More Gas Station Credit-Card Skimmers

coondoggie notes a Network World piece on credit-card skimmers found installed in gas pumps, this time in Florida. Like the similar wave of attacks in Utah earlier this year, the latest crop uses Bluetooth to transmit the illicitly collected data. Does this mean an accomplice has to hang around within 3m of the pump? "The Secret Service has indicated there's a crime wave throughout the Southeast involving the gas-station pump card skimmers, and it may be traced back to a single gang that may be working out of Miami... St. Johns County in Florida has also been hit by the gas-pump card skimmers. [A local sheriff's department spokesman] says criminals wanting to hide the credit-card skimmers in gas pumps have to have a key to the pump, but in some cases a single key will serve to get into many gas pumps." Here's an insight from the banking industry on the skimming fraud.

bluetooth

[confused+one]

Does this mean an accomplice has to hang around within 3m of the pump?

No, a Class 1 Bluetooth device has a range of up to 100m.

Re:Hiders Keepers?

[atrus]

Or, in reality, every skimmer records numbers. The thief comes by with the "dumper", buys some gas while take a complete download of the current recorder memory. Its far less risky on the retrieval of the numbers, especially if the skimmers have already been identified and the cops are waiting around the corner for the guys to come back (unlikely, but you never know).

Re:Hiders Keepers?

[Stephenmg]

Bluetooth range can go up to 100 meters depending on the class of the transmitter. Class 1 ~100m, Class 2 ~10m, class 3 ~1m. A class 2 the recording device could be hidden in the trunk of the abandoned car at the place next door. Class 1 could be down the street.

insight from the banking industry

[flaming+error]

Interesting that this "insight from the banking industry" doesn't seem to indicate the banks have any responsibility for the problem.

There once was a time that people took their money to the bank for safekeeping. I think banks have partly weaseled themselves out of the security side of the business, and what used to be called "bank robbery" they now call "identity theft." Which works ok for the bank, seeing how it's the customer who lost the money and it must have been the customer's fault, or the gas station's, or the POS equipment vendor's.

The bank, which should act like a watchdog, portrays itself as something of an innocent bystander.

Re:Get the chip

[fuzzyfuzzyfungus]

There is one unpleasant downside to "chip & PIN"...

While it is certainly more secure than mag stripe, the various issuing institutions, at least in Britain, have tried to use this to argue that theft/skimming losses should now be the fault of the "negligent" customer, rather than their problem.

I have nothing against better security, I do have a problem with better security being tarted up as evidence that no intrusion could possibly have occurred without the connivance of the customer.

Re:ATM Skimmer

This is not new in Europe. Every ATM now has it. Also sine 3-4 years ago all cards have a chip in them. The transaction is authorized by the chip in a real-time two way communication, and you have to punch in the pin code. But that is never going to happen here in US, primary because it means no tips. But why bug gas stations - just go work as a waiter, or at any cash register desk and just routinely slide the card through a second reader. In EU the waiter at a restaurant has to bring the POS terminal to your table. You insert the card into the slot, while the card is in the slot the waiter puts in the amount, you check it, decide to tip or not, put the amount of tip in, then dial your pin code. Then the chip on the card already connected with the bank of the POS terminal starts to make the transaction, the bank proxies that transaction to your bank, the chip on the card talks with your bank, and it's done, money are wired from you account to the merchant account. Plain and simple, and in no more than 10 seconds you get an SMS on your cell phone - hey - merchant XXX, pos terminal ID YYY just withdrew 20 euro from your card ending in ..... If it's not you, you pick up the phone, call your bank and just tell them it is not you. And that's it.. the merchant cannot change the amount you were billed at a later time. Here in US you have to wait up to 5 days to have it posted and it could get changed a lot (usually because of the tips).

You have to decide whether you want a convenience of just waving your card in front of a cash register, or you want the security of actually allowing the transfer of funds from your account. As for the banks - it will always be easier and more profitable to have the people loose their money and go into debt. That is why only a strong government regulation can make them change something. On a little bit of side not - in Europe if you don;t have enough funds in your card the transaction is refused and no penalty is payed. Here, because of the delay in posting transactions you could easily overdraw your card, and get charged 50 for each transfer after the limit.

So.. decide.. convenience or security.

Re:What a skimmer actually looks like

[Rogerborg]

attackers don't have access to the inside of a gas pump either.

Y'all got some religious prohibition about Reading The Fine Article?

Unlike ATM skimming devices, which are attached to the exterior of a machine, over the card reader, the Shell skimming device was actually inside the terminal, wired between the card scanner and the computer board.

The entirety of human knowledge at your fingertips, and you still insist on wearing your ignorance like a badge.