Johns County in Florida has also been hit by the gas-pump card skimmers. [A local sheriff's department spokesman] says criminals wanting to hide the credit-card skimmers in gas pumps have to have a key to the pump, but in some cases a single key will serve to get into many gas pumps." Here's an insight from the banking industry on the skimming fraud.
Does this mean an accomplice has to hang around within 3m of the pump?
No. What it means is that there's no need for there to be a wire that leads to the skimmer's recording device... which now can be hidden in the next pump over. This also means the mag reader could be placed in the pump without a recording device, therefore requiring the pump to be taken apart for inspection, adding to the cleanup costs.
Remember, once a fraud becomes so expensive to clear up that the expenses are greater than the total loss, then it's almost allowed to continue unchecked.
It seems that the sort of people dedicated enough to develop this attack would also be able to learn to pick locks. I don't know for sure, but I'd guess that a gas pump lock isn't very tough to pick. There's no reason that most people would want to open a gas pump, so there's no reason to use a very expensive, pick resistant lock on it.
I always pay for gas in cash. I think I will not change this personal policy in the near future.
I've noticed that my bank has introduced new ATM's to combat skimming. The card reader now has flashing lights, and the display shows a picture of what the card reader should look like.
One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
Does this mean an accomplice has to hang around within 3m of the pump?
No, a Class 1 Bluetooth device has a range of up to 100m.
Why don't they make gas stations check their pumps once a day for skimmers? Perhaps when they set the price in the morning. Seems relatively simple.
Those who can, do. Those who cannot, sue.
I'm usually paranoid about such things, but I didn't even notice. Chase was really on the ball with it though. The crooks who stole my card weren't able to charge a damn thing, because their first attempt tripped the alarm bells.
These skimmer gangs are pervasive, though. They have people working on the inside at retailers everywhere. When mine was skimmed, they tried to use the card to buy several DVD players at a Walgreens nearby within minutes of me buying gas. As it turned out, they had skimmed several dozen cards that morning and had people working in retail stores all around the area trying to buy mostly electronics merchandise with the card numbers. It was a pretty large theft ring...
The US really needs to get on board with EMV chip & PIN. Once Canada finishes it's conversion America will be the last major mag-stripe holdout. ZIP-confirmation and other two-factor authentication hacks aren't going to cut it. Chip isn't 100% perfect, but it is 1,000x more secure than an unencrypted mag stripe and has yet to be compromised in the wild. Combined with EMV-compliant contactless payments and PIN-less low value transactions (so that PINs aren't captured en masse), the situation could be greatly improved.
Also, since the US isn't switching, the rest of the world needs to keep a mag strip on their cards. This leaves a major vulnerability open and will result in continued international skimming but with exploitation migrating to the US.
When you have nothing left to burn you must set yourself on fire
Since none of the articles linked to by the summary felt it was relevant to mention what these skimmers actually look like, here's an article from Consumerist.
Facts do not cease to exist because they are ignored. -Aldous Huxley
What we need to do is make every debit and credit card use something like an RSA Secure ID token and make the user type in the pseudo random synced 6 digit code for every purchase. And then allow only one transaction for a card in that ~1 minute timeframe that the code is valid.
That would cut down on 99.99% of all opportunity for credit card fraud. You would either need the card/token on hand or have the algorithm and enough instance data to derive the key through brute force means.
The only downside to this is that recurring credit card charges would no longer work... So there is no downside.
If the system was designed in such a way as to allow the generation of 1 time keys, instead of an embedded 16 digit number, this wouldn't be a problem. This could have been fixed 10 or maybe even 20 years ago... but we have the lowest possible cost system in place, and fraud is just a cost of business instead of a crime.
Interesting that this "insight from the banking industry" doesn't seem to indicate the banks have any responsibility for the problem.
There once was a time that people took their money to the bank for safekeeping. I think banks have partly weaseled themselves out of the security side of the business, and what used to be called "bank robbery" they now call "identity theft." Which works ok for the bank, seeing how it's the customer who lost the money and it must have been the customer's fault, or the gas station's, or the POS equipment vendor's.
The bank, which should act like a watchdog, portrays itself as something of an innocent bystander.
(1) Takes extra time to visit a clerk and pay cash.
(2) Amount not recorded automatically. Have to mess around with receipts. During high price periods my gas usage approaches 5% of my budget and should be tracked.
(3) Requires carrying around more cash, especially in periods when prices are high.
Credit/debit companies make money on volume. They balance a certain level of fraud against the ease of obtaining credit. Thats why there is pin-less debit and signature-less credit below certain threshholds.
pun not intended. Seriously, a lot of crooks are stopped cold by simple measures, and it's a cheap solution.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
The article mentioned shim attacks, which I took to mean a mini-reader stuck into the real reader. Are they comming in pretending to be maintenance and getting to crack open the pump that way?
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
After several years of being told by banks to watch out for large plastic attachments to ATM card slots, I've noticed that an increasing number of bank-owned ATMs now have them as a part of their design. The simple, flush-mounted card slot on a grey plastic / metal bezel is now giving way to a protruding translucent green plastic bulge on grey plastic / metal bezel.
Which makes less than zero sense.
They look fake as can be, especially when paired with a slightly older ATM with the more sensible slot.
Now, one might argue that the crazy card slots are a great theft deterrent because they preclude the attachment of a skimmer, but they also make it impossible for the machine to snap up a stolen card, nor do they really look legitimate enough to give the user peace of mind.
I used to write code that talked to gas pumps, and I can tell you that most pumps take the same key for the printer door, a different same key for the terminal (Gilbarco CRIND/Wayne CAT) door, and I think another same key for the pump control door. That's the same keys for the entire model run of a pump, and maybe for more than one model, unless maybe a big oil chain installs a different same key. Even then, they're those round locks like the ones that some laptop cables use that can be picked with a part from a Bic pen. (Presumably they're better made than the laptop cable locks.)
The card data is sent up to the station's control computer directly, usually both track 1 and track 2 data. I don't think it would be hard to insert a skimmer behind the door, whether a second mag reader head, or just splice the wires from the card reader. Or even rig the station control computer if you have access to that. (For that matter, all the card numbers may end up in a log file on that computer.)
There's not much danger of a pin pad skimmer, however, because in the US, PINs are protected by each pinpad having a master key injected into RAM before shipping to the site. They are potted in epoxy and have a memory kill switch if you attempt to open them. This works differently from the European system, which is why the US hasn't had to go to "chip and pin". The PIN is encrypted in the pad, the pinpad's serial number is attached, and the result is only decrypted by the card clearing house computers, which have a list of all the decryption keys. Even if the guy who ran the station was doing the skimming, debit PINs couldn't be skimmed and still work properly. But that's just debit. Credit cards don't have a PIN.
So unlike ATM skimmers, they could definitely hide the skimmer behind the door, but they would still need a camera of some sort to capture the PINs. Fortunately most gas pump terminals have a relatively flat front, so they can't just hide the camera on a different part of the panel.
#naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
Around here it's almost all post-pay the attendant, because they want you to buy stuff in their store. Few pumps have card swipes, and only in selected poor or rough areas do they require pre-payment, sometimes only when the price has spiked.
A+ hilarity.
DRM: Terminator crops for your mind!
Since almost all ATM cards, in the US at least, now carry a Visa/MC logo that can be used as either debit with pin or credit, does it even matter whether they are capturing the pin number? You could use your debit card on a pin transaction at the pump, and the skimmer could capture the mag swipe, then use that card data on the credit card network without the pin, right?
It annoys me that banks send debit cards by default, and will almost never honor your previous choice. So on every regular card replacement you have to cut it up and call and request an ATM only card. I did this for a while, but finally gave up. Now I never put my debit card in anything but an ATM machine, and in the signature panel I write "DO NOT ACCEPT AS VISA". Not perfect security, but better than nothing. I wish banks were required to maintain your preference with ATM vs. debit card.
The local paper (Gainesville Sun) had a picture of the skimmer on the first day it was found:
http://www.gainesville.com/article/20100707/ARTICLES/100709681
Basically it looks like a thin bundle of electrical tape attached to the wire between the magstripe reader and the circuit board inside the gas pump -- completely hidden inside the pump cabinet unlike ATM skimmers.
-Esme
Where does this stuff come from? I've seen gear like this on sale on Russian underground sites, together with custom trojans etc..., but if it comes from inside the states couldn't you just nab the problem at the source?
Emotions! In your brain!
A link http://www.networkworld.com/community/blog/newest-attack-your-credit-card-atm-shims?t51hb&hpg1=mp in the original story, entitled "Newest Attack on your Credit Card: ATM Shims" has some interesting information:
"The shim needs to be extremely thin and flexible. In fact it must be less than 0.1mm"
"The shim is inserted using a "carrier card" that holds the shim, inserts it into the card slot and locks it into place on the internal reader contacts."
"Once inserted, the shim is not visible from the outside of the machine. The shim then performs a man-in-the-middle attack between an inserted credit card and the circuit board of the ATM machine."
"flexible shims are recently being mass produced and widely used in certain parts of Europe"
"Diebold released five new anit-skimming protection levels for its ATM devices june 1st 2010...Unfortunately, none of these helps with the shim skimming attack. That problem has yet to be solved mechanically yet."
How about a way to magstripe the virtual # you get from Citi or equiv. Basically, you program the card before use at the station with a fresh virtual#. So, skim away! I couldn't care less if they skimmed a virtual#.
Or have a $75 limit on the card and only use it for gas.
Does anyone EVER check that signature panel? Mine has my signature on it, but I usually draw a smiley face when asked to sign on a digitizer. Only ONCE did anyone ask to see it.
1. Never, ever use a debit card for anything. It isn't worth it.
2. Your credit card number will be stolen. Accept it as a fact of life. It doesn't cost you anything so stop worrying.
That's it.
Bluetooth devices can be up to 350 ft or so if they are class 1 extended range devices. Normal enhanced bluetooth has about a 50 ft range. My headset works all over my house with the computer down in the basement. With extended range capabilities, it can easily reach next door. So, the perps of these crimes could be across and down the street and still skim the card data.
Sometimes, real fast is almost as good as real-time.
Seriously... if Alice alters Bob's machine to steal money from Trent, you want the bank to be on the hook?
The problem with that is the bank isn't in a position to oversee any of this transaction. You can easily hook Alice for the crime. You can argue fault for Bob (if physical security of the machines is lax), as he needs to keep his machines secure. Trent should only be 'on the hook' for pursuing legal action. But the bank.... what did they do wrong? Process a transaction from Trent? How do you secure that while actually letting Trent buy his gas?
In N. America: no. Elsewhere: yes. Elsewhere always checked, even before chip+pin made signatures a novelty and something to be distrusted further.
To all those people questioning range, don't forget that Bluetooth operates in 2.4GHz - roughly the same frequency as wireless, and thus is a prime candidate for Pringle "cantenna's" or just plugging in any old 2.4GHz directional antenna. You can get Wifi going dozens if not hundreds of kilometres with some simple antennas, so Bluetooth and a directional antenna, even homebrew, is likely to provide 100's of metres of safe distance between you and a device if you're hacking hardware on these scales anyway.
Does this mean an accomplice has to hang around within 3m of the pump?
What a stunningly stupid question. Was it an attempt to be funny? It failed. Even if bluetooth didn't have vastly more range than 3 meters, there is bluesniper which you too can build.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Just one more reason why I use CASH whenever possible. No account numbers to steal, few privacy issues (so far), and it has a hard time vanashing without your knowledge.
There's no need to pick the gas pump lock. Somewhere I have a key from a Pitney-Bowes postage meter. It's a "high security" double edged key with each edge having a different profile. One day I noticed that the gas pump I was filling my car from had a similar looking lock. Turns out that key opens almost any gas pump.
Putting moderation advice in your
God forbid...don`t educate anyone.