19 May 2011

"Skimmers" found INSIDE hacked gasoline pumps

One of the early posts I wrote for this blog was about why you should favor using cash on a vacation (to avoid credit card data being captured by portable skimmers in the pockets of restaurant servers). A little over a year ago I showed photos of a skimmer attached to a bank ATM.

Now the Mountain View (California) Voice reports on the arrest of two men who had installed skimmers INSIDE gasoline pumps at service stations:

Police were initially tipped off on Dec. 6, 2010, when a gas station attendant discovered a small skimmer -- capable of harvesting credit card numbers from unwitting customers -- attached to the circuit board inside a gas pump...

After searching the duo's van, police found keys that opened the gas pump as well as address information for other stations in the area. An investigation... recovered six identical skimming devices installed at five gas stations...

A specialist in prosecuting high tech crimes, Flattery said it only takes "a matter of seconds" to install the skimming devices, which are made from modified commercial credit card scanners used by retailers. Skimmers record everything needed to produce an exact replica of a credit card.

The ease with which counterfeiters can produce and install the skimmers is exacerbated by the fact that many gas pumps can be opened with the same key, regardless of the brand, Flattery said.

He said this type of scheme is "especially frustrating to consumers," because it is impossible to know from the outside which pumps have been hacked. Law enforcement has to rely on the diligence of individual gas station owners.

This is really quite scary, and undoubtedly more widespread than just California. These guys had stolen 3,600 credit card numbers. As the article notes, the only way a consumer could be guaranteed safety would be to pay the attendant inside the station.

8 comments:

  1. In the EU, just because skimming is so easy, the cards have started to come with a chip; a little computer on the card, that needs the right PIN and confirmation from the bank to work. It can't be copied, and it can't be used without the PIN. Are you starting to see those over there as well? (See https://secure.wikimedia.org/wikipedia/en/wiki/Chip_and_PIN)

  2. Only in very, very few places (I have seen ONE in my whole life) in Germany can you pay at the pump, and then with an EC card, that needs PIN verification.

    Many people don't even have credit cards, and I'd say the majority just uses them for buying stuff on the internet, or when traveling.

  3. Note that the more sophisticated skimmers incorporate a camera that detects the user's fingertaps on the keypad to decipher and record the PIN as well...

  4. Going in to pay the cashier may not be all that safe either. Back in the early 80's I worked at a gas station, and discovered that the cashier on the previous shift had run the customer's card through the imprinter twice, once with the real number and once with a higher price. The customer would then sign the real one and leave with a copy of the real price, but the cashier was then forging the signature onto the fake (possibly by having the customer unwittingly sign it as well), placing the fake into the cash box, and helping himself to the difference in the cash box.

    You just can't trust people.

  5. I live .5 mile from one of those machines in Mountain View, and my card number was stolen somehow a few months ago (but the thieves used it on a shopping spree in San Francisco, about 40 miles away). I wonder if this was the link!?

  6. Hi, from Latvia.
    We too have chip and PIN credit cards here (you cannot get one without a chip for 5 years or so). But chip and PIN cards are not a panacea, as you can see for yourselves here:
    http://www.lightbluetouchpaper.org/2010/12/25/a-merry-christmas-to-all-bankers/

    They make the attack much harder, though.

    Here is a nice picture of a camera setup in a gasoline self-service station somewhere in Finland:
    https://twitpic.com/4w667k

  7. I can't see the camera, unless it's behind that pinhole directly above.

  8. You are correct - the tiny square pinhole at the center of the plastic is all that is needed.
