U.S. Secret Service Issues Warning to Gas Pump Skimmer Operators

cageymaru

Fully [H]
Joined
Apr 10, 2003
Messages
22,062
The U.S. Secret Service has launched Operation Deep Impact to crack down on gas pump skimmer operations. These cyber-criminals insert an illegal card reader device into gas pumps with the intent to 'skim' the credit card numbers of unwary consumers purchasing gas. The devices use Bluetooth so the criminal never has to come back to retrieve the stolen data. The thieves use the purloined credit card credentials to purchase expensive items online or sell the numbers on the black market. The U.S. Secret Service estimates that it has prevented $6 million in damages from skimming operations this holiday season so far.

Fueling stations are a prime target for this type of crime due to the high volume of customers and the criminal's ability to install the devices and recover the stolen data undetected. Because today's gas pumps are typically unattended, developing suspects and making arrests in skimming cases is difficult, but not impossible. The Secret Service is leading the charge to protect U.S. consumers against this growing cyber-enabled financial crime.
 
Just chip enable the damned pumps, and this problem goes away permanently.

I can't wait until the magnetic strip is permanently removed from all cards.
This is very cost prohibitive to the operator. A lot of private operators would go under instead convert. Hense all the delays. I can get technical if anyone cares.
Also, all card readers have swipe as a fallback so the chip reader won’t matter as they’d still get the strip info.

As someone who is in the industry and has seen some awesome advances in skimmer prevention...I rarely use my card outside at a pump. There are dozens of types and depending on the operations ability to monitor the inside of a dispenser, you’d never have an opportunity to see it.

If you are set on using a card outside. Get a credit card ONLY for gas. It’s easier to monitor and if you have to cancel it, it’s not an inconvenience to change bill pay or whatever is tied to it.
 
Knowing this is and has been an issue for a while I always go to my bank and withdraw cash and keep it on me for all gas purchases and anywhere I may think a skimmer might be such as shady non English speaking shop owners etc.

I know you cant be 100% safe using a card but you can avoid the obvious risks.
 
This is very cost prohibitive to the operator. A lot of private operators would go under instead convert. Hense all the delays. I can get technical if anyone cares.
Also, all card readers have swipe as a fallback so the chip reader won’t matter as they’d still get the strip info.

As someone who is in the industry and has seen some awesome advances in skimmer prevention...I rarely use my card outside at a pump. There are dozens of types and depending on the operations ability to monitor the inside of a dispenser, you’d never have an opportunity to see it.

If you are set on using a card outside. Get a credit card ONLY for gas. It’s easier to monitor and if you have to cancel it, it’s not an inconvenience to change bill pay or whatever is tied to it.
they are going to have to do it soon as VISA/MC will no longer accept fraud claims from non chip reading devices... those guidelines were in 2015

https://www.creditcards.com/credit-card-news/understanding-EMV-fraud-liability-shift-1271.php
 
This is very cost prohibitive to the operator. A lot of private operators would go under instead convert. Hense all the delays. I can get technical if anyone cares.

I am actually curious. I don't understand why this would cost so much, when the likes of Square sells chip card readers for like $40 a pop. Sure, there is more to it for a gas pump, but still. It seems like someone is overinflating costs here, and trying to rip gas operators off...
 
I am actually curious. I don't understand why this would cost so much, when the likes of Square sells chip card readers for like $40 a pop. Sure, there is more to it for a gas pump, but still. It seems like someone is overinflating costs here, and trying to rip gas operators off...
Most CC data is transmitted over lines designed back when dial up was a thing. A CC # is cheap and easy to transmit inside for processing.
Emv would be crazy slow. Running cat 6 plus networking dispensers isn’t a small endeavor. Slowly operators have been moving to more technical dispensers so the hardware outside is capable. But those are to the tune of 10 to 20 grand a pop depending on if they’re upgradable or having to replace. Emv card readers are nearly grand a piece. Just for the reader.
There are retro kits coming out to utilize the old phone line style data lines, but there are only 2 major players in gas dispensers so they can charge whatever they want for it.

Edit. Side rant. with the chip reader, card readers cannot be cleaned of debris or the emv pins will short or break so if someone sticks paper or forgets to take the glue off, the whole thing has to be replaced and sent back in hopes the mfg will give core credit and repair. (Again only 2 companies so they don’t give a F)
 
Most CC data is transmitted over lines designed back when dial up was a thing. A CC # is cheap and easy to transmit inside for processing.
Emv would be crazy slow. Running cat 6 plus networking dispensers isn’t a small endeavor. Slowly operators have been moving to more technical dispensers so the hardware outside is capable. But those are to the tune of 10 to 20 grand a pop depending on if they’re upgradable or having to replace. Emv card readers are nearly grand a piece. Just for the reader.
There are retro kits coming out to utilize the old phone line style data lines, but there are only 2 major players in gas dispensers so they can charge whatever they want for it.


Sounds like there is an opportunity for someone to come in and really shake up this market undercutting the existing players.
 
How come the card skimming devices use Bluetooth? Maybe it's cellular data instead of BT? If it's BT, then the devices have to connect to another nearby device to transmit the data, and that other device must have some kind on internet connection.
 
and that other device must have some kind on internet connection

No internet is needed during the transfer. A thief can walk into the store and get the data from the pumps or just walk down the street.
 
No internet is needed during the transfer. A thief can walk into the store and get the data from the pumps or just walk down the street.

And the article states "
The devices use Bluetooth so the criminal never has to come back to retrieve the stolen data." as if BT was a long range communications protocol, but in reality you get like 20-30m range tops with line of sight.
 
And the article states "
The devices use Bluetooth so the criminal never has to come back to retrieve the stolen data." as if BT was a long range communications protocol, but in reality you get like 20-30m range tops with line of sight.


20-30m is all you need to park across the street, out of view of any cameras. Or drive up to the pump get gas read the skimmer and take off.

Gas pumps make a great target because most gas station owners and the attendant are not going to go and check the readers. Best case the state inspector sees it when they do their yearly inspection. Banks actively check their ATMvs pretty regularly.

Also the good readers will sit inside the card slot, and fit well enough againt the exterior that just grabbing it and pulling it would pass the majority of the publics checking the pump.
 
Most business owners already shudder at the costs of CC transactions they get the bill for. Running more secure transactions with encrypted data and additional checks/steps isn't going to lower those fees. I know a lot of people ONLY use their credit cards on site like amazon, and won't use it for anything else. Do these same people research what stores they are using them at, and avoid all the stores that have ever been effected by credit card breaches? No.
 
This is very cost prohibitive to the operator. A lot of private operators would go under instead convert. Hense all the delays. I can get technical if anyone cares.
Also, all card readers have swipe as a fallback so the chip reader won’t matter as they’d still get the strip info.

As someone who is in the industry and has seen some awesome advances in skimmer prevention...I rarely use my card outside at a pump. There are dozens of types and depending on the operations ability to monitor the inside of a dispenser, you’d never have an opportunity to see it.

If you are set on using a card outside. Get a credit card ONLY for gas. It’s easier to monitor and if you have to cancel it, it’s not an inconvenience to change bill pay or whatever is tied to it.

Pretty much what I always say, just use a separate credit card for such purchases and online. NEVER use debit card. As for scams, they happen all the time but banks offer a no liability on scam transactions. So pretty much if you monitor your card, it's extremely easy to dispute of get a new card should the info leak out. Some banks offer virtual card which is good for one purchase which is very handy and helps around vendors that just save your CC info anyway or keep it for longer than they should. It recall at some point there were horizontal readers where head moves over the card strip no you physically insert it and move over the herd. But like you said, it is very expensive for vendors to implement so they likely won't unless mandated by some law. Much easier to be smart about your card use and monitor them than be paranoid as physical skimming is a much lower risk than hacking of a vendor site where millions of records are stolen.
 
Does anyone know if you use Samsung / Android / Apple Pay whether you will face the same vulnerability? If not, maybe we should all switch to those?
 
I always pay cash, saves me about $1 / fill up. Not a big deal since I don't drive much, but WTF they make enough money anyway.

I almost always buy my gas at Costco, they have Costco seals on the reader slot/pump, so it would be obvious if it's tampered with.
 
I almost always buy my gas at Costco, they have Costco seals on the reader slot/pump, so it would be obvious if it's tampered with.
I'd have to drive an extra 60miles to get gas at Costco. But sounds like a reasonable thing to do (I mean sealing the slot).

edit for clarity
 
Around me, my usual gas places still charge the same cash / credit, so no point in paying cash if you can collect points or cash back or whatever while getting gas but I'm glad to see the somebody doing something about this scam.
 
Need to stop supporting magnetic stripe it will reduce the reward from card skimmers tremendously.
 
I almost always buy my gas at Costco, they have Costco seals on the reader slot/pump, so it would be obvious if it's tampered with.
a lot of card skimmers now are no longer outside skimmers. they either fit in the mag swipe slot or are stuffed in the dispenser. 99% of retailers never change the locks on the dispenser and are still using the stock factory key...(made up the 99% based on observation. I do not have proof of that. CH751 is a very common key and it is the default lock on at least one brands dispenser)
 
Last edited:
a lot of card skimmers now are no longer outside skimmers. they either fit in the mag swipe slot or are stuffed in the dispenser. 99% of retailers never change the locks on the dispenser and are still using the stock factory key...
And using Password as their password?
 
Yep Happened to me in NY skimmer got my card. We all have chip readers in Canada so no skimming at all. USA really needs to get rid of magnet strips.
 
I stopped paying at the pump a long time ago. I know I been skimmed in the past and they have found at least 3 times skimmers at the pumps in the area about 3 times last year.

I now pay inside chip or use phone. people need to stop swiping at the pump.
 
Back
Top