Visa Warns That Hackers Are Scraping Card Details From Gas Pumps (engadget.com)
Visa has issued a statement warning consumers that cybercriminals are actively exploiting a weakness in gas station point-of-sale (POS) networks to steal credit card data. Engadget reports: The company's fraud disruption teams are investigating several incidents in which a hacking group known as Fin8 defrauded fuel dispenser merchants. In each case, the attackers gained access to the POS networks via malicious emails and other unknown means. They then installed POS scraping software that exploited the lack of security with old-school mag stripe cards that lack a PIN code.
The hack doesn't appear to affect more secure chip-and-pin cards, but not all consumers have those, so service stations often work with mag stripe readers, too. The data is apparently sent in an unencrypted form to the vendor's main network, where the thieves have figured out how to intercept it. The other problem is that the POS systems aren't firewalled off from other, less critical parts of the network, allowing thieves to gain lateral access once the network is breached. There's not much cardholders can do to avoid the attacks, but Visa has advised fuel merchants to encrypt data while it's transferred or use a chip-and-PIN policy.
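The summary above describes POS scraping software pulling unencrypted mag stripe data off the merchant's network. The following is an added example, not code from the article, from Visa or from any of the commenters, showing what that data looks like and how a responder (or the scraper itself) finds it: it scans a byte buffer such as a process memory dump or a serial capture for ISO 7813 Track 2 records, keeps only PANs that pass the Luhn check, and decodes the service code, whose first digit says whether the card carries a chip and whose third digit says whether the issuer requires a PIN. The sample buffer and the 4111... test PAN are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// TrackHit is one Luhn-valid Track 2 record found in a buffer.
type TrackHit struct {
	Offset      int
	PAN         string
	Expiry      string // YYMM as encoded on the stripe
	ServiceCode string
	HasChip     bool // service code 2xx or 6xx: an IC is present on the card
	PINRequired bool // service code xx0 / xx3 / xx5: PIN verification required
}

// track2Re matches the ISO 7813 Track 2 layout: ;PAN=YYMMSSS<discretionary>?
// PAN is 13-19 digits, '=' is the field separator, ';' and '?' the sentinels.
var track2Re = regexp.MustCompile(`;(\d{13,19})=(\d{4})(\d{3})(\d*)\?`)

// luhn reports whether a digit string passes the Luhn mod-10 check.
func luhn(digits string) bool {
	sum := 0
	double := false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// ScanTrack2 walks an arbitrary byte buffer and returns every Track 2 record
// whose PAN passes Luhn; this is the same filter a scraper applies to cut
// false positives, so a detector gets the same set the attacker would.
func ScanTrack2(buf []byte) []TrackHit {
	var hits []TrackHit
	for _, m := range track2Re.FindAllSubmatchIndex(buf, -1) {
		pan := string(buf[m[2]:m[3]])
		if !luhn(pan) {
			continue
		}
		sc := string(buf[m[6]:m[7]])
		hits = append(hits, TrackHit{
			Offset:      m[0],
			PAN:         pan,
			Expiry:      string(buf[m[4]:m[5]]),
			ServiceCode: sc,
			HasChip:     sc[0] == '2' || sc[0] == '6',
			PINRequired: sc[2] == '0' || sc[2] == '3' || sc[2] == '5',
		})
	}
	return hits
}

// mask keeps the first six and last four digits, the usual display form.
func mask(pan string) string {
	if len(pan) < 10 {
		return pan
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

func main() {
	// Constructed sample "memory": noise plus two Track 2 records. The first
	// uses the well-known 4111... test PAN (Luhn-valid, service code 201 =
	// international, chip present, no PIN requirement); the second PAN fails
	// Luhn and must be dropped.
	sample := []byte("\x00\x01junk;4111111111111111=2512201123456?more" +
		"\x7f;4111111111111112=2512101000000?tail")
	for _, h := range ScanTrack2(sample) {
		fmt.Printf("offset=%d pan=%s exp=%s sc=%s chip=%v pin=%v\n",
			h.Offset, mask(h.PAN), h.Expiry, h.ServiceCode, h.HasChip, h.PINRequired)
	}
}
```

The service code is what makes the stolen stripe usable: a 1xx or 5xx code tells the attacker the card has no chip, so a clone will swipe cleanly, while a 2xx or 6xx card only swipes where the terminal allows fallback, which is exactly the window the October 2020 liability shift discussed below is meant to close.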
Crap network design (Score:4, Insightful)
I haven't worked with PCI stuff in a while, but I do recall the need to properly segment AND firewall your PCI network from everything else.
Even if not though...wow, talk about incompetence. You should always segment even medium sized networks, if only to limit the damage a breach can do.
Re: (Score:2)
Indeed. Lowest skill and insight was at work here. The reason why you separate your payment network is exactly this. The attack was apparently exceptionally easy to do ("malicious email") and then the attackers were in. Apparently one of the many IT installations that only did not get hacked in the past because nobody halfway competent tried.
Huh? (Score:2)
Re: (Score:1)
TFA doesn't say "chip-and-pen", just "chip", though I guess that might have been changed after the story was submitted.
Re: (Score:2)
Re: (Score:2)
Considering the signature is usually on a touch screen, you are more right than you know.
Re: Huh? (Score:2)
Re: (Score:2)
I wonder if this "advice" is centered around older debit cards?
Re: (Score:1)
What the fuck are you talking about? My card has a chip and I have to input a PIN for almost every transaction I do. I am in the USA. I've had that for well over half a decade.
Re: (Score:2)
You have a debit card, which uses a PIN. In the US, only a handful of banks, none of them major, issue credit cards that have a profile requiring a PIN, whereas in most of the rest of the world, Chip-and-PIN is ubiquitous.
A major difference is that in the US, the liability for fraudulent transactions falls on the merchant or the card issuer, not on the card user. It is different elsewhere.
Re: (Score:2)
Really, I once had a fraudulent transaction on my statement. I rang up my credit card company and disputed the transaction (aka not me). They issued me with a new card and told me over the phone my new adjusted bill that I needed to pay, and send out a replacement bill.
That was over a decade ago in the UK. I believe it is the same in the rest of the EU.
Why is visa warning customers? (Score:2)
What is my granny expected to do?
Re:Why is visa warning customers? (Score:5, Insightful)
She is supposed to hand over $20 per month to the financial industry for some kind of protection scheme that may or may not protect her from the incompetence of the financial industry, obviously.
Re: Why is visa warning customers? (Score:2)
People are moderating this insightful, it's a joke.
Identity protection services don't have anything to do with fraudulent transactions or card skimming, and are not even provided by the financial services industry. LifeLock is owned by Norton. You know, the anti virus company...
And financial institutions already have to pay for fraud transactions. Believe it or not, they pay a LOT for fraud prevention systems - or... fraud. They don't have any incentive to lose money to fraud. If they spend their entir
Re: (Score:3)
She could pay cash for gas like she used to do. What a nightmare!
BAD ADVICE from VISA ! (Score:2)
seriously bad advice from visa...
NEVER use a PIN unless in a situation where you're sure the terminal is legitimate... pretty much only an ATM (and even then I would exclude a large majority of them)
always tap since it uses rolling codes
if you use a PIN often they record the entry and get your mag stripe details which means they can use an ATM...
would love to know who at VISA gave out this advice ?
Re: (Score:2)
The pin pad is supposed to be potted, with a key injected into battery-backed RAM. At least in the US, the pin pad (both on the pumps and inside the store) is supposed to encrypt with a key that was installed by whoever does the credit clearing for the site. Unless the bad guys have a camera set up (they do happen), they can't get the PIN. The really important part now is having a chip reader, because the chip has its own rolling codes. The difference is that you still need to enter a PIN with the chip, in
Re: (Score:2)
Yeah, thing about that: the keypad is only secure when it is used to input a PIN, not for other reasons. So hackers have always put it in unencrypted mode, displayed an error message when you enter your PIN the first time and then harvested it, then put it in encrypted mode for the retry. They've been doing that with ATMs for at least a decade now.
But, yeah, it's time for magstripes to go. Anyone know when the deadline is? I know there was a carveout for gas pumps, but it was just an extension.
Lack of physical security (Score:2)
Re: Lack of physical security (Score:2)
Re: (Score:2)
The smarter companies put tamper stickers over the main door. (Printer paper is a separate door, usually with a common key, and shouldn't let you reach anything else inside.) That's the main reason why skimmers and cameras exist.
And the main door isn't just about skimmers, they could mess with the pump configuration too, which is completely separate from the card terminal. They could, say, make it report an incorrect dispensed fuel quantity, which might not be noticed unless someone looks at the mechanical
Re: (Score:2)
Ah, yes. And if the device detects that it will both lock the cash unit and call the police. I have seen such a response (somebody rammed a trashcan next to the ATM), triggering the sensors.
Re: (Score:2)
It depends on how sophisticated the ATM is. Some ATMs have zero security in this regard, other than physical protection of the cash box (since here in the US, most ATM thefts are mindless addicts with crowbars, as opposed to something deliberate.) Others actually have cash boxes with relocking mechanisms that are triggered by glass plates or signals from the electronics. Most have a circuit going to an alarm zone on the building, at least for the safe, but some have multiple zones, one for the electronics,
Re: (Score:2)
It does. But the amount of cash in the machine also varies wildly. I got a look at that some years back when doing a related security analysis. A lone, free-standing ATM somewhere may have as little as 5k in it while a highly frequented one (here, they often place 2 or even 3 in such locations) may have 50k and more in it. Usually they do not put in more, instead the ATM calls for more cash and a security company delivers that. That was a while ago, but I doubt procedures have changed much or are massively
Re: (Score:1, Offtopic)
Yup, take 10-15 buses to get from where I can afford to live to where I work.
Obviously can't telecommute because they stuffed us into that open floor plan for some office synergy bullshit.
I agree 100% that's the modern world.
Re: (Score:2)
I haven't been to a gas station in over 6 months since I bought my EV. Just in time I guess.
It's all about the PINs (Score:5, Informative)
I used to write code to talk to gas pumps 20 years ago, and I don't think much has changed with the way card readers and pin pads work since then. Basically your swiped card mag stripe data is pretty much in the clear, whether with a skimmer or over the RS-485 comms for the terminal side (as opposed to the pump side; pump data goes over a different link). The pin pad, for those designed for debit (US credit doesn't use PINs), which is going to be all of them these days, are potted and have an injected battery-backed crypto key that only the bank end knows. Or at least that's how it's supposed to work. The pin pad, when put into PIN entry mode, encrypts it internally, and that is sent up to the bank. This is how it was 20 years ago, and I doubt it has changed much.
So that means the main problems are credit cards having no PIN, and cameras or overlays to capture key strokes for debit cards. Quite a few years ago the credit transactions all started asking for your billing zip code (all numeric here, sorry Europe and Canada!) and I presume that gets encrypted as the pin. It's something that a skimmer wouldn't know, even though it's a relatively public number.
And then there's chip cards, but they would require replacing the card reader, an upgrade to the terminal firmware for chip support, and maybe the main board too if it didn't already have a chip reader port. Then there's the user side, where users are used to a quick swipe. I've only encountered one chip reader in a pump so far, maybe two years ago, and it asked me to leave the card in the reader during fueling.
They then installed POS scraping software that exploited the lack of security with old-school mag stripe cards that lack a PIN code.
And this clearly why they ask for your zip code now, because it goes through the encryption process just like a PIN. I mostly only go to Walmart/Sam's Club pumps (FYI, I think Walmart stations are usually Murphy), but I'm sure there are a lot of small-time stations which aren't using the zip code trick and are quite vulnerable to exposure. TFA also sounds like they may be getting the info from the POS system, from people who pay inside with a card. Of course if they can find a way to use the info somewhere with only the stripe data, fraud could still happen. Do note that the POS system still needs to know the card number, so that it can identify different credit networks and gift cards, as well as possibly specially-coded maintenance cards.
Earlier this year, Visa announced that fuel merchants must deploy chip readers by October 2020. After that, any service stations without the new tech will be liable for any fraud. The problem is, many such businesses have very old technology and must replace the entire pump at an estimated cost of up to $250,000 per station.
They should only need to replace the card reader and maybe the keypad too if they already have a terminal in the pumps. If they're using older pumps that don't have a terminal, then they may indeed have to replace everything. It should be interesting to see the scramble to replace millions of card readers in ten months, because I haven't seen any evidence of it happening yet other than one test site.
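The comment above describes the one part of the pump that is supposed to be opaque to a scraper: the potted PIN pad encrypts the PIN under its injected key before anything reaches the POS controller. As an added example (not code from the comment, from Visa or from any PIN pad vendor) of that path: the PIN is laid out as an ISO 9564-1 format 0 PIN block, which XORs it with the twelve rightmost PAN digits, and the 8-byte block is then TDES-encrypted inside the pad; the host side decrypts and unpacks it. The 16-byte key and the 4111... test PAN are constructed for the example, and a real pad would use a per-transaction DUKPT key rather than a static one.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// pinField builds the 8-byte ISO 9564-1 format 0 PIN field:
// nibble '0' (format), nibble = PIN length, the PIN digits, then 'F' padding.
func pinField(pin string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 {
		return nil, errors.New("PIN must be 4 to 12 digits")
	}
	for i := 0; i < len(pin); i++ {
		if pin[i] < '0' || pin[i] > '9' {
			return nil, errors.New("PIN must be numeric")
		}
	}
	s := fmt.Sprintf("0%X%s", len(pin), pin)
	for len(s) < 16 {
		s += "F"
	}
	return hex.DecodeString(s)
}

// panField builds the 8-byte PAN field: "0000" followed by the twelve
// rightmost PAN digits, excluding the Luhn check digit.
func panField(pan string) ([]byte, error) {
	if len(pan) < 13 {
		return nil, errors.New("PAN too short")
	}
	return hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
}

// FormatPINBlock returns the clear format 0 block: PIN field XOR PAN field.
// The XOR is what binds a block to one PAN.
func FormatPINBlock(pin, pan string) ([]byte, error) {
	pf, err := pinField(pin)
	if err != nil {
		return nil, err
	}
	xf, err := panField(pan)
	if err != nil {
		return nil, err
	}
	block := make([]byte, 8)
	for i := range block {
		block[i] = pf[i] ^ xf[i]
	}
	return block, nil
}

// tdesCipher accepts a 16-byte (two-key, K1 K2 K1) or 24-byte TDES key.
func tdesCipher(key []byte) (cipher.Block, error) {
	if len(key) == 16 {
		key = append(key[:16:16], key[:8]...)
	}
	return des.NewTripleDESCipher(key)
}

// EncryptPINBlock is what the PIN pad does on its own injected key; the POS
// controller only ever sees the 8 bytes this returns.
func EncryptPINBlock(key, block []byte) ([]byte, error) {
	c, err := tdesCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out, nil
}

// DecryptPINBlock is the host/HSM side: decrypt, remove the PAN field,
// validate the format 0 layout and return the PIN. A block decrypted against
// the wrong PAN fails the padding check instead of yielding a PIN.
func DecryptPINBlock(key, enc []byte, pan string) (string, error) {
	c, err := tdesCipher(key)
	if err != nil {
		return "", err
	}
	clear := make([]byte, 8)
	c.Decrypt(clear, enc)
	xf, err := panField(pan)
	if err != nil {
		return "", err
	}
	for i := range clear {
		clear[i] ^= xf[i]
	}
	h := hex.EncodeToString(clear) // 16 lowercase nibbles
	n := int(clear[0] & 0x0F)
	if h[0] != '0' || n < 4 || n > 12 || h[2+n:] != strings.Repeat("f", 14-n) {
		return "", errors.New("not a format 0 PIN block for this PAN")
	}
	pin := h[2 : 2+n]
	if strings.Trim(pin, "0123456789") != "" {
		return "", errors.New("PIN block contains non-decimal digits")
	}
	return pin, nil
}

func main() {
	// Constructed key and the well-known 4111... test PAN (assumptions).
	key, _ := hex.DecodeString("0123456789abcdeffedcba9876543210")
	pan := "4111111111111111"
	block, _ := FormatPINBlock("1234", pan)
	enc, _ := EncryptPINBlock(key, block)
	fmt.Printf("clear block: %x\nencrypted:   %x\n", block, enc)
	pin, err := DecryptPINBlock(key, enc, pan)
	fmt.Println("host recovers PIN:", pin, err)
}
```

A scraper on the POS host sees only the encrypted bytes, which is why the comment's distinction matters: the stripe rides over RS-485 in the clear while the PIN is already ciphertext by the time it leaves the pad.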
Re:It's all about the PINs (Score:4, Interesting)
Earlier this year, Visa announced that fuel merchants must deploy chip readers by October 2020. After that, any service stations without the new tech will be liable for any fraud. The problem is, many such businesses have very old technology and must replace the entire pump at an estimated cost of up to $250,000 per station.
When given the choice between upgrading to chip readers that actually prevent fraud or installing video terminals that play advertisements to generate even more money, you know all these jack asses added the revenue generating video while complaining that it would cost too much money to install chip readers.
Idiots.
Re: (Score:3)
Re: (Score:2)
The majority of gas pumps I see with color TV screens playing ads, also include a chip reader. There is 1 I can think of that doesn't have the chip reader, which I think was installed ca. 2008, before the cards were really deployed.
The bigger issue for me with the new pumps is not being able to run my card as credit. My card works both ways, but they force a debit transaction, potentially exposing my PIN to scrapers. Also with debit I don't have the protection of being able to reverse the transactions. I
Re: (Score:2)
As for credit vs debit, I took my debit card out of my wallet just over a year ago. It is all credit cards now:
6% cash back at grocery stores with Amex
5% cash back at gas stations (including food inside) with Sams Club Mastercard
3% cash back on travel and dining with Sams Club Mastercard
3% cash back on online purchases with Bank of
Re: (Score:2)
Re: (Score:2)
I wonder what a spring loaded center punch would do?
Re: (Score:1)
European here! When using my Amex I can use my European 4-digit ZIP code successfully if I pad a zero at the beginning, so like 01234. The letters of my ZIP can be ignored.
And yeah, I have a PIN, which I do have to use in most other places, except restaurants for some reason. In some places like in Puerto Rico I had to use the merchant terminal to input the PIN instead of the customer terminal. Which forced me to actually say my PIN out loud to a merchant who was behind glass, en Español.
Someone told m
Re: (Score:2)
VISA/MC resist anything that might reduce transaction fees, as they make their money on legitimate and fraudulent transactions. The banks don't want PINs because of the customer support overhead and the chaos of rolling them out to the millions of Americans who simply would be stumped by needing a PIN for their credit card.
I'm not sure about whether the banks worry about fraud much, they usually charge that back to merchants (when customers complain at all). I don't know what PINs do to alleviate merchant
Re: (Score:2)
European with a numeric-only ZIP here. It doesn't work either. Neither does using the "debit" option and entering the PIN. It just gets rejected.
Compared to paying using Google Pay / NFC over here, using U.S. gas stations feels like a tour back in time...
Or . . . (Score:4, Insightful)
There's a much safer way to pay for gas which absolutely, positively ensures your card will never be compromised. It's quite radical which is why only myself and a few others use it, so it's probably not for everyone.
Pay. With. Cash.
Re: (Score:2)
Pay. With. Cash.
But then I have to go and interact with a human. The horror!
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
I can top that - I drive an EV. So unless I want junk food or to use the bathroom, I have no need to go to a gas station.
Re: (Score:2)
I can top that - I drive an EV. So unless I want junk food or to use the bathroom, I have no need to go to a gas station.
Excellent point. I don't own one but probably will eventually.
In the next 10-15 years as electrics start to take over, what are the gas stations going to do as demand goes down for fuel?
Re: (Score:2)
Almost nobody has chip and PIN in the US (Score:2)
Most of us have chip by now, but still chip and signature which is asinine. Chip and PIN is pretty much standard throughout the rest of the world. The stupid US banks.
Re: (Score:1)
As of April 2018 the major credit card companies no longer require (i.e., care about) signatures. If they're being required, it's by the individual companies we deal with. They probably just haven't bothered to update their POS terminals.
Re:Almost nobody has chip and PIN in the US (Score:4, Insightful)
Gas pumps these days usually require your zip code as a PIN for credit sales. I remember when I first saw it many years ago, I tried to be a wise guy and entered 00000. My card got locked right away and I had to call to get it reset. So they really do check it, and I'm rather certain it gets encrypted too. Why is the zip code not stupid? Skimmers don't know who you are or where you live, and it's a number you know that isn't on the card... just like a PIN.
Re: (Score:1)
This is kind of worthless in small towns with one or two zipcodes. It might stop someone from using your card if you lost it while traveling, but otherwise this does nothing other than waste our time.
Worse yet, most of the stations have rewards programs that require a PIN already. Why they can't skip the zip code part when I've already verified myself with my rewards card is also stupid.
Re: (Score:2)
Re: (Score:2)
I've heard arguments that "users get annoyed at typing in a PIN and the process takes too long" but I'm not sure I agree with that. Entering a 4 digit PIN for any purchase over 25 Euro is not, in fact, a hassle. It's a reassurance that someone out there is trying to prote
Re: (Score:2)
Even better is to hold my phone to the reader and payment is completed in no more than 2 seconds without a PIN. It's already at most places in the US and everywhere when I visited Australia.
Re: (Score:2)
In 2015, there was a mandate to move to chip-and-PIN by all merchants, otherwise they would accept liability for all credit card fraud. However, this was relented, and retailers don't really care to make the move unless forced to.
Ideally, all cards would be contactless, similar to Visa's cards, and there would be some more pay methods rather than Apple/Google/Samsung Pay.
Re: (Score:2)
Skimmers don't know who you are or where you live, and it's a number you know that isn't on the card... just like a PIN.
They don't? Surely the majority of customers for a station that's not right off the interstate are in the local zip code?
Gas Station Skimmers (Score:5, Interesting)
Skimmers and underpaid employees are why I carry cash.
While some will tell me this is downright stupid in 2019, I seriously get tired of dealing with the hassle.
It usually goes something like this:
I either get a call from the bank asking if I'm currently trying to purchase $500 in Diesel fuel or I get a text message in the middle of the night congratulating me on my new subscription to Bacon Wrapped Euro Fetish Porn or something similar. ( Or my new $random_item purchase off of $random_website ). Instant text alerts on any purchase are your friend here. . . . .
I then have to tell the bank to cancel the card ( again ), wait for the new one to arrive, then update all the bills that are setup to auto-bill to the card every month. My record is one week. I had a new chip card exactly one week before it was compromised :|
Gas pump skimmers and / or shady wait-staff are usually to blame. My rule of thumb is simple: Gas stations are cash, period. Restaurants and anywhere my card leaves my sight are also cash only as well.
Thus, I carry enough cash on me now to cover a full tank of gas and / or my meals for the day if I'm out and about.
Re: (Score:3)
Skimmers and underpaid employees are why I carry cash.
While some will tell me this is downright stupid in 2019, I seriously get tired of dealing with the hassle.
It usually goes something like this:
I either get a call from the bank asking if I'm currently trying to purchase $500 in Diesel fuel or I get a text message in the middle of the night congratulating me on my new subscription to Bacon Wrapped Euro Fetish Porn or something similar. ( Or my new $random_item purchase off of $random_website ). Instant text alerts on any purchase are your friend here. . . . .
I then have to tell the bank to cancel the card ( again ), wait for the new one to arrive, then update all the bills that are setup to auto-bill to the card every month. My record is one week. I had a new chip card exactly one week before it was compromised :|
Gas pump skimmers and / or shady wait-staff are usually to blame. My rule of thumb is simple: Gas stations are cash, period. Restaurants and anywhere my card leaves my sight are also cash only as well.
Thus, I carry enough cash on me now to cover a full tank of gas and / or my meals for the day if I'm out and about.
Holy carp, where do you live/shop? I've been using cards for everything (including gas) forever and have never once had one compromised.
Re: (Score:2)
Re: (Score:2)
You are not wrong.
I do a lot of animal rescue transport in my spare time. I have to carry a lot of cash anyway in case of a veterinary emergency along the way (some more rural emergency vets only take cash for the initial admission), so if I do need diesel fuel I also buy it with cash. I used to have a card that I used only for rescue trips (which also helped manage deductions) but it would get skimmed at least once or twice a year.
One time I actually saw an employee at the Wendy's on I-85 exit 106 in South
Re: (Score:3)
Skimmers and underpaid employees are why I carry cash.
Mod up.
Yea, I'm right there with you and for the same reasons, in addition to, I find if I use cash instead of cards, I spend less.
I love the feeling of giving someone a $20 and knowing:
1. It isn't tracked
2. I know how much is still in my wallet
3. No concern for 'skimming' or any other digital shenanigans
Thank heaven for electric cars (Score:3)
Yet another reason I am glad that I drive an electric car.
No need (Score:2)
I'm so glad I live in a country where you're not expected to pay at the pump - you fill up, go into the shop/kiosk, pay there, then head on your way.
Re: (Score:2)
Laziness (Score:2)
Re: (Score:1)
I'm convinced that US card companies have decided not to assign PINs to credit cards because it would lower customer spend more than it would lower the $ amount of fraud.
Another problem may be that if VISA decides to do this, MC and Amex might not follow, and people would start preferring to use MC/Amex cards...
Re: (Score:2)
Re: (Score:2)
Visa could make it an option - then the security-conscious would prefer Visa, and the idiots would still default to "easy mode". Where's bravery when you need it? Nowhere in finance, apparently.
Don't use that bank debit card (Score:3)
Per usual I will log on to my credit card accounts & keep an eye on them for fraud. If there is a problem, I call them, get a new account number & they stop the transactions. I suppose the vendor gets screwed. However, not so fast with a bank debit card. I stopped using them years ago for anything but using the bank's ATM to get cash or make a deposit. No such protections from the bank because the money is already gone. Once the transaction is completed, the vendor has their money.
What's this about a pin? All my cards have a chip. Most vendors (not gas stations) have chip readers now. I never made a pin for any cards as it's only needed for getting cash advances, one of the more stupid ways to borrow money. So chip-and-pin is not a thing in my part of the world.
These gas stations obviously need chip readers. A friend of mine has a takeout restaurant & was slow to get the chip readers. After a few transactions where fraud was claimed (he did not get paid) he got new countertop chip readers ASAP. Getting these for gas pumps is likely quite pricey.
Yesteryear's News (Score:1)
This has only been a thing for at least a decade. Visa is now just "discovering" this?
I Only go to Stations with Google / Apple Pay (Score:2)
We have skimmer problems in my area... my usual cautions were to 1) never use a debit card so if I got ripped off I wouldn't be out money while I wait on resolution, and 2) always use a pump within easy view of the station employees, the thought being the ones farther away and out of view would be the most likely hit by skimmers.
And then some stations began supporting mobile payments through Google / Apple / Samsung Pay... no card to skim and no PIN for a camera to pick up, so I mostly go to those now. The
Re: (Score:2)
I do this too. I wish there were more NFC payment systems than just GPay/Apple Pay/Samsung Pay.
NFC systems make this whole circus about chip and PIN, chip and signature, swiping, skimming, card present all absolutely pointless. Of course, nothing is 100% secure, but it raises the bar to attackers requiring more sophisticated circuits which have to be in a very close physical proximity to the reader and doing active MITM attacks, as opposed to just slurping some numbers for use later.
Re: (Score:2)
Costco pumps are the least likely to be skimmed. There's always lots of people and there is an attendant at the pumps not 50 feet away in a building.
I will never... (Score:2)
Austin, TX (Score:2)
Re: (Score:2)
The only pumps I use in Austin are the ones with NFC authentication. If you look around, almost no pumps have a security seal, and what is left is either peeled off or just slit, perhaps taped over to make it look like it still is intact.
To boot, why do gas pumps use a cheap, wafer tumbler lock, like what is found on file cabinets and cheap locks? Even the cheapest vending machine at least has a lock on there that is pick resistant, or at least won't wrench out if someone jams a screwdriver in the lock an
What a POS (Score:1)
Re: (Score:2)
3 Fraud Warnings and Canceled Cards in 3 Months (Score:2)
I had 3 Credit Cards canceled due to fraud warnings after visiting gas stations, in particular Chevron gas stations. At the time I couldn't pin down what transactions were causing it but I suspected it was gas. In September, October and November was when it happened. I also visited Chevrons while traveling for Thanksgiving and had no issues so it might only be certain stores, payment processors or something else or they might have fixed the issue..
I should note, at each location I checked for skimmers by pu
Re: (Score:1)
They're not usually externally mounted now. They're inside, on the ribbon cable between the reader and the board. That said, Visa did release two alerts around that time, hackers had compromised two or three fuel vendors' networks and installed malware on the POS system. The malware was sniffing CC#s en-route for auth, apparently.
Let me guess (Score:1)
Software is running on a Windows 95 machine.
It's funny because it's true. I know of a major supermarket chain that used windows 95 until I think it was 2018. Then they switched over to something else.