Slashdot Mirror


French Gas Stations Robbed After Forgetting To Change Gas Pump PINs (zdnet.com)

An anonymous reader quotes a report from ZDNet: French authorities have arrested five men who stole over 120,000 liters (26,400 gallons) of fuel from gas stations around Paris by unlocking gas pumps using a special remote. The five-man team operated with the help of a special remote they bought online and which could unlock a particular brand of gas pumps installed at Total gas stations. The hack was possible because some gas station managers didn't change the gas pump's default lock code from the standard 0000. Hackers would use this simple PIN code to reset fuel prices and remove any fill-up limits.

Crooks would operate in small teams of two to three individuals who visited gas stations at night using two vehicles. A man in a first car would use the remote to unlock the gas station, and then a second car, usually a van, would come along seconds later to fill a giant tanker installed in the back of the vehicle with as much as 2,000 or 3,000 liters in one go. The group advertised the fuel they stole on social media, providing a time and place where customers could come and refuel their vehicles or pick up orders for gasoline and diesel at smaller prices.
Police uncovered the scheme in April 2018, when they arrested a suspect in possession of a remote used in the hack. "Five men, part of the same gang, were arrested on Monday, according to Le Parisien, who first reported the scheme last November," the report adds.


  1. Please do not call them hackers by Squiddie · · Score: 2, Insightful

    There is nothing clever about this. This is just security failing because of the incompetency of the gas station managers. Nothing about this could be called a hack.

    1. Re:Please do not call them hackers by hcs_$reboot · · Score: 3, Informative

      So, the guys bought a remote (like this one [good product btw]), had the remote learn the protocol, and then tried the default '0000' ; quite a hack actually.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    2. Re:Please do not call them hackers by Immerman · · Score: 5, Insightful

      Not even that - script kiddies are still trying to bypass security - these guys were just following the instructions on the box to see if the manager had been stupid enough to not change the factory-default passcode.

      Seems to me that default passwords not being changed is a common enough security threat, across a wide range of devices, that any programmer should defend against it as a standard security precaution. Perhaps simply have the device refuse to operate at all until the password/code is changed, instead simply displaying a message demanding that the passcode be changed before proceeding.

      You probably want initial setup and diagnostics to work normally, but refuse to actually pump any gas, forward any packets, or whatever else the device is supposed to do, until the code is changed.

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
    3. Re:Please do not call them hackers by AmiMoJo · · Score: 1

      I think it was a special RF remote. In Europe petrol pumps usually won't dispense until authorized by a staff member who sits in the payment kiosk watching what is happening on CCTV. When someone pulls up to the pump they check they are not on the banned list or trying to fill up 20 jerry cans and use an RF remote to turn on the pump.

      Most people don't even realize it's happening.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re:Please do not call them hackers by Anonymous Coward · · Score: 1

      You have lists of people who are banned from buying petrol?

      What's wrong with filling up 20 jerry cans? ...So many rules that you just swallow unquestioningly...

    5. Re: Please do not call them hackers by yakatz · · Score: 2

      Thankfully, devices that require you to change the default code are becoming more common. Our brand new copy machines don't force you to change the admin password, but every time someone with admin rights logs in, the system reminds you that the default admin account still has the default password. In truth, even better are devices that don't have a default password at all, but make you set one the first time you connect them.

    6. Re:Please do not call them hackers by stealth_finger · · Score: 1

      There is nothing clever about this. This is just security failing because of the incompetency of the gas station managers. Nothing about this could be called a hack.

      But what is the car analogy? It's like filling your car with stolen fuel....wait.

      --
      Wanna buy a shirt?
      https://www.redbubble.com/people/stealthfinger/shop?asc=u
    7. Re:Please do not call them hackers by stealth_finger · · Score: 1

      What's wrong with filling up 20 jerry cans? ...So many rules that you just swallow unquestioningly...

      Nothing, until you jump back in the car and speed off.

      --
      Wanna buy a shirt?
      https://www.redbubble.com/people/stealthfinger/shop?asc=u
    8. Re:Please do not call them hackers by stealth_finger · · Score: 1

      quite a hack actually.

      HACK THE PLANET!!!!

      --
      Wanna buy a shirt?
      https://www.redbubble.com/people/stealthfinger/shop?asc=u
    9. Re:Please do not call them hackers by tinkerton · · Score: 1

      There has been a car analogy where the entry code (in the remote control) for the alarm system was unmodified allowing the default code to disable the alarm on many cars of the same model.

      And as the late Richard Feynman once recounted about his time at Los Alamos working on the atomic bomb, 20% of the safes he verified were still on factory settings.

    10. Re:Please do not call them hackers by PPH · · Score: 1

      What's wrong with filling up 20 jerry cans?

      Fire regulations. Imagine the inferno when some Canadian fills up 20 jerry cans at Costco and gets in a wreck on I-5 heading back to Vancouver.

      --
      Have gnu, will travel.
    11. Re:Please do not call them hackers by nadass · · Score: 1

      There is nothing clever about this. This is just security failing because of the incompetency of the gas station managers. Nothing about this could be called a hack.

      You literally just described a security hack. The failing on one behalf allows another behalf to take advantage of by way of adopting an additional tool or device. The scenario is literally a "hack," unless you're referring to yourself as being a "hack" of a security expert.

    12. Re: Please do not call them hackers by Immerman · · Score: 1

      An excellent solution. Makes production slightly more complicated, but it shouldn't be by much.

      I like the "physical button" security model for most internet-connected things as well - make sure someone has to be physically present to confirm any potentially harmful action. It seems to me that that's the single most cost-effective layer of security you can add. If it's *really* important, then you make it physically impossible to take a harmful action without that button being pushed. Then you only have to worry about physical security.

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
    13. Re: Please do not call them hackers by Kopp · · Score: 1

      Don't worry, people in Europe thought of it. And they even use credit cards with PIN code security to authenticate the payment.

  2. you don't set them from inside the store? by Joe_Dragon · · Score: 1

    you don't set them from inside the store? But an RF or IR remote? that some can easily clone

    1. Re:you don't set them from inside the store? by Anonymous Coward · · Score: 2, Informative

      You used to have to have cables and set them from inside. Most of the old hardware is this way. These remote ones are "new", "better" and "improved" versions that the manufacturers push on customers. Much like Amazon pushing remotes with an always-on microphone and moving from Bluetooth to Wi-Fi.

  3. More human security by AHuxley · · Score: 2

    1. Have human staff on duty when the gas station is operational.
    2. Have human staff look at the "van" and the amount of fuel and the price of that fuel.
    3. Make people walk from the gas pumps to a cashier with a computer display showing pump used, price and amount of fuel.
    4. Pay for the fuel.
    5. Human staff on duty will see huge numbers never seen before from any average "van" on the computer display? That's not normal.
    Have the computer alert to totally unexpected numbers.
    6. Lots of quality CCTV for face, passengers face and gait.
    7. Remove anything automated that can allow your gas station to pump fuel for free at any time.

    --
    Domestic spying is now "Benign Information Gathering"
    1. Re:More human security by oldgraybeard · · Score: 1

      You may be assuming too much. Is the staff on hand actually paying attention and keeping tabs on operations?
      They are most likely sitting in the corner, bathroom, wherever, playing games or on social media on their phones. And completely oblivious to everything around them.
      These smart phones for some are better than drugs or alcohol.

      Just my 2 cents ;)

    2. Re:More human security by ShanghaiBill · · Score: 1

      1. Have human staff on duty when the gas station is operational.

      This makes no sense. Any given gas station has about a 1% chance of being exploited, and figure one euro per liter and 3000 liters per hit, that is an expected loss of 30 euros. There is no way that is worth an extra full time worker just to monitor the pumps.

      Here's a more cost effective solution: Change the code to something other than 0000.

    3. Re:More human security by AHuxley · · Score: 1

      Re "keeping tabs on operations?"
      Would be selling newspapers, magazines. Hats and sunglasses.
      Food and making hot fresh coffee. Bread and snacks.
      All that fuel.
      Making sure vans don't steal large amounts of fuel.. would be another great reason.

      --
      Domestic spying is now "Benign Information Gathering"
    4. Re:More human security by AHuxley · · Score: 1

      1. ....
      7. Remove anything automated that can allow your gas station to pump fuel for free at any time.

      --
      Domestic spying is now "Benign Information Gathering"
    5. Re:More human security by thegarbz · · Score: 1

      Easier solution:

      1. Have basic competence.

      Done. No need for more people. In fact I'm perfectly happy with "express" petrol stations which is just a pump somewhere and no need to interact with anyone.

    6. Re:More human security by AHuxley · · Score: 1

      The need to interact with people could have stopped that van crime.
      A human looking down to see the amount of fuel getting pumped in real time.
      The police told of a method of crime in real time.

      --
      Domestic spying is now "Benign Information Gathering"
    7. Re:More human security by ArsenneLupin · · Score: 1

      Have human staff on duty when the gas station is operational.

      This was done at night when the station was not operational in manual mode, but rather automatic.

      People can still fill up using a credit card inserted into a slot next to the pump.

      Using their magic remote, the thieves switched the station into daytime mode (where you're supposed to pay inside after filling up...), filled up the van, and switched it back to night-time mode.

      Only protection here would be to give up the night business, but then the station would lose (paying) night-time customers to their neighbor who do have open 24/24.

    8. Re:More human security by ArsenneLupin · · Score: 1

      Once electric cars take over the world, stealing gasoline might be less of a concern :-D

      yeah, because then stealing electricity might be more of a concern :-)

    9. Re:More human security by ArsenneLupin · · Score: 1

      figure one euro per liter and 3000 liters per hit, that is an expected loss of 30 euros.

      Wouldn't that be 3000 Euros? And in France, gas is more expensive than 1€/l...

    10. Re:More human security by Sique · · Score: 1

      Setting the PIN to 1234 instead of 0000 would also have stopped that van crime. And it would have cost much less.

      --
      .sig: Sique *sigh*
    11. Re:More human security by ArsenneLupin · · Score: 1

      The need to interact with people could have stopped that van crime.

      The theft happened at night. When filling stations are typically not manned, but operate with automatic credit card readers.

      This allows the station's operator to capture the business at night without the staff expense.

    12. Re: More human security by Nidi62 · · Score: 2

      There's the problem. Here in the US, ever since the Iraq War when gas shot up to double what it currently is, every station makes you pay before you pump. Too many people were stealing gas.

      --
      The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
    13. Re: More human security by ArsenneLupin · · Score: 1

      every station makes you pay before you pump

      In Europe, filling stations have cameras. When you just drive off when done, you'll be caught pretty quickly...

      I'm not sure what happens if somebody would pull this stunt in a stolen car... never heard of any such occurrence

      At night, when the card readers are in operation, you do indeed have to insert card before you start pumping (but amount is booked after you're done, obviously, as quantity pumped is not known before).

    14. Re: More human security by AmiMoJo · · Score: 1

      In Europe you can pre-authorize your credit card for, say, up to 100 Euro of fuel and then fill up, after which you are billed for the exact amount.

      But these guys got around that by setting the price of fuel to 0.01 Euro/litre instead of the usual ~1.40 Euro/litre.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    15. Re: More human security by houghi · · Score: 1

      Many people are not aware of this, but the same happens in Europe. The moment you put in the card, there will be a 125 EUR amount in authorisation. You then take your fuel for e.g. 75 EUR. The 125 EUR is released and the 75 EUR is billed.

      If you have e.g. only 100 EUR available on your card, you will not be able to get fuel at an unattended station. You could get one on a manned one where you take fuel and pay afterwards. You could also drive away and then wait home for the bill to arrive, together with the court order stuff, as 99% of them have cameras.

      The majority of the people will never realize the 125 EUR in authorisation, because it will never show up on the bill and the majority of people in Europe will pay their credit card at the end of the month and their debit card will have enough to cover it.

      The people who might notice it is if there is an issue with the correction of the amount in authorisation (will sort itself out after a month) and the amount is not available.

      So, yeah. That is not the issue. The issue was that the price they paid was 0.00 EUR per liter (That is around 0.00 USD per gallon. You are welcome).

      --
      Don't fight for your country, if your country does not fight for you.
    16. Re: More human security by mtmra70 · · Score: 1

      By every station, you mean not every station right? In major cities yes, but go to any small town in any state, they accept post-pumping payment.

    17. Re:More human security by stealth_finger · · Score: 2

      Re "keeping tabs on operations?" Would be selling newspapers, magazines. Hats and sunglasses. Food and making hot fresh coffee. Bread and snacks. All that fuel. Making sure vans don't steal large amounts of fuel.. would be another great reason.

      Well if you want your till monkeys to be security they should be paid/trained/equipped accordingly. But they want to pay some kid minimum wage and expect them to notice, give a shit or even do anything about it other than a cursory phone call to the police/manager to let them know what's happened.

      --
      Wanna buy a shirt?
      https://www.redbubble.com/people/stealthfinger/shop?asc=u
    18. Re: More human security by Creepy · · Score: 1

      Definitely still pay inside stores in the US, as I often fill at one. The security system takes a clear shot at your plate and there are several fines for not paying including jail time. I do it when I get pre-paid gas cards from low income people I shuttle around. Usually I get 6-8 $5 or $10 cards a month and the pump readers make me insert, fill, wait, insert next card which fails if you haven't driven off but resets the reader, insert, fill another $5-10, repeat until done. Walking in they scan all I need in about 3 seconds (multiple minutes the other way).

    19. Re:More human security by bobbied · · Score: 1

      1. Have human staff on duty when the gas station is operational. 2. Have human staff look at the "van" and the amount of fuel and the price of that fuel. 3. Make people walk from the gas pumps to a cashier with a computer display showing pump used, price and amount of fuel. 4. Pay for the fuel. 5. Human staff on duty will see huge numbers never seen before from any average "van" on the computer display? That's not normal. Have the computer alert to totally unexpected numbers. 6. Lots of quality CCTV for face, passengers face and gait. 7. Remove anything automated that can allow your gas station to pump fuel for free at any time.

      Or change the default pin used in the equipment and force customers to "prepay" for a reasonable amount of fuel by clearing the credit card in advance or requiring prepayment in cash.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    20. Re:More human security by PPH · · Score: 1

      Change the code to something other than 0000.

      So you are the station manager and you do this. Given the caliber of employee you are able to hire for a minimum wage job like pump attendant, you are going to be called on a daily basis, "Uh, I forgot the code."

      Until one of them gets smart and writes it on the side of the pump with a Sharpie.

      --
      Have gnu, will travel.
    21. Re:More human security by ShanghaiBill · · Score: 1

      Wouldn't that be 3000 Euros?

      €3000 * 1% probability = €30 expected loss

      And in France, gas is more expensive than 1€/l...

      Gas stations don't pay the full retail price.

    22. Re:More human security by desdinova+216 · · Score: 1

      1234 sounds like an idiot's luggage combination

    23. Re:More human security by desdinova+216 · · Score: 1

      here's an unusual idea, why not do all of the above?

    24. Re:More human security by Sique · · Score: 1

      It is. But it would have been sufficient in this case, as any not-0000 would have foiled the plan.

      --
      .sig: Sique *sigh*
  4. But... by xlsior · · Score: 1

    With a 4 digit pincode as only 'security' it barely matters if they changed the default - in all likelihood they could try all pin options in a matter of minutes anyway

    1. Re:But... by hcs_$reboot · · Score: 1

      With a lock / alarm after 3 incorrect attempts

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    2. Re:But... by stealth_finger · · Score: 1

      in all likelihood they could try all pin options in a matter of minutes anyway

      10,000 codes in minutes? I feel bad for your thumb.

      --
      Wanna buy a shirt?
      https://www.redbubble.com/people/stealthfinger/shop?asc=u
    3. Re:But... by hcs_$reboot · · Score: 1

      10,000 codes in minutes? I feel bad for your thumb.

      No. The guys assume the default 0000 was changed, so they tried only 9999.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
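
The two defences proposed in this thread (Immerman's refusal to operate until the factory code is changed, and the lock and alarm after 3 incorrect attempts suggested above), sketched as an added example that is not part of any comment and not any pump vendor's firmware. All function and type names, the 15-minute lockout and the sample code 4821 are assumptions.

```c
/* Added example: hypothetical pump-controller logic, not any vendor's firmware. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define PIN_LEN      4
#define MAX_FAILURES 3      /* lock and alarm after 3 wrong codes */
#define LOCKOUT_SECS 900u   /* assumed lock duration: 15 minutes */
static const char FACTORY_PIN[PIN_LEN + 1] = "0000";

typedef enum { PUMP_OK, PUMP_BAD_PIN, PUMP_LOCKED, PUMP_NO_SESSION,
               PUMP_NOT_COMMISSIONED, PUMP_WEAK_PIN } pump_status;
typedef struct {
    char     pin[PIN_LEN + 1];
    int      commissioned;  /* stays 0 until the factory code is replaced */
    int      session;       /* 1 while a manager is authenticated */
    int      alarm;         /* latched when a lockout is triggered */
    unsigned failures;      /* consecutive wrong codes */
    uint32_t locked_until;  /* controller clock, in seconds */
    unsigned price_milli;   /* price per litre, thousandths of a euro */
} pump_ctl;

void pump_init(pump_ctl *p) {
    memset(p, 0, sizeof *p);
    memcpy(p->pin, FACTORY_PIN, sizeof FACTORY_PIN);
}

/* Compare without an early exit so timing does not reveal matching digits. */
static int pin_equal(const char *a, const char *b) {
    unsigned char diff = 0;
    for (int i = 0; i < PIN_LEN; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Weak: wrong length, non-digit, factory code, one repeated digit, or a run (1234, 4321). */
static int pin_is_weak(const char *pin) {
    int same = 1, up = 1, down = 1;
    if (strlen(pin) != PIN_LEN) return 1;
    for (int i = 0; i < PIN_LEN; i++) {
        if (pin[i] < '0' || pin[i] > '9') return 1;
        if (i == 0) continue;
        same &= (pin[i] == pin[i - 1]);
        up   &= (pin[i] == pin[i - 1] + 1);
        down &= (pin[i] == pin[i - 1] - 1);
    }
    return same || up || down || pin_equal(pin, FACTORY_PIN);
}

pump_status pump_unlock(pump_ctl *p, const char *pin, uint32_t now) {
    p->session = 0;
    if (now < p->locked_until) return PUMP_LOCKED;  /* code is not even checked */
    if (strlen(pin) == PIN_LEN && pin_equal(pin, p->pin)) {
        p->failures = 0; p->session = 1;
        return PUMP_OK;
    }
    if (++p->failures >= MAX_FAILURES) {            /* third miss: lock and alarm */
        p->failures = 0; p->alarm = 1;
        p->locked_until = now + LOCKOUT_SECS;
        return PUMP_LOCKED;
    }
    return PUMP_BAD_PIN;
}

pump_status pump_change_pin(pump_ctl *p, const char *new_pin) {
    if (!p->session) return PUMP_NO_SESSION;
    if (pin_is_weak(new_pin)) return PUMP_WEAK_PIN;
    memcpy(p->pin, new_pin, PIN_LEN + 1);
    p->commissioned = 1;
    return PUMP_OK;
}

/* Price changes and dispensing stay disabled until the factory code is gone. */
pump_status pump_set_price(pump_ctl *p, unsigned milli_eur) {
    if (!p->session) return PUMP_NO_SESSION;
    if (!p->commissioned) return PUMP_NOT_COMMISSIONED;
    p->price_milli = milli_eur;
    return PUMP_OK;
}
pump_status pump_dispense(const pump_ctl *p) {
    return p->commissioned ? PUMP_OK : PUMP_NOT_COMMISSIONED;
}

int main(void) {
    pump_ctl p;
    pump_init(&p);
    pump_unlock(&p, "0000", 0);                     /* factory code still opens setup */
    printf("set price before commissioning: %d\n", pump_set_price(&p, 10));
    printf("change code to 4821 (constructed): %d\n", pump_change_pin(&p, "4821"));
    printf("dispense after commissioning: %d\n", pump_dispense(&p));
    return 0;
}
```

With three tries per 15-minute window, working through all 10,000 codes would take roughly 35 days, and the alarm latches in the first window.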
  5. Re:Petrol Station by hcs_$reboot · · Score: 1

    Excuse my French, but where did you see "petrol" in this page?

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  6. That's IoT for you. by Qbertino · · Score: 1

    Well, ok, it's not exactly IoT, but IoT is in smack-center exact the same position.

    Point in case:
    Just the other day I saw an elaborate public-space ad for a Bluetooth-operated Brother strip-label printer. Totally bizarre. Expensive, complicated, error prone and obsolete in 5 years. Mine is 15 years old and has a keyboard built in and doesn't need a smartphone with a certain type of Bluetooth connection and accompanying software to operate. It will last longer, is cheaper, easier to operate (I only use it once a year or so) and works whether I have my smartphone or not.

    IoT and this gas-pump thing and every other new fad that comes along and thinks that everything should be connected wirelessly and the net if applicable in any way, shape or form is prone to exactly this problem.

    IoT is a fad and will come with tons of problems all very similar to what caused this hilarious joke of a gasoline heist.

    My 2 cents.

    --
    We suffer more in our imagination than in reality. - Seneca
    1. Re:That's IoT for you. by thegarbz · · Score: 1

      this gas-pump thing and every other new fad

      Look, I'm all for reading a good anti IoT rant, but there's nothing "IoT", "new", or "fad" in using IR communications to configure equipment in the oil industry. This is literally the way it's been done for 40 years.

  7. That's the kind of PIN... by Anonymous Coward · · Score: 1

    ...an idiot would have on his luggage!

    1. Re: That's the kind of PIN... by Creepy · · Score: 2

      Factory defaults are designed to be easy so the manual can say 'enter 0000, then press change PIN.' It is also usually designed with a factory reset in mind in case the PIN is lost or forgotten (which would require direct hardware access, usually behind an alarmed key lock).

  8. Re:Petrol Station by phayes · · Score: 1

    No it’s not, it’s a Station d’Essence, just like it says in the linked Parisien article. That Total publishes Brit oriented marketing materials does not force translators in the USA to use UK expressions. — let me guess: You voted Brexit, right?

    --
    Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
  9. They'll do EVERYTHING for CLICKS by Anonymous Coward · · Score: 1

    Idiot "editors", that is. So it's hackers! Hacking! With hacks! Even if this is patently false. Because hackers! Hacking! With hacks! The clicks are the reward.

  10. 5guys? by mark_reh · · Score: 1, Funny

    I'd say something about "hamberders" and Trump here, but I think I won't.

  11. Types of electricity by DrYak · · Score: 1

    Engaging "Captain Obvious" mode, ruiner of quick jokes since birth of forums:

    yeah, because then stealing electricity might be more of a concern :-)

    Charging an e-vehicle requires at least some voltage and amps.

    More than what's available on, e.g.: street lights. (Europe, that would usually be 250V with quickly is hard requirement for a heist )

    The household connector (Europe, that would be 250V, between 10A and 16A depending on regions and type of connector) would be a rather slow trickle.
    It's okay if you leave a vehicle *over-night* or even a couple of days. It's okay-ish if your battery is near dead and you want to get just a little bit more so you can manage to reach a better charging option (you must not be in a hurry. be ready to be patient)

    US household connectors are basically junk (If memory serves me well, 120V with 10A to 15A depending on connector). You should leave your car plugged in for probably a week to steal any meaningful amount of electricity. And such a slow "theft" is going to be painfully obvious.

    So either you need to stay for impractically long time connected to your stealing spot.
    Or you need to steal from a specific rare spot with better voltage/amps, most of which aren't easily accessible:
    - in houses, they would be located in kitchen/cellar
    - outdoors they would be only available at special industrial spots: e.g. where construction workers or market's food trucks need to connect. They are either better guarded (if nothing else, because they would be a safety liability if something goes wrong), or are freely accessible to begin with for the specific purpose to attract customers to the venue (some public car chargers).

    Also electricity is incredibly cheap compared to gas (hence the whole idea of business trying to attract you with cheap or free charging).
    So the whole procedure would help make as much money as stealing candy.

    ---

    *: i.e. 250V on each phase, but 400 between phases.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re:Types of electricity by dehachel12 · · Score: 1

      I thought it was 230-240V

  12. The gas station owner must be fined severely by 140Mandak262Jamuna · · Score: 5, Interesting

    If some thief steals donuts and coffee it is a simple theft. But here the gas station lost control of a hazardous substance and there were rickety vans with leaky tanks with 3000 liters of gasoline sloshing about. These crooks most likely do not understand the effects of fluid being transported in un-baffled tanks. It was a disaster waiting to happen. Safety of hundreds of people has been endangered.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re: The gas station owner must be fined severely by Anonymous Coward · · Score: 1

      Lots of fluids are transported in unbaffled tanks; you just need to drive carefully. Furthermore, if you had it completely full I would think it would be reasonably safe, as it would be incompressible and therefore wouldn't act like a mass with a changing center of mass.

    2. Re:The gas station owner must be fined severely by 140Mandak262Jamuna · · Score: 1

      If you really want to know, diesel has a lower ignition temperature than gasoline. That's why diesel engines don't need spark plugs.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  13. Re:Petrol Station by stealth_finger · · Score: 1

    it's France so it's called a fucking petrol station.

    https://www.total.fr/pro/carburants/essences-sans-plomb

    It might be if they didn't speak French.

    --
    Wanna buy a shirt?
    https://www.redbubble.com/people/stealthfinger/shop?asc=u
  14. I can only imagine by Only+Time+Will+Tell · · Score: 1

    how those fuel exchanges on the side of the road went. "So, where'd you get the cheap fuel?" "It, uh, fell off the back of a truck?"

  15. Fast and Furious Plot by neoRUR · · Score: 1

    I guess we have the Plot for the next Fast and Furious Movie!

    1. Re:Fast and Furious Plot by hcs_$reboot · · Score: 1

      Ok so you're mocking FnF, and yet your posts show that you watched the movies...

      --
      Slashdot, fix the reply notifications... You won't get away with it...
  16. Re: Not a hack! Jeez! by Creepy · · Score: 1

    To be fair, it is little different than illegally entering modem sites in the early 1980s because they left the user/password as admin/admin (which still happens with routers today).

    At least it was just gasoline and not nuclear launch codes (the infamous 00000000).

  17. Only a moron uses "0000" as a pin! by bobbied · · Score: 1

    Quick, change my pin to "1234"!

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    1. Re:Only a moron uses "0000" as a pin! by Scarred+Intellect · · Score: 4, Funny

      Quick, change my pin to "1234"!

      I use 9999, because it's the most secure PIN because it's the last one to get guessed.

      You start with 0000, then 0001, 0002 and so on...9999 will be the last one the haxxors get to!

  18. Did police recover any yellow vests? by mnemotronic · · Score: 1

    Did the perps spend the week stealing gasoline, then spend weekends protesting gas taxes? That would be ballsy.

    --
    The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.
  19. WHAT!?!?! by grep+-v+'.*'+* · · Score: 1

    OMG, really? But I went thru the procedure and changed it *TO* 0000, my favorite number. Let's force the manufacturer to change the default to something else so that *I* can use *MY* number without fear.

    --
    If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
  20. Forgetting? by aglider · · Score: 1

    Idiocy cannot be hidden like that!

    --
    Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.