More Gas Station Credit-Card Skimmers 251
coondoggie notes a Network World piece on credit-card skimmers found installed in gas pumps, this time in Florida. Like the similar wave of attacks in Utah earlier this year, the latest crop uses Bluetooth to transmit the illicitly collected data. Does this mean an accomplice has to hang around within 3m of the pump? "The Secret Service has indicated there's a crime wave throughout the Southeast involving the gas-station pump card skimmers, and it may be traced back to a single gang that may be working out of Miami... St. Johns County in Florida has also been hit by the gas-pump card skimmers. [A local sheriff's department spokesman] says criminals wanting to hide the credit-card skimmers in gas pumps have to have a key to the pump, but in some cases a single key will serve to get into many gas pumps." Here's an insight from the banking industry on the skimming fraud.
ATM Skimmer (Score:5, Interesting)
Re:Doesnt sound overly hard to (Score:4, Interesting)
I wonder how man skimmers are installed by the person with the key to the gas pump? Checking wouldn't do much good if the guy checking the pump is the one who installed the skimmer.
insight from the banking industry (Score:5, Interesting)
Interesting that this "insight from the banking industry" doesn't seem to indicate the banks have any responsibility for the problem.
There once was a time that people took their money to the bank for safekeeping. I think banks have partly weaseled themselves out of the security side of the business, and what used to be called "bank robbery" they now call "identity theft." Which works ok for the bank, seeing how it's the customer who lost the money and it must have been the customer's fault, or the gas station's, or the POS equipment vendor's.
The bank, which should act like a watchdog, portrays itself as something of an innocent bystander.
Re:Doesnt sound overly hard to (Score:4, Interesting)
I was a gas station attendant for 3 years while getting my college degrees.
It was a nice easy job with fringe benefits like the ability to do homework on the job, free soda fountain mountain dew and access to jailbait.
At one time we had me - a CS major doing AI research and a Nuclear Physics major on her way to the Air Force Academy running the night shift.
Most of the people who can't handle the gas station clerk position think exactly like you do,
except they don't realize that they have to do paperwork at the end of each shift and quit because division is to hard.
Re:ATM Skimmer (Score:5, Interesting)
This is not new in Europe. Every ATM now has it. Also sine 3-4 years ago all cards have a chip in them. The transaction is authorized by the chip in a real-time two way communication, and you have to punch in the pin code. But that is never going to happen here in US, primary because it means no tips. But why bug gas stations - just go work as a waiter, or at any cash register desk and just routinely slide the card through a second reader. In EU the waiter at a restaurant has to bring the POS terminal to your table. You insert the card into the slot, while the card is in the slot the waiter puts in the amount, you check it, decide to tip or not, put the amount of tip in, then dial your pin code. Then the chip on the card already connected with the bank of the POS terminal starts to make the transaction, the bank proxies that transaction to your bank, the chip on the card talks with your bank, and it's done, money are wired from you account to the merchant account. Plain and simple, and in no more than 10 seconds you get an SMS on your cell phone - hey - merchant XXX, pos terminal ID YYY just withdrew 20 euro from your card ending in ..... If it's not you, you pick up the phone, call your bank and just tell them it is not you. And that's it.. the merchant cannot change the amount you were billed at a later time. Here in US you have to wait up to 5 days to have it posted and it could get changed a lot (usually because of the tips).
You have to decide whether you want a convenience of just waving your card in front of a cash register, or you want the security of actually allowing the transfer of funds from your account. As for the banks - it will always be easier and more profitable to have the people loose their money and go into debt. That is why only a strong government regulation can make them change something. On a little bit of side not - in Europe if you don;t have enough funds in your card the transaction is refused and no penalty is payed. Here, because of the delay in posting transactions you could easily overdraw your card, and get charged 50 for each transfer after the limit.
So.. decide.. convenience or security.
Re:Doesnt sound overly hard to (Score:4, Interesting)
In the meantime, I'm curious why the "card path" of any exposed payment system would be designed such that it has internal voids where 3rd party hardware can be stashed. A mag-stripe reader is just a surface, with a few mm of electronics behind it. Generally, because people aren't too good at keeping their card at just the right distance, you mount the reader parallel to a passive plate a few mm away, through which the card is run. With a surface channel design, the attacker has to stick their skimmer onto the surface, where it can be detected by visual inspection(made easier if the card slot has blinkenlights, a highly specific shape, certain color/pattern, etc.)
If, for some reason, an internal card path must be used, so that the card can be held on to during the transaction or whatever, one could still make sure that the internal chamber is small enough to admit only a card, and that the eject mechanism doesn't just pop the card halfway out; but actually completely scrapes out the internal chamber each cycle(in order to remove, say, a thin-film reader fabricated on a sticky backed piece of flexible circuit board)...
Good mechanical design won't stop all skimmers; because people may not notice even a fairly blatant one just taped on top of the actual reader; but it should be fairly easy, with good design of the card path, to make it impossible to mount an internal reader without doing some in-situ metalworking.
ATMs (Score:3, Interesting)
After several years of being told by banks to watch out for large plastic attachments to ATM card slots, I've noticed that an increasing number of bank-owned ATMs now have them as a part of their design. The simple, flush-mounted card slot on a grey plastic / metal bezel is now giving way to a protruding translucent green plastic bulge on grey plastic / metal bezel.
Which makes less than zero sense.
They look fake as can be, especially when paired with a slightly older ATM with the more sensible slot.
Now, one might argue that the crazy card slots are a great theft deterrent because they preclude the attachment of a skimmer, but they also make it impossible for the machine to snap up a stolen card, nor do they really look legitimate enough to give the user peace of mind.
Re:ATM Skimmer (Score:3, Interesting)
According to my father, who is a Branch Manager at Citibank, the Citi ATMs now have a system that shuts down the ATM completely (ie. the screen goes blank, the CPU shuts off, and the cash gets locked down) if any metal/magnets are placed on/near the card reader. To reboot, the ATM has to be opened (usually from the inside of the building) and manually reset. All to help avoid skimmers.
However, I've stuck my magnetic billfold right on top of the card reader and nothing happened, so YMMV.
Re:Get the chip (Score:5, Interesting)
Yes, Slashdot covered a similar case [slashdot.org] a few years ago. "Stolen car!? That's impossible with our current state-of-the-art RFID keys! You must have negligently left your keys where someone could take them; no insurance for you!"
Re:Doesnt sound overly hard to (Score:3, Interesting)
No, although I saw a picture of a card with a tiny LCD screen somewhere. That would be useful to verify the amount -- someone could tamper with a terminal's display to show one amount, but ask the card to authenticate a different amount.
I don't know whether there's a key in the terminal that the card can validate...
There's been a case where tampered readers [wikipedia.org] have led to fraud (see "Successful attacks"), but that relied on using non-EMV transactions.
I also have one of these [wikipedia.org], which so far my bank only uses to validate money transfers on online banking, but could be used to validate web purchases too.
Re:ATM Skimmer (Score:3, Interesting)
If you aren't already versed in the finer points of duck-fucking, you shouldn't ask.
Who's making this gear? (Score:3, Interesting)
Re:Hiders Keepers? (Score:2, Interesting)
The English don't have Counts, they have Earls. The wife of an Earl is a Countess, go figure. If they made their Earls Counts, then there would not be a shortage in the Counts.
Re:Hiders Keepers? (Score:4, Interesting)
and if one get a directional antenna, things get really interesting. Iirc, there is at least one guy thats built something he called a bluetooth sniper rifle with a range of a kilometer or more.
Re:Hiders Keepers? (Score:2, Interesting)
White folks just do it differently - often legally and out in the open. Goldman Sachs, Morgan Stanley, Bank of America, Chase, etc.
Fannie Mae: "As WND reported, an Enron-like accounting scandal enabled Raines to earn $90 million in his five years as Fannie Mae CEO, from 1999 to 2004." [wnd.com]
Is this the exception that proves the rule? Don't know, but I'm not a racist like you, Mister Whirly (964219). Did your father teach you that black people aren't smart enough to commit multi-million dollar financial fraud?