Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Crime Wireless Networking News

More Gas Station Credit-Card Skimmers 251

coondoggie notes a Network World piece on credit-card skimmers found installed in gas pumps, this time in Florida. Like the similar wave of attacks in Utah earlier this year, the latest crop uses Bluetooth to transmit the illicitly collected data. Does this mean an accomplice has to hang around within 3m of the pump? "The Secret Service has indicated there's a crime wave throughout the Southeast involving the gas-station pump card skimmers, and it may be traced back to a single gang that may be working out of Miami... St. Johns County in Florida has also been hit by the gas-pump card skimmers. [A local sheriff's department spokesman] says criminals wanting to hide the credit-card skimmers in gas pumps have to have a key to the pump, but in some cases a single key will serve to get into many gas pumps." Here's an insight from the banking industry on the skimming fraud.
This discussion has been archived. No new comments can be posted.

More Gas Station Credit-Card Skimmers

Comments Filter:
  • Hiders Keepers? (Score:4, Informative)

    by LostCluster ( 625375 ) * on Tuesday July 13, 2010 @03:53PM (#32892914)

    Does this mean an accomplice has to hang around within 3m of the pump?

    No. What it means is that there's no need for there to be a wire that leads to the skimmer's recording device... which now can be hidden in the next pump over. This also means the mag reader could be placed in the pump without a recording device, therefore requiring the pump to be taken apart for inspection, adding to the cleanup costs.

    Remember, once a fraud becomes so expensive to clear up that the expenses are greater than the total loss, then it's almost allowed to continue unchecked.

    • Re:Hiders Keepers? (Score:5, Informative)

      by atrus ( 73476 ) <atrus AT atrustrivalie DOT org> on Tuesday July 13, 2010 @04:02PM (#32892992) Homepage
      Or, in reality, every skimmer records numbers. The thief comes by with the "dumper", buys some gas while take a complete download of the current recorder memory. Its far less risky on the retrieval of the numbers, especially if the skimmers have already been identified and the cops are waiting around the corner for the guys to come back (unlikely, but you never know).
      • Re:Hiders Keepers? (Score:4, Insightful)

        by dan_linder ( 84060 ) <dan.linder@org> on Tuesday July 13, 2010 @04:09PM (#32893100) Homepage

        ...and with the price of flash memory so low, it would be pretty easy to hide a little digital camera to snap photos of the person as they put the card in and/or stood in front of the machine. It would be easy to download those too and if they saw a few with the manager and a customer standing and pointing at the machine they would know that the gig was up and to just walk away.

        I'm really thinking the cash idea is the way to go from now on. :-(

        Dan

        • Re:Hiders Keepers? (Score:4, Informative)

          by BrokenHalo ( 565198 ) on Tuesday July 13, 2010 @10:16PM (#32895580)
          In any case, returning to the issue of range for a moment:

          I have a Belkin F8T012 USB Bluetooth dongle that works quite well at distances well over 100m. (The advertised maximum is 100m.) It wouldn't be hard to make yourself inconspicuous at that distance from the pump.
        • Re: (Score:3, Insightful)

          by TheLink ( 130905 )
          > I'm really thinking the cash idea is the way to go from now on. :-(

          Why? If I get mugged at (or on the way to) the gas station I lose my cash. If my card gets skimmed, I do not lose my money. If many people's cards get skimmed from the same place, I may not even have to dispute the transaction - the card company will just cancel the card, invalidate the transactions and issue me a new card.

          From the article:
          When a card is compromised, however, the card issuer has to reimburse the customer. If incidents o
      • Re: (Score:2, Insightful)

        by Thelasko ( 1196535 )
        Mod parent up!

        The recording device is in the pump. It records the card numbers internally. The thief then comes back and downloads the data off the skimmer with bluetooth (probably with a phone). Totally inconspicuous.
        • Re: (Score:2, Insightful)

          by mldi ( 1598123 )
          On the bright side, it's easily detectable by checking for BT radios.
          • Re:Hiders Keepers? (Score:4, Insightful)

            by fuzzyfuzzyfungus ( 1223518 ) on Tuesday July 13, 2010 @04:56PM (#32893482) Journal
            I doubt the skimmer-makers would bother, unless the cops have quietly been hunting bluetooth emissions for a while now; but it wouldn't exactly be rocket surgery to have a bluetooth device that just sits there, receiving but maintaining absolute radio silence unless it hears a particular transmission(from a particular bluetooth MAC, if you really want to get paranoid). The wireless analog of port knocking, more or less...

            Particularly with all the cellphones floating around, a BT radio, even one yelling its little amplifier out, is hardly automatically suspicious in a reasonably crowded area. Somebody who knew what they were doing, had the right set of antennas, and had some knowledge of what they were looking for(if, for instance, the skimmer-manufacturers produced a large batch, all with BT modules from the same manufacturer, or even with MACs in series, and some were captured by conventional physical inspection), could definitely hunt them down much more quickly, unless they are very short range units, or were using some stealth strategy like the above...
          • BT radios are common, but ones with easily accessible obex files would be even more suspicious. Cracking such things isn't difficult, as there are usually only a thousand association codes-- easily dictionary attacked and done by a simple script.

    • Re:Hiders Keepers? (Score:5, Informative)

      by Stephenmg ( 265369 ) on Tuesday July 13, 2010 @04:02PM (#32892994)
      Bluetooth range can go up to 100 meters depending on the class of the transmitter. Class 1 ~100m, Class 2 ~10m, class 3 ~1m. A class 2 the recording device could be hidden in the trunk of the abandoned car at the place next door. Class 1 could be down the street.
  • It seems that the sort of people dedicated enough to develop this attack would also be able to learn to pick locks. I don't know for sure, but I'd guess that a gas pump lock isn't very tough to pick. There's no reason that most people would want to open a gas pump, so there's no reason to use a very expensive, pick resistant lock on it.
    • by Aladrin ( 926209 ) on Tuesday July 13, 2010 @04:07PM (#32893052)

      Not many want to, no... But all those that want to do so illegally have really, really bad plans in store. It's enough to offset the relatively small number and need a good lock.

      I don't know that they DO have them, but they should.

    • I lold at this quote from TFA:

      "It's certainly a concern and an issue that's been around for a while," he says. "They're easy to get in to. One would think that each specific gas station would have a key," but that's the case.

    • There's no reason they have to even open the gas pump to pull it off though, and thats the problem. Pull up with a big SUV so that the Gas pump card reader isn't in view of any cameras. Next, pull your bluetooth reader, which can be smaller in size than a candy bar, put it on over the card reader and attach it with glue such that it is inconspicuous. Finish pumping gas. Go inside, Go to the bathroom. Hide your bluetooth reciever in the ceiling tiles. Come back every 3 days and be that creep that all the gas

  • No worries here. (Score:5, Insightful)

    by The MAZZTer ( 911996 ) <megazzt.gmail@com> on Tuesday July 13, 2010 @04:00PM (#32892968) Homepage
    I always pay for gas in cash. I think I will not change this personal policy in the near future.
    • by Nadaka ( 224565 )

      The only problem with paying cash for gas is that I generally like to fill up every time, and I don't have any buddies working the local gas station anymore, so there is no way anyone is going to let me fill up before I pay in cash.

      • You can often leave an ID with the clerk at the counter and they'll turn it on for you. At least they will around here.

    • efficiency issue (Score:3, Insightful)

      by peter303 ( 12292 )
      (1) Takes extra time to visit a clerk and pay cash.
      (2) Amount not recorded automatically. Have to mess around with receipts. During high price periods my gas usage approaches 5% of my budget and should be tracked.
      (3) Requires carrying around more cash, especially in periods when prices are high.
  • ATM Skimmer (Score:5, Interesting)

    by Thelasko ( 1196535 ) on Tuesday July 13, 2010 @04:01PM (#32892982) Journal
    I've noticed that my bank has introduced new ATM's to combat skimming. The card reader now has flashing lights, and the display shows a picture of what the card reader should look like.
    • Which bank?

    • Re:ATM Skimmer (Score:5, Interesting)

      by Anonymous Coward on Tuesday July 13, 2010 @04:57PM (#32893484)

      This is not new in Europe. Every ATM now has it. Also sine 3-4 years ago all cards have a chip in them. The transaction is authorized by the chip in a real-time two way communication, and you have to punch in the pin code. But that is never going to happen here in US, primary because it means no tips. But why bug gas stations - just go work as a waiter, or at any cash register desk and just routinely slide the card through a second reader. In EU the waiter at a restaurant has to bring the POS terminal to your table. You insert the card into the slot, while the card is in the slot the waiter puts in the amount, you check it, decide to tip or not, put the amount of tip in, then dial your pin code. Then the chip on the card already connected with the bank of the POS terminal starts to make the transaction, the bank proxies that transaction to your bank, the chip on the card talks with your bank, and it's done, money are wired from you account to the merchant account. Plain and simple, and in no more than 10 seconds you get an SMS on your cell phone - hey - merchant XXX, pos terminal ID YYY just withdrew 20 euro from your card ending in ..... If it's not you, you pick up the phone, call your bank and just tell them it is not you. And that's it.. the merchant cannot change the amount you were billed at a later time. Here in US you have to wait up to 5 days to have it posted and it could get changed a lot (usually because of the tips).

      You have to decide whether you want a convenience of just waving your card in front of a cash register, or you want the security of actually allowing the transfer of funds from your account. As for the banks - it will always be easier and more profitable to have the people loose their money and go into debt. That is why only a strong government regulation can make them change something. On a little bit of side not - in Europe if you don;t have enough funds in your card the transaction is refused and no penalty is payed. Here, because of the delay in posting transactions you could easily overdraw your card, and get charged 50 for each transfer after the limit.

      So.. decide.. convenience or security.

    • Re: (Score:3, Interesting)

      by Anonymous Coward

      According to my father, who is a Branch Manager at Citibank, the Citi ATMs now have a system that shuts down the ATM completely (ie. the screen goes blank, the CPU shuts off, and the cash gets locked down) if any metal/magnets are placed on/near the card reader. To reboot, the ATM has to be opened (usually from the inside of the building) and manually reset. All to help avoid skimmers.

      However, I've stuck my magnetic billfold right on top of the card reader and nothing happened, so YMMV.

    • The card reader display shows what the card reader should look like?

      And if someone is able to compromise both the card and that image of "what it should look like"?

      In this kind of situation it is better to have banks telling people — through another medium — what the terminals should look like. (But in some countries this might not be possible, if every bank/network has its own design)

      • Re: (Score:2, Insightful)

        by kaiidth ( 104315 )

        The point, as far as I can tell, is that there are many chances to bolt on external junk, whilst it's pretty difficult/unusual to be able to compromise the ATM itself. External devices are just opportunistic ways of reading the data off your card (ie. magnetic strip, maybe a camera to read out the PIN as the user inputs it). I suppose you could place an overlay on the screen, but it sounds like a lot of work compared to a little magnetic strip reader.

        If you'd managed to compromise the ATM (so as to be able

      • Re: (Score:3, Insightful)

        by spazdor ( 902907 )

        And if someone is able to compromise both the card and that image of "what it should look like"?

        If an attacker has sufficient access to change what's being displayed on the ATM screen, then they can probably skip the external card-reader and just yoink the customer's bank data out of RAM.

  • bluetooth (Score:5, Informative)

    by confused one ( 671304 ) on Tuesday July 13, 2010 @04:02PM (#32892986)

    Does this mean an accomplice has to hang around within 3m of the pump?

    No, a Class 1 Bluetooth device has a range of up to 100m.

  • by kaptink ( 699820 ) on Tuesday July 13, 2010 @04:03PM (#32893004) Homepage

    Why don't they make gas stations check their pumps once a day for skimmers? Perhaps when they set the price in the morning. Seems relatively simple.

    • Re: (Score:2, Informative)

      by Anonymous Coward
      Your gas station must have more initiative than mine. At the one closest to my job they let a dead cat sit by the side of the building until it smelled so bad they couldn't ignore it anymore.
    • by nizo ( 81281 ) * on Tuesday July 13, 2010 @04:06PM (#32893046) Homepage Journal

      I wonder how man skimmers are installed by the person with the key to the gas pump? Checking wouldn't do much good if the guy checking the pump is the one who installed the skimmer.

      • Re: (Score:3, Insightful)

        Even in situations where there isn't an inside man(and I'm sure that there sometimes is), a scheme that habituates the employees, anybody monitoring the CCTV cameras, and the public at large, to people frequently opening and poking at the pumps is likely to decrease security, rather than increase it.

        The uniforms of gas station employees aren't exactly secret, nor are clothes that look very much like them hard to get ahold of(given that they are generally just plaincloths, or mechanic-style coveralls, pos
    • Gas station employees. Not gas pump technicians.
      • Hmm, I had the key to the gas pumps - I'm no pump technician. Of course our pumps still had mechanical dials and the max price of fuel was 2.99/gal...

        Anyway, there is a key to the printer on current digital pumps, so the receiver could be stashed inside the pump without needing to be a tech.

    • by vlm ( 69642 )

      Why don't they make gas stations check their pumps once a day for skimmers? Perhaps when they set the price in the morning. Seems relatively simple.

      Being "in" on the scam is even simpler. Especially if you don't need management approval, merely minimum wage McJob worker approval.

    • Re: (Score:3, Informative)

      by blair1q ( 305137 )

      Because gas stations are no longer gas stations manned by trained mechanics. They are convenience stores, manned by people who generally don't have any control or technical knowledge of the pumps. Prices are set over the internet. About all the cashier can do is put a yellow bag over the handle if there's a complaint about a pump, and call it in.

      • Re: (Score:2, Funny)

        by Anonymous Coward
        Hey now, don't insult gas station attendants. Some of them are Slashdot's most prolific posters. I think a couple are even editors here.
    • Because the type of person who works at a gas station is hardly the type of person who can be trained to identify sophisticated electronics. Also, if, like previous commenters suggest, the bluetooth addition forces the pump to be dissasembled, you are talking about adding significantly to the cost of the gas station owner. It's another reincarnation of the old formula: if (cost to fix problem - cost of letting problem go unfixed > 0) then don't fix problem, else hire lobbyists.
      • by Nadaka ( 224565 ) on Tuesday July 13, 2010 @04:37PM (#32893354)

        I was a gas station attendant for 3 years while getting my college degrees.

        It was a nice easy job with fringe benefits like the ability to do homework on the job, free soda fountain mountain dew and access to jailbait.

        At one time we had me - a CS major doing AI research and a Nuclear Physics major on her way to the Air Force Academy running the night shift.

        Most of the people who can't handle the gas station clerk position think exactly like you do,
        except they don't realize that they have to do paperwork at the end of each shift and quit because division is to hard.

        • by socsoc ( 1116769 )
          Closing out your drawer requires division?
        • by Monkeedude1212 ( 1560403 ) on Tuesday July 13, 2010 @05:23PM (#32893704) Journal

          Most of the people who can't handle the gas station clerk position think exactly like you do,
          except they don't realize that they have to do paperwork at the end of each shift and quit because division is to hard.

          The problem is that not every gas station is structured like that. I worked at a Gas station for 2 and a half years, and they basically had 3 people on duty at all times. 2 to run the tills, maintain the cleanliness of the store, and watch the pumps. 1 would be in the back office, doing that paperwork and occaisonally watching security cams. The only paperwork the front line people had to do was count out their till to $100 each time their shift began and ended. Anyone with a pulse could have worked that job. The only way to keep that job was to NOT steal money.)

          And while I wouldn't expect much from even those people, I think they could identify a card reader if taught how. It's as easy as saying "Look at this specific part of the pump. Remember how it looks. Every morning I want you to look at it. If it ever looks different, inform me."

    • Why don't they make gas stations check their pumps once a day for skimmers? Perhaps when they set the price in the morning. Seems relatively simple.

      Trusting sort, aren't you?

      If a gas station employee is going to go through all the trouble of installing a skimmer, then what's to prevent him/her from lying about whether one is installed?

      What's needed is an end-to-end validation system. My card needs to tell me if I'm connected over a secure, untampered channel to my bank; maybe some LEDs along with th
      • one time pad? better an RSA key
        Of course then you have to build processing power into the card to use that key

      • by xaxa ( 988988 )

        Using public key cryptography your card can know it's communicating with a real terminal, and the bank can know it's a real card. You card can then "sign" the transaction.

        All my cards have chips. They all have magnetic stripes too, so they work in the USA, although maybe it'd be cheaper for my bank if the standard card didn't have one, and I had to ask for a card with a magstripe if I wanted to use it outside much of Europe and a few other places. People stealing the magstripe data still happens here, altho

        • I have yet to see a card that indicates whether the reader is valid. Do your cards have any sort of display or indicator on your card?
          • Re: (Score:3, Interesting)

            by xaxa ( 988988 )

            No, although I saw a picture of a card with a tiny LCD screen somewhere. That would be useful to verify the amount -- someone could tamper with a terminal's display to show one amount, but ask the card to authenticate a different amount.

            I don't know whether there's a key in the terminal that the card can validate...

            There's been a case where tampered readers [wikipedia.org] have led to fraud (see "Successful attacks"), but that relied on using non-EMV transactions.

            I also have one of these [wikipedia.org], which so far my bank only uses to

      • Re: (Score:3, Informative)

        by molecular ( 311632 )

        What's needed is an end-to-end validation system. My card needs to tell me if I'm connected over a secure, untampered channel to my bank; maybe some LEDs along with the chip (that's right, ditch the magnetic stripe). My bank needs to know that it is a valid card; perhaps some sort of one time pad that's burned into the card at time of issuance.

        you mean a cryptographic smartcard that has the private key on chip and never tell it like this: http://en.wikipedia.org/wiki/Smart_card#Cryptographic_smart_cards [wikipedia.org] ?

      • by fuzzyfuzzyfungus ( 1223518 ) on Tuesday July 13, 2010 @05:17PM (#32893654) Journal
        While a CC system that doesn't utterly suck, and trust pretty much every link in the chain like it would its own mother, after she had been notarized and presented two forms of photo ID, I suspect that we could be waiting a while for that...

        In the meantime, I'm curious why the "card path" of any exposed payment system would be designed such that it has internal voids where 3rd party hardware can be stashed. A mag-stripe reader is just a surface, with a few mm of electronics behind it. Generally, because people aren't too good at keeping their card at just the right distance, you mount the reader parallel to a passive plate a few mm away, through which the card is run. With a surface channel design, the attacker has to stick their skimmer onto the surface, where it can be detected by visual inspection(made easier if the card slot has blinkenlights, a highly specific shape, certain color/pattern, etc.)

        If, for some reason, an internal card path must be used, so that the card can be held on to during the transaction or whatever, one could still make sure that the internal chamber is small enough to admit only a card, and that the eject mechanism doesn't just pop the card halfway out; but actually completely scrapes out the internal chamber each cycle(in order to remove, say, a thin-film reader fabricated on a sticky backed piece of flexible circuit board)...

        Good mechanical design won't stop all skimmers; because people may not notice even a fairly blatant one just taped on top of the actual reader; but it should be fairly easy, with good design of the card path, to make it impossible to mount an internal reader without doing some in-situ metalworking.
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      They only need to have the card scanner in place for a short period (say an hour or two) to get enough credit cards, then they move on to the next target.

    • Gas stations generally aren't required to protect your info though, the only laws regarding that are that any reciepts which print the card # have to be *'d out.

  • I'm usually paranoid about such things, but I didn't even notice. Chase was really on the ball with it though. The crooks who stole my card weren't able to charge a damn thing, because their first attempt tripped the alarm bells.

    These skimmer gangs are pervasive, though. They have people working on the inside at retailers everywhere. When mine was skimmed, they tried to use the card to buy several DVD players at a Walgreens nearby within minutes of me buying gas. As it turned out, they had skimmed several d

  • The US really needs to get on board with EMV chip & PIN. Once Canada finishes it's conversion America will be the last major mag-stripe holdout. ZIP-confirmation and other two-factor authentication hacks aren't going to cut it. Chip isn't 100% perfect, but it is 1,000x more secure than an unencrypted mag stripe and has yet to be compromised in the wild. Combined with EMV-compliant contactless payments and PIN-less low value transactions (so that PINs aren't captured en masse), the situation could be gre
    • by jfengel ( 409917 )

      ZIP-confirmation and other two-factor authentication hacks aren't going to cut it.

      ZIP confirmation has always seemed spectacularly useless. If you've got somebody's card, the ability to get their address seems trivial. The card comes with the name on it (including on the mag stripe), and Google will give you an address much of the time from that.

      Is there some secret advantage here that I'm missing, or is it just the credit card company's lazy way of pretending to add security?

      • pun not intended. Seriously, a lot of crooks are stopped cold by simple measures, and it's a cheap solution.
      • "Hey boss, marketing and/or legal say we have to have 'two factor authentication' in our product. We could adapt the smartcard chips they use in sims and...."

        "Jesus fuck, man, that sounds expensive! We mail out those cards, sometimes unsolicited and pre-activated to poorly validated addresses, like goddamn candy. If your next scheme involves a per-card hardware cost, you might as well go pack your desk, to save security the trouble..."

        "Well, we could just change the software and add a scary-looking sc
      • The advantage is if you drop your card and a crackhead steals it. It's not security.. it's more just a roadblock for very basic theft. Fraud and more complicated stuff isn't actually prevented by it.

    • Re:Get the chip (Score:5, Insightful)

      by fuzzyfuzzyfungus ( 1223518 ) on Tuesday July 13, 2010 @04:35PM (#32893330) Journal
      There is one unpleasant downside to "chip & PIN"...

      While it is certainly more secure than mag stripe, the various issuing institutions, at least in Britain, have tried to use this to argue that theft/skimming losses should now be the fault of the "negligent" customer, rather than their problem.

      I have nothing against better security, I do have a problem with better security being tarted up as evidence that no intrusion could possibly have occurred without the connivance of the customer.
      • Re:Get the chip (Score:5, Informative)

        by Zouden ( 232738 ) on Tuesday July 13, 2010 @05:48PM (#32893974)

        Not since November 2009. [wikipedia.org] The banks are now required to prove the customer was at fault.

        • Good that the situation was legally rectified(for the moment); but an illustration of the problem.

          They, successfully, used the technological change to pass the buck for a number of years, until outrage and the law eventually caught up with them. Clearly, since the law had to force their hand, their intention was to keep the buck passed forever.

          Given the, er, robust state of American democracy, and its laudable freedom from corruption and corporate influence at all levels, I for one am certain that thi
      • Re:Get the chip (Score:5, Interesting)

        by Insightfill ( 554828 ) on Tuesday July 13, 2010 @05:52PM (#32894018) Homepage

        ...the various issuing institutions, at least in Britain, have tried to use this to argue that theft/skimming losses should now be the fault of the "negligent" customer, rather than their problem.

        Yes, Slashdot covered a similar case [slashdot.org] a few years ago. "Stolen car!? That's impossible with our current state-of-the-art RFID keys! You must have negligently left your keys where someone could take them; no insurance for you!"

    • by Mashiki ( 184564 )

      The chip isn't secure. We're already seeing cases in Canada where chipped cards are being copied.

  • by kryptKnight ( 698857 ) on Tuesday July 13, 2010 @04:08PM (#32893092)
    Since none of the articles linked to by the summary felt it was relevant to mention what these skimmers actually look like, here's an article from Consumerist [consumerist.com].
    • These skimmers are in the pump. You won't see anything different in the appearance of the pump.
    • by whoever57 ( 658626 ) on Tuesday July 13, 2010 @04:35PM (#32893328) Journal

      Since none of the articles linked to by the summary felt it was relevant to mention what these skimmers actually look like, here's an article from Consumerist.

      That's an ATM skimmer, which are different to gas pump skimmers. Because the attackers don't have access to the inside of the ATM, everything is done by sticking gizmos on the outside of the ATM. With gas pumps, I don't think there are any signs that a user can see that a skimmer has been installed -- it's all internal to the gas pump.

      • The article mentioned shim attacks, which I took to mean a mini-reader stuck into the real reader. Are they comming in pretending to be maintenance and getting to crack open the pump that way?
  • What we need to do is make every debit and credit card use something like an RSA Secure ID token and make the user type in the pseudo random synced 6 digit code for every purchase. And then allow only one transaction for a card in that ~1 minute timeframe that the code is valid.

    That would cut down on 99.99% of all opportunity for credit card fraud. You would either need the card/token on hand or have the algorithm and enough instance data to derive the key through brute force means.

    The only downside to this

    • by Burdell ( 228580 )

      The problem with RSA tokens is that the system doesn't scale. I have two credit cards, an ATM/debit card, several bank website logins, etc. I don't want those accounts tied together for security and privacy, and I certainly don't want to carry around a half-dozen tokens. Also, doesn't RSA claim a patent on the token setup (so they'd be a sole-source and raise costs across the board)?

      • by Big Boss ( 7354 )

        Embed the token into the cards. They don't have a significant cost these days, and it would make the cards significantly more secure. Yes, it makes the cards more expensive than a piece of plastic and a magstripe, but really, it's not THAT much. Particularly when amortized over all the cards in circulation.

        If you're going that far, you could also include the PIN entry keypad on the card and use a secure link to make it nearly impossible for an attacker to get your PIN via the capture device.

        And, if designed

      • by jjhall ( 555562 )

        I already carry an RSA device with me for my PayPal account's online access. It has a serial number on it which links my particular device back to the algorithm and seed to generate the numbers. Why would it not be feasible for me to enter that serial number into my banks' systems so I have a single OTP that works for all of my cards? It would take some massive cooperation between the card companies to do so, but it sure would give them some nice good-will towards their customers.

        And before we head dow

    • if my touchscreen cellphone can't keep synced to my wall clock (+/- 1 minute) I wouldn't bet much on something stuck into a cheap card managing it reliably.

    • Credit/debit companies make money on volume. They balance a certain level of fraud against the ease of obtaining credit. Thats why there is pin-less debit and signature-less credit below certain threshholds.
  • If the system was designed in such a way as to allow the generation of 1 time keys, instead of an embedded 16 digit number, this wouldn't be a problem. This could have been fixed 10 or maybe even 20 years ago... but we have the lowest possible cost system in place, and fraud is just a cost of business instead of a crime.

  • by flaming error ( 1041742 ) on Tuesday July 13, 2010 @04:32PM (#32893298) Journal

    Interesting that this "insight from the banking industry" doesn't seem to indicate the banks have any responsibility for the problem.

    There once was a time that people took their money to the bank for safekeeping. I think banks have partly weaseled themselves out of the security side of the business, and what used to be called "bank robbery" they now call "identity theft." Which works ok for the bank, seeing how it's the customer who lost the money and it must have been the customer's fault, or the gas station's, or the POS equipment vendor's.

    The bank, which should act like a watchdog, portrays itself as something of an innocent bystander.

    • Re: (Score:3, Informative)

      by mandelbr0t ( 1015855 )
      No, an individual card issuer does not have any responsibility, nor should they. It is the responsibility of the financial network to mandate minimum security requirements of each card issuer, and all terminals under their control. (e.g. Interac, Cirrus, Visa). It is only the card issuer's responsibility to adhere to the policy set out by their network.
    • by fuzzyfuzzyfungus ( 1223518 ) on Tuesday July 13, 2010 @05:26PM (#32893736) Journal
      Sinclair said: "It is difficult to get a man to understand something, when his salary depends upon his not understanding it!"

      When dealing with PR flacks, their salary depends on you not understanding it, which is likely even worse...
  • ATMs (Score:3, Interesting)

    by Y-Crate ( 540566 ) on Tuesday July 13, 2010 @05:24PM (#32893708)

    After several years of being told by banks to watch out for large plastic attachments to ATM card slots, I've noticed that an increasing number of bank-owned ATMs now have them as a part of their design. The simple, flush-mounted card slot on a grey plastic / metal bezel is now giving way to a protruding translucent green plastic bulge on grey plastic / metal bezel.

    Which makes less than zero sense.

    They look fake as can be, especially when paired with a slightly older ATM with the more sensible slot.

    Now, one might argue that the crazy card slots are a great theft deterrent because they preclude the attachment of a skimmer, but they also make it impossible for the machine to snap up a stolen card, nor do they really look legitimate enough to give the user peace of mind.

  • by Megane ( 129182 ) on Tuesday July 13, 2010 @05:26PM (#32893734)

    I used to write code that talked to gas pumps, and I can tell you that most pumps take the same key for the printer door, a different same key for the terminal (Gilbarco CRIND/Wayne CAT) door, and I think another same key for the pump control door. That's the same keys for the entire model run of a pump, and maybe for more than one model, unless maybe a big oil chain installs a different same key. Even then, they're those round locks like the ones that some laptop cables use that can be picked with a part from a Bic pen. (Presumably they're better made than the laptop cable locks.)

    The card data is sent up to the station's control computer directly, usually both track 1 and track 2 data. I don't think it would be hard to insert a skimmer behind the door, whether a second mag reader head, or just splice the wires from the card reader. Or even rig the station control computer if you have access to that. (For that matter, all the card numbers may end up in a log file on that computer.)

    There's not much danger of a pin pad skimmer, however, because in the US, PINs are protected by each pinpad having a master key injected into RAM before shipping to the site. They are potted in epoxy and have a memory kill switch if you attempt to open them. This works differently from the European system, which is why the US hasn't had to go to "chip and pin". The PIN is encrypted in the pad, the pinpad's serial number is attached, and the result is only decrypted by the card clearing house computers, which have a list of all the decryption keys. Even if the guy who ran the station was doing the skimming, debit PINs couldn't be skimmed and still work properly. But that's just debit. Credit cards don't have a PIN.

    So unlike ATM skimmers, they could definitely hide the skimmer behind the door, but they would still need a camera of some sort to capture the PINs. Fortunately most gas pump terminals have a relatively flat front, so they can't just hide the camera on a different part of the panel.

  • by esme ( 17526 ) on Tuesday July 13, 2010 @06:29PM (#32894306) Homepage

    The local paper (Gainesville Sun) had a picture of the skimmer on the first day it was found:

    http://www.gainesville.com/article/20100707/ARTICLES/100709681 [gainesville.com]

    Basically it looks like a thin bundle of electrical tape attached to the wire between the magstripe reader and the circuit board inside the gas pump -- completely hidden inside the pump cabinet unlike ATM skimmers.

    -Esme

  • by Securityemo ( 1407943 ) on Tuesday July 13, 2010 @06:45PM (#32894392) Journal
    Where does this stuff come from? I've seen gear like this on sale on Russian underground sites, together with custom trojans etc..., but if it comes from inside the states couldn't you just nab the problem at the source?
  • by Browzer ( 17971 ) on Tuesday July 13, 2010 @07:01PM (#32894462)

    A link http://www.networkworld.com/community/blog/newest-attack-your-credit-card-atm-shims?t51hb&hpg1=mp [networkworld.com] in the original story, entitled "Newest Attack on your Credit Card: ATM Shims" has some interesting information:

    "The shim needs to be extremely thin and flexible. In fact it must be less than 0.1mm"

    "The shim is inserted using a "carrier card" that holds the shim, inserts it into the card slot and locks it into place on the internal reader contacts."

    "Once inserted, the shim is not visible from the outside of the machine. The shim then performs a man-in-the-middle attack between an inserted credit card and the circuit board of the ATM machine."

    "flexible shims are recently being mass produced and widely used in certain parts of Europe"

    "Diebold released five new anit-skimming protection levels for its ATM devices june 1st 2010...Unfortunately, none of these helps with the shim skimming attack. That problem has yet to be solved mechanically yet."

  • Virtual # writer (Score:4, Insightful)

    by hedley ( 8715 ) <hedley@pacbell.net> on Tuesday July 13, 2010 @07:05PM (#32894502) Homepage Journal

    How about a way to magstripe the virtual # you get from Citi or equiv. Basically, you program the card before use at the station with a fresh virtual#. So, skim away! I couldn't care less if they skimmed a virtual#.

    Or have a $75 limit on the card and only use it for gas.

As you will see, I told them, in no uncertain terms, to see Figure one. -- Dave "First Strike" Pare

Working...