Slashdot Mirror


More Gas Station Credit-Card Skimmers

coondoggie notes a Network World piece on credit-card skimmers found installed in gas pumps, this time in Florida. Like the similar wave of attacks in Utah earlier this year, the latest crop uses Bluetooth to transmit the illicitly collected data. Does this mean an accomplice has to hang around within 3m of the pump? "The Secret Service has indicated there's a crime wave throughout the Southeast involving the gas-station pump card skimmers, and it may be traced back to a single gang that may be working out of Miami... St. Johns County in Florida has also been hit by the gas-pump card skimmers. [A local sheriff's department spokesman] says criminals wanting to hide the credit-card skimmers in gas pumps have to have a key to the pump, but in some cases a single key will serve to get into many gas pumps." Here's an insight from the banking industry on the skimming fraud.


  1. Hiders Keepers? by LostCluster · · Score: 4, Informative

    Does this mean an accomplice has to hang around within 3m of the pump?

    No. What it means is that there's no need for there to be a wire that leads to the skimmer's recording device... which now can be hidden in the next pump over. This also means the mag reader could be placed in the pump without a recording device, therefore requiring the pump to be taken apart for inspection, adding to the cleanup costs.

    Remember, once a fraud becomes so expensive to clear up that the expenses are greater than the total loss, then it's almost allowed to continue unchecked.

    1. Re:Hiders Keepers? by atrus · · Score: 5, Informative

      Or, in reality, every skimmer records numbers. The thief comes by with the "dumper", buys some gas while taking a complete download of the current recorder memory. It's far less risky on the retrieval of the numbers, especially if the skimmers have already been identified and the cops are waiting around the corner for the guys to come back (unlikely, but you never know).

    2. Re:Hiders Keepers? by Stephenmg · · Score: 5, Informative

      Bluetooth range can go up to 100 meters depending on the class of the transmitter. Class 1 ~100m, Class 2 ~10m, Class 3 ~1m. With a Class 2, the recording device could be hidden in the trunk of the abandoned car at the place next door. Class 1 could be down the street.

    3. Re:Hiders Keepers? by dan_linder · · Score: 4, Insightful

      ...and with the price of flash memory so low, it would be pretty easy to hide a little digital camera to snap photos of the person as they put the card in and/or stood in front of the machine. It would be easy to download those too and if they saw a few with the manager and a customer standing and pointing at the machine they would know that the gig was up and to just walk away.

      I'm really thinking the cash idea is the way to go from now on. :-(

      Dan

    4. Re:Hiders Keepers? by mldi · · Score: 2, Insightful

      On the bright side, it's easily detectable by checking for BT radios.

      --
      If you aren't suspicious of your government's actions, you aren't doing your job as a responsible citizen.
    5. Re:Hiders Keepers? by fuzzyfuzzyfungus · · Score: 3, Insightful

      I doubt the skimmer-makers would bother, unless the cops have quietly been hunting bluetooth emissions for a while now; but it wouldn't exactly be rocket surgery to have a bluetooth device that just sits there, receiving but maintaining absolute radio silence unless it hears a particular transmission (from a particular bluetooth MAC, if you really want to get paranoid). The wireless analog of port knocking, more or less...

      Particularly with all the cellphones floating around, a BT radio, even one yelling its little amplifier out, is hardly automatically suspicious in a reasonably crowded area. Somebody who knew what they were doing, had the right set of antennas, and had some knowledge of what they were looking for (if, for instance, the skimmer-manufacturers produced a large batch, all with BT modules from the same manufacturer, or even with MACs in series, and some were captured by conventional physical inspection), could definitely hunt them down much more quickly, unless they are very short range units, or were using some stealth strategy like the above...
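
The hunting approach described in the comment above (same module manufacturer, MACs in series, learned from physically recovered units), sketched as an added example that is not part of the thread. All addresses and scan records are constructed, and the function names, the `slack` margin and the dwell/RSSI thresholds are assumptions; it presumes a scanner has already logged sightings.

```python
from collections import defaultdict

# Constructed sample: addresses read from skimmers recovered by physical inspection.
SEIZED = ["00:11:22:00:10:04", "00:11:22:00:10:09", "00:11:22:00:10:1F"]

# Constructed sample scan log: (minute of observation, address, RSSI in dBm).
SIGHTINGS = [
    (0,   "00:11:22:00:10:0C", -71),  # seized vendor prefix, inside the seized series
    (1,   "A4:5E:60:12:34:56", -60),  # passing phone
    (3,   "A4:5E:60:12:34:56", -64),
    (30,  "00:11:22:00:10:0C", -70),
    (45,  "00:11:22:7F:00:01", -80),  # seized vendor prefix, far outside the series
    (90,  "00:11:22:00:10:0C", -72),
    (95,  "F0:18:98:AA:BB:CC", -55),  # another passing phone
    (180, "00:11:22:00:10:0C", -71),
]


def parse_mac(mac):
    """Split a 48-bit address into (vendor prefix, serial): upper and lower 24 bits."""
    octets = mac.strip().split(":")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"not a 48-bit address: {mac!r}")
    value = int("".join(octets), 16)
    return value >> 24, value & 0xFFFFFF


def build_profile(seized, slack=64):
    """Map each seized vendor prefix to the serial range the seized units span,
    widened by `slack` on both sides to catch neighbours from the same batch."""
    ranges = {}
    for mac in seized:
        oui, serial = parse_mac(mac)
        lo, hi = ranges.get(oui, (serial, serial))
        ranges[oui] = (min(lo, serial), max(hi, serial))
    return {oui: (max(lo - slack, 0), min(hi + slack, 0xFFFFFF))
            for oui, (lo, hi) in ranges.items()}


def triage(sightings, profile, min_dwell=60, max_rssi_spread=6):
    """Return {address: [reasons]} for sightings worth a physical inspection.

    Reasons: vendor prefix matches a seized unit, serial falls in the seized
    series, or the radio stays put (long dwell with steady signal strength),
    which a customer's phone at a gas pump normally does not."""
    seen = defaultdict(list)
    for minute, mac, rssi in sightings:
        seen[mac.upper()].append((minute, rssi))

    report = {}
    for mac, obs in seen.items():
        oui, serial = parse_mac(mac)
        reasons = []
        if oui in profile:
            reasons.append("oui-match")
            lo, hi = profile[oui]
            if lo <= serial <= hi:
                reasons.append("serial-in-series")
        minutes = [m for m, _ in obs]
        levels = [r for _, r in obs]
        if (max(minutes) - min(minutes) >= min_dwell
                and max(levels) - min(levels) <= max_rssi_spread):
            reasons.append("stationary")
        if reasons:
            report[mac] = reasons
    # Most reasons first, so the strongest candidates head the list.
    return dict(sorted(report.items(), key=lambda kv: (-len(kv[1]), kv[0])))


if __name__ == "__main__":
    for mac, reasons in triage(SIGHTINGS, build_profile(SEIZED)).items():
        print(mac, ", ".join(reasons))
```

A unit that stays radio-silent until it is polled, as the comment suggests, never shows up in the sightings at all, so an empty report does not clear a pump.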

    6. Re:Hiders Keepers? by Beardo+the+Bearded · · Score: 4, Funny

      In England, it's always Albanians or Romanians. Counts, the lot of them.

      FTFY

      --
      ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
    7. Re:Hiders Keepers? by Anonymous Coward · · Score: 2, Insightful

      Wait, what did Chase do? Or are you just listing bank names without actually knowing anything about what went on?

    8. Re:Hiders Keepers? by Sulphur · · Score: 2, Interesting

      The English don't have Counts, they have Earls. The wife of an Earl is a Countess, go figure. If they made their Earls Counts, then there would not be a shortage in the Counts.

    9. Re:Hiders Keepers? by BrokenHalo · · Score: 4, Informative

      In any case, returning to the issue of range for a moment:

      I have a Belkin F8T012 USB Bluetooth dongle that works quite well at distances well over 100m. (The advertised maximum is 100m.) It wouldn't be hard to make yourself inconspicuous at that distance from the pump.

    10. Re:Hiders Keepers? by hitmark · · Score: 3, Interesting

      and if one gets a directional antenna, things get really interesting. IIRC, there is at least one guy that's built something he called a bluetooth sniper rifle with a range of a kilometer or more.

      --
      comment first, facts later. http://chem.tufts.edu/AnswersInScience/RelativityofWrong.htm
    11. Re:Hiders Keepers? by Anonymous Coward · · Score: 2, Interesting

      White folks just do it differently - often legally and out in the open. Goldman Sachs, Morgan Stanley, Bank of America, Chase, etc.

      Fannie Mae: "As WND reported, an Enron-like accounting scandal enabled Raines to earn $90 million in his five years as Fannie Mae CEO, from 1999 to 2004."

      Is this the exception that proves the rule? Don't know, but I'm not a racist like you, Mister Whirly (964219). Did your father teach you that black people aren't smart enough to commit multi-million dollar financial fraud?

    12. Re:Hiders Keepers? by TheLink · · Score: 2, Insightful

      > I'm really thinking the cash idea is the way to go from now on. :-(

      Why? If I get mugged at (or on the way to) the gas station I lose my cash. If my card gets skimmed, I do not lose my money. If many people's cards get skimmed from the same place, I may not even have to dispute the transaction - the card company will just cancel the card, invalidate the transactions and issue me a new card.

      From the article:
      When a card is compromised, however, the card issuer has to reimburse the customer. If incidents of skimming at unattended terminals such as pay-at-the-pump continue to rise, gaps in security may be looked at with more scrutiny.

      Cash may be more private, but cash is definitely not safer than credit cards.

  2. No worries here. by The+MAZZTer · · Score: 4, Insightful

    I always pay for gas in cash. I think I will not change this personal policy in the near future.

    1. Re:No worries here. by pgmrdlm · · Score: 3, Insightful

      You get a receipt? Piece of paper with the time, date, and transaction. Are you always in the habit of paying for anything, no matter how you pay for it, without receiving a receipt???????

      --
      Anonymous comments are as pathetic as the anonymous "sources" that contaminate gutless journalism from the New York Time
    2. Re:No worries here. by pgmrdlm · · Score: 2, Insightful

      I was trying to dispute the position of the previous AC.

      And if the clerk pockets the cash and calls the cops on you to cover the theft? Here's a 20 for pump #2. *pumps $20 worth of gas and takes off*.

      Just saying, ask for a receipt if you're worried about the clerk pocketing your cash. Have proof of your purchase.

      --
      Anonymous comments are as pathetic as the anonymous "sources" that contaminate gutless journalism from the New York Time
    3. Re:No worries here. by MaskedSlacker · · Score: 2, Informative

      I haven't been to a gas station where this was possible...ever. Every pump I've ever used had to be authorized by the attendant, you couldn't just pump and go.

    4. Re:No worries here. by kyrio · · Score: 3, Informative

      Where you live (some place in Canada) is not the same as everywhere in (Canada). In Toronto and likely most of Ontario, you only have to prepay when it's late at night or a bad area of the city (or both).

  3. ATM Skimmer by Thelasko · · Score: 4, Interesting

    I've noticed that my bank has introduced new ATMs to combat skimming. The card reader now has flashing lights, and the display shows a picture of what the card reader should look like.

    --
    One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
    1. Re:ATM Skimmer by Anonymous Coward · · Score: 5, Interesting

      This is not new in Europe. Every ATM now has it. Also since 3-4 years ago all cards have a chip in them. The transaction is authorized by the chip in a real-time two way communication, and you have to punch in the pin code. But that is never going to happen here in US, primarily because it means no tips. But why bug gas stations - just go work as a waiter, or at any cash register desk and just routinely slide the card through a second reader. In EU the waiter at a restaurant has to bring the POS terminal to your table. You insert the card into the slot, while the card is in the slot the waiter puts in the amount, you check it, decide to tip or not, put the amount of tip in, then dial your pin code. Then the chip on the card already connected with the bank of the POS terminal starts to make the transaction, the bank proxies that transaction to your bank, the chip on the card talks with your bank, and it's done, money is wired from your account to the merchant account. Plain and simple, and in no more than 10 seconds you get an SMS on your cell phone - hey - merchant XXX, pos terminal ID YYY just withdrew 20 euro from your card ending in ..... If it's not you, you pick up the phone, call your bank and just tell them it is not you. And that's it.. the merchant cannot change the amount you were billed at a later time. Here in US you have to wait up to 5 days to have it posted and it could get changed a lot (usually because of the tips).

      You have to decide whether you want a convenience of just waving your card in front of a cash register, or you want the security of actually allowing the transfer of funds from your account. As for the banks - it will always be easier and more profitable to have the people lose their money and go into debt. That is why only a strong government regulation can make them change something. On a little bit of side note - in Europe if you don't have enough funds in your card the transaction is refused and no penalty is paid. Here, because of the delay in posting transactions you could easily overdraw your card, and get charged 50 for each transfer after the limit.

      So.. decide.. convenience or security.

    2. Re:ATM Skimmer by Anonymous Coward · · Score: 3, Interesting

      According to my father, who is a Branch Manager at Citibank, the Citi ATMs now have a system that shuts down the ATM completely (ie. the screen goes blank, the CPU shuts off, and the cash gets locked down) if any metal/magnets are placed on/near the card reader. To reboot, the ATM has to be opened (usually from the inside of the building) and manually reset. All to help avoid skimmers.

      However, I've stuck my magnetic billfold right on top of the card reader and nothing happened, so YMMV.

    3. Re:ATM Skimmer by kaiidth · · Score: 2, Insightful

      The point, as far as I can tell, is that there are many chances to bolt on external junk, whilst it's pretty difficult/unusual to be able to compromise the ATM itself. External devices are just opportunistic ways of reading the data off your card (ie. magnetic strip, maybe a camera to read out the PIN as the user inputs it). I suppose you could place an overlay on the screen, but it sounds like a lot of work compared to a little magnetic strip reader.

      If you'd managed to compromise the ATM (so as to be able to change the image displayed on that particular screen) you wouldn't need to bolt anything onto the outside at all - the ATM knows everything you're likely to want to steal. But then, if you were able to successfully hack an ATM, why waste time skimming credit card numbers?

    4. Re:ATM Skimmer by spazdor · · Score: 2, Interesting

      If you aren't already versed in the finer points of duck-fucking, you shouldn't ask.

      --
      DRM: Terminator crops for your mind!
    5. Re:ATM Skimmer by spazdor · · Score: 2, Insightful

      And if someone is able to compromise both the card and that image of "what it should look like"?

      If an attacker has sufficient access to change what's being displayed on the ATM screen, then they can probably skip the external card-reader and just yoink the customer's bank data out of RAM.

      --
      DRM: Terminator crops for your mind!
    6. Re:ATM Skimmer by Mr+Muppet · · Score: 2, Informative

      On my few trips to the US, there's something I've always been a bit wary of, yet it seems common practice... When I pay for things at the checkout, I hand over my credit card, they give it back to me, then I sign for it without having my signature checked to see if it matches the card.

      Over here (UK), I know we have Chip & Pin now, but before then, the cashier would keep your card and check your signature against the one on the card before handing it back. I used to do that job, once had a guy sign nothing like the one on the card, claimed it was his boyfriend's card. As per company policy, I rang the bank's authorisation phone number, they told me to destroy and return the card to the bank!

  4. bluetooth by confused+one · · Score: 5, Informative

    Does this mean an accomplice has to hang around within 3m of the pump?

    No, a Class 1 Bluetooth device has a range of up to 100m.

  5. Doesnt sound overly hard to by kaptink · · Score: 4, Insightful

    Why don't they make gas stations check their pumps once a day for skimmers? Perhaps when they set the price in the morning. Seems relatively simple.

    --
    Those who can, do. Those who cannot, sue.
    1. Re:Doesnt sound overly hard to by Anonymous Coward · · Score: 2, Informative

      Your gas station must have more initiative than mine. At the one closest to my job they let a dead cat sit by the side of the building until it smelled so bad they couldn't ignore it anymore.

    2. Re:Doesnt sound overly hard to by nizo · · Score: 3, Interesting

      I wonder how many skimmers are installed by the person with the key to the gas pump? Checking wouldn't do much good if the guy checking the pump is the one who installed the skimmer.

    3. Re:Doesnt sound overly hard to by blair1q · · Score: 2, Informative

      Because gas stations are no longer gas stations manned by trained mechanics. They are convenience stores, manned by people who generally don't have any control or technical knowledge of the pumps. Prices are set over the internet. About all the cashier can do is put a yellow bag over the handle if there's a complaint about a pump, and call it in.

    4. Re:Doesnt sound overly hard to by Anonymous Coward · · Score: 2, Funny

      Hey now, don't insult gas station attendants. Some of them are Slashdot's most prolific posters. I think a couple are even editors here.

    5. Re:Doesnt sound overly hard to by Nadaka · · Score: 3, Interesting

      I was a gas station attendant for 3 years while getting my college degrees.

      It was a nice easy job with fringe benefits like the ability to do homework on the job, free soda fountain mountain dew and access to jailbait.

      At one time we had me - a CS major doing AI research and a Nuclear Physics major on her way to the Air Force Academy running the night shift.

      Most of the people who can't handle the gas station clerk position think exactly like you do,
      except they don't realize that they have to do paperwork at the end of each shift and quit because division is to hard.

    6. Re:Doesnt sound overly hard to by Anonymous Coward · · Score: 2, Insightful

      They only need to have the card scanner in place for a short period (say an hour or two) to get enough credit cards, then they move on to the next target.

    7. Re:Doesnt sound overly hard to by fuzzyfuzzyfungus · · Score: 2, Insightful

      Even in situations where there isn't an inside man (and I'm sure that there sometimes is), a scheme that habituates the employees, anybody monitoring the CCTV cameras, and the public at large, to people frequently opening and poking at the pumps is likely to decrease security, rather than increase it.

      The uniforms of gas station employees aren't exactly secret, nor are clothes that look very much like them hard to get ahold of (given that they are generally just plainclothes, or mechanic-style coveralls, possibly with silkscreened logos), so it would be pretty trivial to concoct a plausible disguise in which to tamper with the device.

    8. Re:Doesnt sound overly hard to by molecular · · Score: 2, Informative

      What's needed is an end-to-end validation system. My card needs to tell me if I'm connected over a secure, untampered channel to my bank; maybe some LEDs along with the chip (that's right, ditch the magnetic stripe). My bank needs to know that it is a valid card; perhaps some sort of one time pad that's burned into the card at time of issuance.
       

      you mean a cryptographic smartcard that has the private key on chip and never tell it like this: http://en.wikipedia.org/wiki/Smart_card#Cryptographic_smart_cards ?

    9. Re:Doesnt sound overly hard to by fuzzyfuzzyfungus · · Score: 3, Interesting

      While a CC system that doesn't utterly suck, and trust pretty much every link in the chain like it would its own mother, after she had been notarized and presented two forms of photo ID, I suspect that we could be waiting a while for that...

      In the meantime, I'm curious why the "card path" of any exposed payment system would be designed such that it has internal voids where 3rd party hardware can be stashed. A mag-stripe reader is just a surface, with a few mm of electronics behind it. Generally, because people aren't too good at keeping their card at just the right distance, you mount the reader parallel to a passive plate a few mm away, through which the card is run. With a surface channel design, the attacker has to stick their skimmer onto the surface, where it can be detected by visual inspection (made easier if the card slot has blinkenlights, a highly specific shape, certain color/pattern, etc.)

      If, for some reason, an internal card path must be used, so that the card can be held on to during the transaction or whatever, one could still make sure that the internal chamber is small enough to admit only a card, and that the eject mechanism doesn't just pop the card halfway out; but actually completely scrapes out the internal chamber each cycle (in order to remove, say, a thin-film reader fabricated on a sticky backed piece of flexible circuit board)...

      Good mechanical design won't stop all skimmers; because people may not notice even a fairly blatant one just taped on top of the actual reader; but it should be fairly easy, with good design of the card path, to make it impossible to mount an internal reader without doing some in-situ metalworking.

    10. Re:Doesnt sound overly hard to by Monkeedude1212 · · Score: 3, Insightful

      Most of the people who can't handle the gas station clerk position think exactly like you do,
      except they don't realize that they have to do paperwork at the end of each shift and quit because division is to hard.

      The problem is that not every gas station is structured like that. I worked at a Gas station for 2 and a half years, and they basically had 3 people on duty at all times. 2 to run the tills, maintain the cleanliness of the store, and watch the pumps. 1 would be in the back office, doing that paperwork and occasionally watching security cams. The only paperwork the front line people had to do was count out their till to $100 each time their shift began and ended. Anyone with a pulse could have worked that job. The only way to keep that job was to NOT steal money.

      And while I wouldn't expect much from even those people, I think they could identify a card reader if taught how. It's as easy as saying "Look at this specific part of the pump. Remember how it looks. Every morning I want you to look at it. If it ever looks different, inform me."

    11. Re:Doesnt sound overly hard to by xaxa · · Score: 2, Interesting

      No, although I saw a picture of a card with a tiny LCD screen somewhere. That would be useful to verify the amount -- someone could tamper with a terminal's display to show one amount, but ask the card to authenticate a different amount.

      I don't know whether there's a key in the terminal that the card can validate...

      There's been a case where tampered readers have led to fraud (see "Successful attacks"), but that relied on using non-EMV transactions.

      I also have one of these, which so far my bank only uses to validate money transfers on online banking, but could be used to validate web purchases too.

    12. Re:Doesnt sound overly hard to by Anonymous Coward · · Score: 2, Insightful

      division is to hard

      ooh ooh! I know this one!
      division is to hard as gas station attendant is to job.
      right?

  6. My card got skimmed in Iowa by EmagGeek · · Score: 2, Informative

    I'm usually paranoid about such things, but I didn't even notice. Chase was really on the ball with it though. The crooks who stole my card weren't able to charge a damn thing, because their first attempt tripped the alarm bells.

    These skimmer gangs are pervasive, though. They have people working on the inside at retailers everywhere. When mine was skimmed, they tried to use the card to buy several DVD players at a Walgreens nearby within minutes of me buying gas. As it turned out, they had skimmed several dozen cards that morning and had people working in retail stores all around the area trying to buy mostly electronics merchandise with the card numbers. It was a pretty large theft ring...

  7. Re:Do they really need a key? by Aladrin · · Score: 3, Insightful

    Not many want to, no... But all those that want to do so illegally have really, really bad plans in store. It's enough to offset the relatively small number and need a good lock.

    I don't know that they DO have them, but they should.

    --
    "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
  8. What a skimmer actually looks like by kryptKnight · · Score: 4, Informative

    Since none of the articles linked to by the summary felt it was relevant to mention what these skimmers actually look like, here's an article from Consumerist.

    --
    Facts do not cease to exist because they are ignored. -Aldous Huxley
    1. Re:What a skimmer actually looks like by whoever57 · · Score: 4, Informative

      Since none of the articles linked to by the summary felt it was relevant to mention what these skimmers actually look like, here's an article from Consumerist.

      That's an ATM skimmer, which are different to gas pump skimmers. Because the attackers don't have access to the inside of the ATM, everything is done by sticking gizmos on the outside of the ATM. With gas pumps, I don't think there are any signs that a user can see that a skimmer has been installed -- it's all internal to the gas pump.

      --
      The real "Libtards" are the Libertarians!
    2. Re:What a skimmer actually looks like by Rogerborg · · Score: 5, Informative

      attackers don't have access to the inside of a gas pump either.

      Y'all got some religious prohibition about Reading The Fine Article?

      Unlike ATM skimming devices, which are attached to the exterior of a machine, over the card reader, the Shell skimming device was actually inside the terminal, wired between the card scanner and the computer board.

      The entirety of human knowledge at your fingertips, and you still insist on wearing your ignorance like a badge.

      --
      If you were blocking sigs, you wouldn't have to read this.
    3. Re:What a skimmer actually looks like by grommit · · Score: 2, Informative

      While I'm sure the author of that article is well intentioned, they get a few facts wrong. In addition to naming the wrong city, they have an incorrect picture. A correct picture can be found at the local newspaper.

  9. insight from the banking industry by flaming+error · · Score: 5, Interesting

    Interesting that this "insight from the banking industry" doesn't seem to indicate the banks have any responsibility for the problem.

    There once was a time that people took their money to the bank for safekeeping. I think banks have partly weaseled themselves out of the security side of the business, and what used to be called "bank robbery" they now call "identity theft." Which works ok for the bank, seeing how it's the customer who lost the money and it must have been the customer's fault, or the gas station's, or the POS equipment vendor's.

    The bank, which should act like a watchdog, portrays itself as something of an innocent bystander.

    1. Re:insight from the banking industry by mandelbr0t · · Score: 2, Informative

      No, an individual card issuer does not have any responsibility, nor should they. It is the responsibility of the financial network to mandate minimum security requirements of each card issuer, and all terminals under their control. (e.g. Interac, Cirrus, Visa). It is only the card issuer's responsibility to adhere to the policy set out by their network.

      --
      "Please describe the scientific nature of the 'whammy'" - Agent Scully
    2. Re:insight from the banking industry by fuzzyfuzzyfungus · · Score: 3, Insightful

      Sinclair said: "It is difficult to get a man to understand something, when his salary depends upon his not understanding it!"

      When dealing with PR flacks, their salary depends on you not understanding it, which is likely even worse...

  10. Re:Get the chip by fuzzyfuzzyfungus · · Score: 5, Insightful

    There is one unpleasant downside to "chip & PIN"...

    While it is certainly more secure than mag stripe, the various issuing institutions, at least in Britain, have tried to use this to argue that theft/skimming losses should now be the fault of the "negligent" customer, rather than their problem.

    I have nothing against better security, I do have a problem with better security being tarted up as evidence that no intrusion could possibly have occurred without the connivance of the customer.

  11. efficiency issue by peter303 · · Score: 2, Insightful

    (1) Takes extra time to visit a clerk and pay cash.
    (2) Amount not recorded automatically. Have to mess around with receipts. During high price periods my gas usage approaches 5% of my budget and should be tracked.
    (3) Requires carrying around more cash, especially in periods when prices are high.

  12. Re:What we need... by Big+Boss · · Score: 2

    Embed the token into the cards. They don't have a significant cost these days, and it would make the cards significantly more secure. Yes, it makes the cards more expensive than a piece of plastic and a magstripe, but really, it's not THAT much. Particularly when amortized over all the cards in circulation.

    If you're going that far, you could also include the PIN entry keypad on the card and use a secure link to make it nearly impossible for an attacker to get your PIN via the capture device.

    And, if designed properly, they won't wear out as fast as the old style ones, and they are more secure, so don't have to expire as often. The real expiration is on the CC company servers anyway, and checked when you try to use the card.

    The really painful part isn't the cards really, it's the readers. And internet transactions, but that can be handled reasonably if you have a display on the card. It can show you a bunch of numbers to type into the computer after you tell it how much you want to allow the merchant to charge you. Generates a time limited code (one use, good for one minute?) that allows the transaction to process.

  13. Re:Get the chip by mbkennel · · Score: 2, Informative

    Banks do take liability for credit card fraud unless they can prove merchants did not obey the security precautions mandated by the acquiring bank's or card association's agreement.

  14. Re:Get the chip by Anonymous Coward · · Score: 4, Informative

    The system relies on the chip to tell the terminal that a valid PIN was used, rather than the terminal+chip+PIN creating a cryptographic message to the bank so the bank can verify that a valid PIN was used. End result: All you need is a fake chip that always tells the terminal a valid PIN was used.

    http://www.zdnet.co.uk/news/security-threats/2010/02/11/chip-and-pin-is-broken-say-researchers-40022674/1/
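
The design point in the comment above, the bank verifying the PIN result from a cryptographic message instead of the terminal taking the chip's word, shown as an added example that is not part of the thread. This is a simplified model and not EMV's actual message formats: the key, the field names and the "PIN required" policy are assumptions, and HMAC-SHA256 stands in for the card's cryptogram.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed key; in this model the issuer shares one secret with each card.
ISSUER_CARD_KEY = bytes(range(16))


@dataclass(frozen=True)
class AuthRequest:
    amount_cents: int
    nonce: bytes
    terminal_pin_ok: bool  # what the terminal concluded; nothing authenticates it
    card_pin_ok: bool      # what the card itself recorded; covered by the MAC
    mac: bytes


def card_mac(key, amount_cents, nonce, card_pin_ok):
    """MAC the card computes over the transaction AND its own PIN-check result."""
    msg = amount_cents.to_bytes(8, "big") + nonce + (b"\x01" if card_pin_ok else b"\x00")
    return hmac.new(key, msg, hashlib.sha256).digest()


def make_request(key, amount_cents, card_pin_ok, terminal_pin_ok):
    """Build the message the terminal forwards to the issuer."""
    nonce = secrets.token_bytes(8)
    return AuthRequest(amount_cents, nonce, terminal_pin_ok, card_pin_ok,
                       card_mac(key, amount_cents, nonce, card_pin_ok))


def _mac_valid(key, req):
    expected = card_mac(key, req.amount_cents, req.nonce, req.card_pin_ok)
    return hmac.compare_digest(expected, req.mac)


def authorize_trusting_terminal(key, req):
    """Weak form: the card is genuine, so accept the terminal's PIN claim as is."""
    if not _mac_valid(key, req):
        return False, "bad-mac"
    return (True, "ok") if req.terminal_pin_ok else (False, "pin-not-verified")


def authorize_checked(key, req):
    """Hardened form: the PIN result must come from the authenticated card data,
    and the terminal's view has to agree with it."""
    if not _mac_valid(key, req):
        return False, "bad-mac"
    if req.terminal_pin_ok != req.card_pin_ok:
        return False, "pin-status-mismatch"
    if not req.card_pin_ok:
        return False, "pin-not-verified"
    return True, "ok"


if __name__ == "__main__":
    honest = make_request(ISSUER_CARD_KEY, 2000, card_pin_ok=True, terminal_pin_ok=True)
    # Terminal was told "PIN OK", but the card never verified one.
    mismatch = make_request(ISSUER_CARD_KEY, 2000, card_pin_ok=False, terminal_pin_ok=True)
    for name, req in (("honest", honest), ("mismatch", mismatch)):
        print(name,
              authorize_trusting_terminal(ISSUER_CARD_KEY, req),
              authorize_checked(ISSUER_CARD_KEY, req))
```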

  15. ATMs by Y-Crate · · Score: 2, Interesting

    After several years of being told by banks to watch out for large plastic attachments to ATM card slots, I've noticed that an increasing number of bank-owned ATMs now have them as a part of their design. The simple, flush-mounted card slot on a grey plastic / metal bezel is now giving way to a protruding translucent green plastic bulge on grey plastic / metal bezel.

    Which makes less than zero sense.

    They look fake as can be, especially when paired with a slightly older ATM with the more sensible slot.

    Now, one might argue that the crazy card slots are a great theft deterrent because they preclude the attachment of a skimmer, but they also make it impossible for the machine to snap up a stolen card, nor do they really look legitimate enough to give the user peace of mind.

  16. It's usually the same key by Megane · · Score: 4, Informative

    I used to write code that talked to gas pumps, and I can tell you that most pumps take the same key for the printer door, a different same key for the terminal (Gilbarco CRIND/Wayne CAT) door, and I think another same key for the pump control door. That's the same keys for the entire model run of a pump, and maybe for more than one model, unless maybe a big oil chain installs a different same key. Even then, they're those round locks like the ones that some laptop cables use that can be picked with a part from a Bic pen. (Presumably they're better made than the laptop cable locks.)

    The card data is sent up to the station's control computer directly, usually both track 1 and track 2 data. I don't think it would be hard to insert a skimmer behind the door, whether a second mag reader head, or just splice the wires from the card reader. Or even rig the station control computer if you have access to that. (For that matter, all the card numbers may end up in a log file on that computer.)

    There's not much danger of a pin pad skimmer, however, because in the US, PINs are protected by each pinpad having a master key injected into RAM before shipping to the site. They are potted in epoxy and have a memory kill switch if you attempt to open them. This works differently from the European system, which is why the US hasn't had to go to "chip and pin". The PIN is encrypted in the pad, the pinpad's serial number is attached, and the result is only decrypted by the card clearing house computers, which have a list of all the decryption keys. Even if the guy who ran the station was doing the skimming, debit PINs couldn't be skimmed and still work properly. But that's just debit. Credit cards don't have a PIN.

    So unlike ATM skimmers, they could definitely hide the skimmer behind the door, but they would still need a camera of some sort to capture the PINs. Fortunately most gas pump terminals have a relatively flat front, so they can't just hide the camera on a different part of the panel.

    --
    #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
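
The comment above notes that track 1 and track 2 data reach the station's control computer and may end up in a log file there. An audit for that exposure, as an added example that is not part of the thread: it finds track data and Luhn-valid card numbers in log lines and masks them. The log format and sample lines are constructed (the card number is the common test value), and the function names are assumptions.

```python
import re

# Track 1: %B<PAN>^<NAME>^<YYMM>...?   Track 2: ;<PAN>=<YYMM>...?
TRACK1 = re.compile(r"%B(\d{13,19})\^[^^?]{2,26}\^\d{4}[^?]*\?")
TRACK2 = re.compile(r";(\d{13,19})=\d{4}\d*\?")
BARE_PAN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

# Constructed sample log from a hypothetical station controller.
SAMPLE_LOG = [
    "2010-07-07 08:14:02 pump=3 auth ok trk2=;4111111111111111=12125010000000000000? amt=20.00",
    "2010-07-07 08:15:40 pump=5 card=4111111111111111 declined",
    "2010-07-07 08:16:01 pump=5 txn=1234567890123456 settled",
    "2010-07-07 08:17:22 pump=1 raw=%B4111111111111111^DOE/JOHN^12125010000000000000? amt=35.10",
]


def luhn_ok(digits):
    """Luhn checksum: separates card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan):
    """Keep the first six and last four digits, hide the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scrub_line(line):
    """Return (scrubbed line, list of finding kinds in the order they were found)."""
    kinds = []

    def track(kind):
        def repl(match):
            kinds.append(kind)
            # Drop the whole track (name, expiry, discretionary data), keep a masked PAN.
            return f"[{kind} {mask(match.group(1))}]"
        return repl

    def bare(match):
        digits = match.group(0)
        if not luhn_ok(digits):
            return digits       # transaction ids and the like are left alone
        kinds.append("pan")
        return mask(digits)

    line = TRACK1.sub(track("track1"), line)
    line = TRACK2.sub(track("track2"), line)
    line = BARE_PAN.sub(bare, line)
    return line, kinds


def audit(lines):
    """Scrub every line; return (scrubbed lines, {kind: count})."""
    counts = {}
    scrubbed = []
    for line in lines:
        clean, kinds = scrub_line(line)
        scrubbed.append(clean)
        for kind in kinds:
            counts[kind] = counts.get(kind, 0) + 1
    return scrubbed, counts


if __name__ == "__main__":
    cleaned, totals = audit(SAMPLE_LOG)
    print("\n".join(cleaned))
    print(totals)
```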
  17. Re:Get the chip by Zouden · · Score: 4, Informative

    Not since November 2009. The banks are now required to prove the customer was at fault.

    --
    "A week in the lab saves an hour in the library"
  18. Re:Get the chip by Insightfill · · Score: 4, Interesting

    ...the various issuing institutions, at least in Britain, have tried to use this to argue that theft/skimming losses should now be the fault of the "negligent" customer, rather than their problem.

    Yes, Slashdot covered a similar case a few years ago. "Stolen car!? That's impossible with our current state-of-the-art RFID keys! You must have negligently left your keys where someone could take them; no insurance for you!"

  19. Actual picture of one of these skimmers by esme · · Score: 4, Informative

    The local paper (Gainesville Sun) had a picture of the skimmer on the first day it was found:

    http://www.gainesville.com/article/20100707/ARTICLES/100709681

    Basically it looks like a thin bundle of electrical tape attached to the wire between the magstripe reader and the circuit board inside the gas pump -- completely hidden inside the pump cabinet unlike ATM skimmers.

    -Esme

  20. Who's making this gear? by Securityemo · · Score: 2, Interesting

    Where does this stuff come from? I've seen gear like this on sale on Russian underground sites, together with custom trojans etc..., but if it comes from inside the states couldn't you just nab the problem at the source?

    --
    Emotions! In your brain!
  21. minuscule Man in the Middle attack by Browzer · · Score: 4, Informative

    A link http://www.networkworld.com/community/blog/newest-attack-your-credit-card-atm-shims?t51hb&hpg1=mp in the original story, entitled "Newest Attack on your Credit Card: ATM Shims" has some interesting information:

    "The shim needs to be extremely thin and flexible. In fact it must be less than 0.1mm"

    "The shim is inserted using a "carrier card" that holds the shim, inserts it into the card slot and locks it into place on the internal reader contacts."

    "Once inserted, the shim is not visible from the outside of the machine. The shim then performs a man-in-the-middle attack between an inserted credit card and the circuit board of the ATM machine."

    "flexible shims are recently being mass produced and widely used in certain parts of Europe"

    "Diebold released five new anti-skimming protection levels for its ATM devices June 1st 2010...Unfortunately, none of these helps with the shim skimming attack. That problem has yet to be solved mechanically yet."

  22. Virtual # writer by hedley · · Score: 3, Insightful

    How about a way to magstripe the virtual # you get from Citi or equiv. Basically, you program the card before use at the station with a fresh virtual#. So, skim away! I couldn't care less if they skimmed a virtual#.

    Or have a $75 limit on the card and only use it for gas.