Slashdot Mirror

← Back to Stories (view on slashdot.org)

More Gas Station Credit-Card Skimmers

Posted by kdawson on from the look-for-the-guy-with-the-blue-tooth dept.

coondoggie notes a Network World piece on credit-card skimmers found installed in gas pumps, this time in Florida. Like the similar wave of attacks in Utah earlier this year, the latest crop uses Bluetooth to transmit the illicitly collected data. Does this mean an accomplice has to hang around within 3m of the pump? "The Secret Service has indicated there's a crime wave throughout the Southeast involving the gas-station pump card skimmers, and it may be traced back to a single gang that may be working out of Miami... St. Johns County in Florida has also been hit by the gas-pump card skimmers. [A local sheriff's department spokesman] says criminals wanting to hide the credit-card skimmers in gas pumps have to have a key to the pump, but in some cases a single key will serve to get into many gas pumps." Here's an insight from the banking industry on the skimming fraud.

22 of 251 comments (clear)

  1. Hiders Keepers? by LostCluster · · Score: 4, Informative

    Does this mean an accomplice has to hang around within 3m of the pump?

    No. What it means is that there's no need for there to be a wire that leads to the skimmer's recording device... which now can be hidden in the next pump over. This also means the mag reader could be placed in the pump without a recording device, therefore requiring the pump to be taken apart for inspection, adding to the cleanup costs.

    Remember, once a fraud becomes so expensive to clear up that the expenses are greater than the total loss, then it's almost allowed to continue unchecked.

    1. Re:Hiders Keepers? by atrus · · Score: 5, Informative

      Or, in reality, every skimmer records numbers. The thief comes by with the "dumper", buys some gas while take a complete download of the current recorder memory. Its far less risky on the retrieval of the numbers, especially if the skimmers have already been identified and the cops are waiting around the corner for the guys to come back (unlikely, but you never know).

    2. Re:Hiders Keepers? by Stephenmg · · Score: 5, Informative

      Bluetooth range can go up to 100 meters depending on the class of the transmitter. Class 1 ~100m, Class 2 ~10m, class 3 ~1m. A class 2 the recording device could be hidden in the trunk of the abandoned car at the place next door. Class 1 could be down the street.

    3. Re:Hiders Keepers? by dan_linder · · Score: 4, Insightful

      ...and with the price of flash memory so low, it would be pretty easy to hide a little digital camera to snap photos of the person as they put the card in and/or stood in front of the machine. It would be easy to download those too and if they saw a few with the manager and a customer standing and pointing at the machine they would know that the gig was up and to just walk away.

      I'm really thinking the cash idea is the way to go from now on. :-(

      Dan

    4. Re:Hiders Keepers? by Beardo+the+Bearded · · Score: 4, Funny

      In England, it's always Albanians or Romanians. Counts, the lot of them.

      FTFY

      --

      ---
      ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
    5. Re:Hiders Keepers? by BrokenHalo · · Score: 4, Informative

      In any case, returning to the issue of range for a moment:

      I have a Belkin F8T012 USB Bluetooth dongle that works quite well at distances well over 100m. (The advertised maximum is 100m.) It wouldn't be hard to make yourself inconspicuous at that distance from the pump.

  2. No worries here. by The+MAZZTer · · Score: 4, Insightful

    I always pay for gas in cash. I think I will not change this personal policy in the near future.

  3. ATM Skimmer by Thelasko · · Score: 4, Interesting

    I've noticed that my bank has introduced new ATM's to combat skimming. The card reader now has flashing lights, and the display shows a picture of what the card reader should look like.

    --
    One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
    1. Re:ATM Skimmer by Anonymous Coward · · Score: 5, Interesting

      This is not new in Europe. Every ATM now has it. Also sine 3-4 years ago all cards have a chip in them. The transaction is authorized by the chip in a real-time two way communication, and you have to punch in the pin code. But that is never going to happen here in US, primary because it means no tips. But why bug gas stations - just go work as a waiter, or at any cash register desk and just routinely slide the card through a second reader. In EU the waiter at a restaurant has to bring the POS terminal to your table. You insert the card into the slot, while the card is in the slot the waiter puts in the amount, you check it, decide to tip or not, put the amount of tip in, then dial your pin code. Then the chip on the card already connected with the bank of the POS terminal starts to make the transaction, the bank proxies that transaction to your bank, the chip on the card talks with your bank, and it's done, money are wired from you account to the merchant account. Plain and simple, and in no more than 10 seconds you get an SMS on your cell phone - hey - merchant XXX, pos terminal ID YYY just withdrew 20 euro from your card ending in ..... If it's not you, you pick up the phone, call your bank and just tell them it is not you. And that's it.. the merchant cannot change the amount you were billed at a later time. Here in US you have to wait up to 5 days to have it posted and it could get changed a lot (usually because of the tips).

      You have to decide whether you want a convenience of just waving your card in front of a cash register, or you want the security of actually allowing the transfer of funds from your account. As for the banks - it will always be easier and more profitable to have the people loose their money and go into debt. That is why only a strong government regulation can make them change something. On a little bit of side not - in Europe if you don;t have enough funds in your card the transaction is refused and no penalty is payed. Here, because of the delay in posting transactions you could easily overdraw your card, and get charged 50 for each transfer after the limit.

      So.. decide.. convenience or security.

  4. bluetooth by confused+one · · Score: 5, Informative

    Does this mean an accomplice has to hang around within 3m of the pump?

    No, a Class 1 Bluetooth device has a range of up to 100m.

  5. Doesnt sound overly hard to by kaptink · · Score: 4, Insightful

    Why don't they make gas stations check their pumps once a day for skimmers? Perhaps when they set the price in the morning. Seems relatively simple.

    --
    Those who can, do. Those who cannot, sue.
  6. What a skimmer actually looks like by kryptKnight · · Score: 4, Informative

    Since none of the articles linked to by the summary felt it was relevant to mention what these skimmers actually look like, here's an article from Consumerist.

    --
    Facts do not cease to exist because they are ignored. -Aldous Huxley
    1. Re:What a skimmer actually looks like by whoever57 · · Score: 4, Informative

      Since none of the articles linked to by the summary felt it was relevant to mention what these skimmers actually look like, here's an article from Consumerist.

      That's an ATM skimmer, which are different to gas pump skimmers. Because the attackers don't have access to the inside of the ATM, everything is done by sticking gizmos on the outside of the ATM. With gas pumps, I don't think there are any signs that a user can see that a skimmer has been installed -- it's all internal to the gas pump.

      --
      The real "Libtards" are the Libertarians!
    2. Re:What a skimmer actually looks like by Rogerborg · · Score: 5, Informative

      attackers don't have access to the inside of a gas pump either.

      Y'all got some religious prohibition about Reading The Fine Article?

      Unlike ATM skimming devices, which are attached to the exterior of a machine, over the card reader, the Shell skimming device was actually inside the terminal, wired between the card scanner and the computer board.

      The entirety of human knowledge at your fingertips, and you still insist on wearing your ignorance like a badge.

      --
      If you were blocking sigs, you wouldn't have to read this.
  7. insight from the banking industry by flaming+error · · Score: 5, Interesting

    Interesting that this "insight from the banking industry" doesn't seem to indicate the banks have any responsibility for the problem.

    There once was a time that people took their money to the bank for safekeeping. I think banks have partly weaseled themselves out of the security side of the business, and what used to be called "bank robbery" they now call "identity theft." Which works ok for the bank, seeing how it's the customer who lost the money and it must have been the customer's fault, or the gas station's, or the POS equipment vendor's.

    The bank, which should act like a watchdog, portrays itself as something of an innocent bystander.

  8. Re:Get the chip by fuzzyfuzzyfungus · · Score: 5, Insightful

    There is one unpleasant downside to "chip & PIN"...

    While it is certainly more secure than mag stripe, the various issuing institutions, at least in Britain, have tried to use this to argue that theft/skimming losses should now be the fault of the "negligent" customer, rather than their problem.

    I have nothing against better security, I do have a problem with better security being tarted up as evidence that no intrusion could possibly have occurred without the connivance of the customer.

  9. Re:Get the chip by Anonymous Coward · · Score: 4, Informative

    The system relies on the chip to tell the terminal that a valid PIN was used, rather than the terminal+chip+PIN creating a cryptographic message to the bank so the bank can verify that a valid PIN was used. End result: All you need is a fake chip that always tells the terminal a valid PIN was used.

    http://www.zdnet.co.uk/news/security-threats/2010/02/11/chip-and-pin-is-broken-say-researchers-40022674/1/

  10. It's usually the same key by Megane · · Score: 4, Informative

    I used to write code that talked to gas pumps, and I can tell you that most pumps take the same key for the printer door, a different same key for the terminal (Gilbarco CRIND/Wayne CAT) door, and I think another same key for the pump control door. That's the same keys for the entire model run of a pump, and maybe for more than one model, unless maybe a big oil chain installs a different same key. Even then, they're those round locks like the ones that some laptop cables use that can be picked with a part from a Bic pen. (Presumably they're better made than the laptop cable locks.)

    The card data is sent up to the station's control computer directly, usually both track 1 and track 2 data. I don't think it would be hard to insert a skimmer behind the door, whether a second mag reader head, or just splice the wires from the card reader. Or even rig the station control computer if you have access to that. (For that matter, all the card numbers may end up in a log file on that computer.)

    There's not much danger of a pin pad skimmer, however, because in the US, PINs are protected by each pinpad having a master key injected into RAM before shipping to the site. They are potted in epoxy and have a memory kill switch if you attempt to open them. This works differently from the European system, which is why the US hasn't had to go to "chip and pin". The PIN is encrypted in the pad, the pinpad's serial number is attached, and the result is only decrypted by the card clearing house computers, which have a list of all the decryption keys. Even if the guy who ran the station was doing the skimming, debit PINs couldn't be skimmed and still work properly. But that's just debit. Credit cards don't have a PIN.

    So unlike ATM skimmers, they could definitely hide the skimmer behind the door, but they would still need a camera of some sort to capture the PINs. Fortunately most gas pump terminals have a relatively flat front, so they can't just hide the camera on a different part of the panel.

    --
    #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
  11. Re:Get the chip by Zouden · · Score: 4, Informative

    Not since November 2009. The banks are now required to prove the customer was at fault.

    --
    "A week in the lab saves an hour in the library"
  12. Re:Get the chip by Insightfill · · Score: 4, Interesting

    ...the various issuing institutions, at least in Britain, have tried to use this to argue that theft/skimming losses should now be the fault of the "negligent" customer, rather than their problem.

    Yes, Slashdot covered a similar case a few years ago. "Stolen car!? That's impossible with our current state-of-the-art RFID keys! You must have negligently left your keys where someone could take them; no insurance for you!"

  13. Actual picture of one of these skimmers by esme · · Score: 4, Informative

    The local paper (Gainesville Sun) had a picture of the skimmer on the first day it was found:

    http://www.gainesville.com/article/20100707/ARTICLES/100709681

    Basically it looks like a thin bundle of electrical tape attached to the wire between the magstripe reader and the circuit board inside the gas pump -- completely hidden inside the pump cabinet unlike ATM skimmers.

    -Esme

  14. miniscule Man in the Middle attack by Browzer · · Score: 4, Informative

    A link http://www.networkworld.com/community/blog/newest-attack-your-credit-card-atm-shims?t51hb&hpg1=mp in the original story, entitled "Newest Attack on your Credit Card: ATM Shims" has some interesting information:

    "The shim needs to be extremely thin and flexible. In fact it must be less than 0.1mm"

    "The shim is inserted using a "carrier card" that holds the shim, inserts it into the card slot and locks it into place on the internal reader contacts."

    "Once inserted, the shim is not visible from the outside of the machine. The shim then performs a man-in-the-middle attack between an inserted credit card and the circuit board of the ATM machine."

    "flexible shims are recently being mass produced and widely used in certain parts of Europe"

    "Diebold released five new anit-skimming protection levels for its ATM devices june 1st 2010...Unfortunately, none of these helps with the shim skimming attack. That problem has yet to be solved mechanically yet."