More Gas Station Credit-Card Skimmers
coondoggie notes a Network World piece on credit-card skimmers found installed in gas pumps, this time in Florida. Like the similar wave of attacks in Utah earlier this year, the latest crop uses Bluetooth to transmit the illicitly collected data. Does this mean an accomplice has to hang around within 3m of the pump? "The Secret Service has indicated there's a crime wave throughout the Southeast involving the gas-station pump card skimmers, and it may be traced back to a single gang that may be working out of Miami... St. Johns County in Florida has also been hit by the gas-pump card skimmers. [A local sheriff's department spokesman] says criminals wanting to hide the credit-card skimmers in gas pumps have to have a key to the pump, but in some cases a single key will serve to get into many gas pumps." Here's an insight from the banking industry on the skimming fraud.
Hiders Keepers? (Score:4, Informative)
Does this mean an accomplice has to hang around within 3m of the pump?
No. What it means is that there's no need for there to be a wire that leads to the skimmer's recording device... which now can be hidden in the next pump over. This also means the mag reader could be placed in the pump without a recording device, therefore requiring the pump to be taken apart for inspection, adding to the cleanup costs.
Remember, once a fraud becomes so expensive to clear up that the expenses are greater than the total loss, then it's almost allowed to continue unchecked.
bluetooth (Score:5, Informative)
Does this mean an accomplice has to hang around within 3m of the pump?
No, a Class 1 Bluetooth device has a range of up to 100m.
Re:Hiders Keepers? (Score:5, Informative)
Re:Doesnt sound overly hard to (Score:2, Informative)
My card got skimmed in Iowa (Score:2, Informative)
I'm usually paranoid about such things, but I didn't even notice. Chase was really on the ball with it though. The crooks who stole my card weren't able to charge a damn thing, because their first attempt tripped the alarm bells.
These skimmer gangs are pervasive, though. They have people working on the inside at retailers everywhere. When mine was skimmed, they tried to use the card to buy several DVD players at a Walgreens nearby within minutes of me buying gas. As it turned out, they had skimmed several dozen cards that morning and had people working in retail stores all around the area trying to buy mostly electronics merchandise with the card numbers. It was a pretty large theft ring...
What a skimmer actually looks like (Score:5, Informative)
Re:Doesnt sound overly hard to (Score:3, Informative)
Because gas stations are no longer gas stations manned by trained mechanics. They are convenience stores, manned by people who generally don't have any control or technical knowledge of the pumps. Prices are set over the internet. About all the cashier can do is put a yellow bag over the handle if there's a complaint about a pump, and call it in.
Re:What a skimmer actually looks like (Score:5, Informative)
That's an ATM skimmer, which are different to gas pump skimmers. Because the attackers don't have access to the inside of the ATM, everything is done by sticking gizmos on the outside of the ATM. With gas pumps, I don't think there are any signs that a user can see that a skimmer has been installed -- it's all internal to the gas pump.
Re:No worries here. (Score:1, Informative)
Are you an idiot? You can always pay like $60 or whatever, and if the tank is full before the money runs out you go back and they give you change!!!
Re:insight from the banking industry (Score:3, Informative)
Re:Get the chip (Score:3, Informative)
Banks do take liability for credit card fraud unless they can prove merchants did not obey the security precautions mandated by the acquiring bank's or card association's agreement.
Re:Doesnt sound overly hard to (Score:3, Informative)
What's needed is an end-to-end validation system. My card needs to tell me if I'm connected over a secure, untampered channel to my bank; maybe some LEDs along with the chip (that's right, ditch the magnetic stripe). My bank needs to know that it is a valid card; perhaps some sort of one time pad that's burned into the card at time of issuance.
You mean a cryptographic smartcard that has the private key on chip and never tells it, like this: http://en.wikipedia.org/wiki/Smart_card#Cryptographic_smart_cards [wikipedia.org] ?
Re:What a skimmer actually looks like (Score:5, Informative)
Y'all got some religious prohibition about Reading The Fine Article [bankinfosecurity.com]?
The entirety of human knowledge at your fingertips, and you still insist on wearing your ignorance like a badge.
Re:Get the chip (Score:4, Informative)
The system relies on the chip to tell the terminal that a valid PIN was used, rather than the terminal+chip+PIN creating a cryptographic message to the bank so the bank can verify that a valid PIN was used. End result: All you need is a fake chip that always tells the terminal a valid PIN was used.
http://www.zdnet.co.uk/news/security-threats/2010/02/11/chip-and-pin-is-broken-say-researchers-40022674/1/ [zdnet.co.uk]
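A simplified model of the design point made in the comment above, added here as an example; it is not from the thread, the linked article or any card scheme's specification. The field names, the HMAC construction and the shared key are assumptions chosen to show why the issuer should rely on a PIN result the card itself authenticates rather than on the terminal's word.

```python
import hashlib
import hmac
import json

# Constructed demo key; stands in for a secret shared by card and issuer.
CARD_KEY = b"constructed-demo-key"

def card_mac(key, amount, nonce, card_pin_ok):
    """MAC the card computes over the transaction AND its own PIN-check result."""
    body = json.dumps([amount, nonce, card_pin_ok]).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def make_request(amount, nonce, card_pin_ok, terminal_pin_ok, key=CARD_KEY):
    """What the issuer receives: card-authenticated fields plus the terminal's claim."""
    return {
        "amount": amount,
        "nonce": nonce,
        "card_pin_ok": card_pin_ok,          # covered by the MAC
        "terminal_pin_ok": terminal_pin_ok,  # NOT covered by the MAC
        "mac": card_mac(key, amount, nonce, card_pin_ok),
    }

def mac_valid(key, req):
    expected = card_mac(key, req["amount"], req["nonce"], req["card_pin_ok"])
    return hmac.compare_digest(expected, req["mac"])

def authorize_trusting_terminal(key, req):
    """Design the comment criticises: the PIN result is taken on the terminal's word."""
    return mac_valid(key, req) and req["terminal_pin_ok"]

def authorize_bound_to_card(key, req):
    """Approve only if the card vouches, under the MAC, that it checked the PIN."""
    if not mac_valid(key, req):
        return "decline: bad MAC"
    if req["terminal_pin_ok"] and not req["card_pin_ok"]:
        return "decline: terminal says PIN verified, card does not"
    return "approve" if req["card_pin_ok"] else "decline: no PIN verification"

# Constructed sample requests as the issuer would see them.
HONEST = make_request(4200, "n1", card_pin_ok=True, terminal_pin_ok=True)
MISMATCH = make_request(4200, "n2", card_pin_ok=False, terminal_pin_ok=True)
FORGED = dict(MISMATCH, card_pin_ok=True)  # field flipped without the key

if __name__ == "__main__":
    for name, r in [("honest", HONEST), ("mismatch", MISMATCH), ("forged", FORGED)]:
        print(name, authorize_trusting_terminal(CARD_KEY, r), authorize_bound_to_card(CARD_KEY, r))
```

The mismatch request is approved by the first check and declined by the second, which is the difference between trusting an unauthenticated "PIN OK" and binding that result into what the card signs.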
It's usually the same key (Score:5, Informative)
I used to write code that talked to gas pumps, and I can tell you that most pumps take the same key for the printer door, a different same key for the terminal (Gilbarco CRIND/Wayne CAT) door, and I think another same key for the pump control door. That's the same keys for the entire model run of a pump, and maybe for more than one model, unless maybe a big oil chain installs a different same key. Even then, they're those round locks like the ones that some laptop cables use that can be picked with a part from a Bic pen. (Presumably they're better made than the laptop cable locks.)
The card data is sent up to the station's control computer directly, usually both track 1 and track 2 data. I don't think it would be hard to insert a skimmer behind the door, whether a second mag reader head, or just splice the wires from the card reader. Or even rig the station control computer if you have access to that. (For that matter, all the card numbers may end up in a log file on that computer.)
There's not much danger of a pin pad skimmer, however, because in the US, PINs are protected by each pinpad having a master key injected into RAM before shipping to the site. They are potted in epoxy and have a memory kill switch if you attempt to open them. This works differently from the European system, which is why the US hasn't had to go to "chip and pin". The PIN is encrypted in the pad, the pinpad's serial number is attached, and the result is only decrypted by the card clearing house computers, which have a list of all the decryption keys. Even if the guy who ran the station was doing the skimming, debit PINs couldn't be skimmed and still work properly. But that's just debit. Credit cards don't have a PIN.
So unlike ATM skimmers, they could definitely hide the skimmer behind the door, but they would still need a camera of some sort to capture the PINs. Fortunately most gas pump terminals have a relatively flat front, so they can't just hide the camera on a different part of the panel.
Re:Get the chip (Score:5, Informative)
Not since November 2009. [wikipedia.org] The banks are now required to prove the customer was at fault.
Actual picture of one of these skimmers (Score:5, Informative)
The local paper (Gainesville Sun) had a picture of the skimmer on the first day it was found:
http://www.gainesville.com/article/20100707/ARTICLES/100709681 [gainesville.com]
Basically it looks like a thin bundle of electrical tape attached to the wire between the magstripe reader and the circuit board inside the gas pump -- completely hidden inside the pump cabinet unlike ATM skimmers.
-Esme
Minuscule Man in the Middle attack (Score:4, Informative)
A link http://www.networkworld.com/community/blog/newest-attack-your-credit-card-atm-shims?t51hb&hpg1=mp [networkworld.com] in the original story, entitled "Newest Attack on your Credit Card: ATM Shims" has some interesting information:
"The shim needs to be extremely thin and flexible. In fact it must be less than 0.1mm"
"The shim is inserted using a "carrier card" that holds the shim, inserts it into the card slot and locks it into place on the internal reader contacts."
"Once inserted, the shim is not visible from the outside of the machine. The shim then performs a man-in-the-middle attack between an inserted credit card and the circuit board of the ATM machine."
"flexible shims are recently being mass produced and widely used in certain parts of Europe"
"Diebold released five new anti-skimming protection levels for its ATM devices June 1st 2010...Unfortunately, none of these helps with the shim skimming attack. That problem has yet to be solved mechanically yet."
Re:ATM Skimmer (Score:1, Informative)
Canada has the same setup. More transactions are done through debit in this country than are done through cash.
Re:What a skimmer actually looks like (Score:3, Informative)
While I'm sure the author of that article is well intentioned, they get a few facts wrong. In addition to naming the wrong city, they have an incorrect picture. A correct picture can be found at the local newspaper [gainesville.com].
Re:Hiders Keepers? (Score:4, Informative)
I have a Belkin F8T012 USB Bluetooth dongle that works quite well at distances well over 100m. (The advertised maximum is 100m.) It wouldn't be hard to make yourself inconspicuous at that distance from the pump.
Re:No worries here. (Score:3, Informative)
I haven't been to a gas station where this was possible...ever. Every pump I've ever used had to be authorized by the attendant, you couldn't just pump and go.
Re:ATM Skimmer (Score:2, Informative)
On my few trips to the US, there's something I've always been a bit wary of, yet it seems common practice... When I pay for things at the checkout, I hand over my credit card, they give it back to me, then I sign for it without having my signature checked to see if it matches the card.
Over here (UK), I know we have Chip & Pin now, but before then, the cashier would keep your card and check your signature against the one on the card before handing it back. I used to do that job, once had a guy sign nothing like the one on the card, claimed it was his boyfriend's card. As per company policy, I rang the bank's authorisation phone number, they told me to destroy and return the card to the bank!
Re:No worries here. (Score:3, Informative)
Where you live (some place in Canada) is not the same as everywhere in (Canada). In Toronto and likely most of Ontario, you only have to prepay when it's late at night or a bad area of the city (or both).