U.S. Secret Service Issues Warning to Gas Pump Skimmer Operators

Discussion in 'HardForum Tech News' started by cageymaru, Nov 26, 2018.

  1. cageymaru

    cageymaru [H]ard as it Gets

    Messages:
    19,817
    Joined:
    Apr 10, 2003
    The U.S. Secret Service has launched Operation Deep Impact to crack down on gas pump skimmer operations. These cyber-criminals insert an illegal card reader device into gas pumps with the intent to 'skim' the credit card numbers of unwary consumers purchasing gas. The devices use Bluetooth so the criminal never has to come back to retrieve the stolen data. The thieves use the purloined credit card credentials to purchase expensive items online or sell the numbers on the black market. The U.S. Secret Service estimates that it has prevented $6 million in damages from skimming operations this holiday season so far.

    Fueling stations are a prime target for this type of crime due to the high volume of customers and the criminal's ability to install the devices and recover the stolen data undetected. Because today's gas pumps are typically unattended, developing suspects and making arrests in skimming cases is difficult, but not impossible. The Secret Service is leading the charge to protect U.S. consumers against this growing cyber-enabled financial crime.
     
    sgrinavi likes this.
  2. mysticdrew

    mysticdrew [H]Lite

    Messages:
    122
    Joined:
    Nov 22, 2005
    I always give a good tug on the card reader before putting my card in. Guess I will also check for bluetooth signals for the readers that are inside the pump.
     
    MavericK, Armenius and Esso like this.
  3. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    Messages:
    28,654
    Joined:
    Oct 29, 2000
    Just chip enable the damned pumps, and this problem goes away permanently.

    I can't wait until the magnetic strip is permanently removed from all cards.
     
    Last edited: Nov 26, 2018
  4. Nasty_Savage

    Nasty_Savage [H]ardForum Junkie

    Messages:
    15,256
    Joined:
    Mar 19, 2001
    Did they upgrade Bluetooth to transmit over long distances? They HAVE to at least be within a certain proximity at least to retrieve the data or come back to retrieve the skimmer
     
    MavericK, Kinestron, Armenius and 5 others like this.
  5. cyclone3d

    cyclone3d [H]ardForum Junkie

    Messages:
    13,106
    Joined:
    Aug 16, 2004
    I'm sure body checking the pump to enable it is going to go over real well LOL.

    Guessing you meant "chip" and not hip.
     
    Dayaks, scojer and Zarathustra[H] like this.
  6. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    Messages:
    28,654
    Joined:
    Oct 29, 2000
    yes.
     
  7. MV75

    MV75 [H]ard|Gawd

    Messages:
    1,025
    Joined:
    Nov 13, 2007
    Screw every other card skim / phish / scam, there's government fuel tax money to protect!
     
    auntjemima and uberjon like this.
  8. M76

    M76 [H]ardForum Junkie

    Messages:
    9,704
    Joined:
    Jun 12, 2012
    Illegal card reader.

     
  9. SticKx911

    SticKx911 2[H]4U

    Messages:
    2,224
    Joined:
    Mar 14, 2004
    This is very cost prohibitive to the operator. A lot of private operators would go under instead convert. Hense all the delays. I can get technical if anyone cares.
    Also, all card readers have swipe as a fallback so the chip reader won’t matter as they’d still get the strip info.

    As someone who is in the industry and has seen some awesome advances in skimmer prevention...I rarely use my card outside at a pump. There are dozens of types and depending on the operations ability to monitor the inside of a dispenser, you’d never have an opportunity to see it.

    If you are set on using a card outside. Get a credit card ONLY for gas. It’s easier to monitor and if you have to cancel it, it’s not an inconvenience to change bill pay or whatever is tied to it.
     
    Armenius likes this.
  10. DrLobotomy

    DrLobotomy [H]ardness Supreme

    Messages:
    6,460
    Joined:
    May 19, 2016
    Knowing this is and has been an issue for a while I always go to my bank and withdraw cash and keep it on me for all gas purchases and anywhere I may think a skimmer might be such as shady non English speaking shop owners etc.

    I know you cant be 100% safe using a card but you can avoid the obvious risks.
     
    Armenius, Liver and Makaveli@BETA like this.
  11. iNViSiGOD

    iNViSiGOD Gawd

    Messages:
    596
    Joined:
    Apr 16, 2002
    I'll just keep going inside to pay for my gas.
     
    Armenius and Patton187 like this.
  12. YeuEmMaiMai

    YeuEmMaiMai [H]ardForum Junkie

    Messages:
    15,419
    Joined:
    Jun 11, 2004
    they are going to have to do it soon as VISA/MC will no longer accept fraud claims from non chip reading devices... those guidelines were in 2015

    https://www.creditcards.com/credit-card-news/understanding-EMV-fraud-liability-shift-1271.php
     
    Armenius likes this.
  13. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    Messages:
    28,654
    Joined:
    Oct 29, 2000
    I am actually curious. I don't understand why this would cost so much, when the likes of Square sells chip card readers for like $40 a pop. Sure, there is more to it for a gas pump, but still. It seems like someone is overinflating costs here, and trying to rip gas operators off...
     
    LightsOut41 likes this.
  14. SticKx911

    SticKx911 2[H]4U

    Messages:
    2,224
    Joined:
    Mar 14, 2004
  15. SticKx911

    SticKx911 2[H]4U

    Messages:
    2,224
    Joined:
    Mar 14, 2004
    Most CC data is transmitted over lines designed back when dial up was a thing. A CC # is cheap and easy to transmit inside for processing.
    Emv would be crazy slow. Running cat 6 plus networking dispensers isn’t a small endeavor. Slowly operators have been moving to more technical dispensers so the hardware outside is capable. But those are to the tune of 10 to 20 grand a pop depending on if they’re upgradable or having to replace. Emv card readers are nearly grand a piece. Just for the reader.
    There are retro kits coming out to utilize the old phone line style data lines, but there are only 2 major players in gas dispensers so they can charge whatever they want for it.

    Edit. Side rant. with the chip reader, card readers cannot be cleaned of debris or the emv pins will short or break so if someone sticks paper or forgets to take the glue off, the whole thing has to be replaced and sent back in hopes the mfg will give core credit and repair. (Again only 2 companies so they don’t give a F)
     
    omegatotal likes this.
  16. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    Messages:
    28,654
    Joined:
    Oct 29, 2000

    Sounds like there is an opportunity for someone to come in and really shake up this market undercutting the existing players.
     
    Armenius and LightsOut41 like this.
  17. Glock24

    Glock24 [H]Lite

    Messages:
    122
    Joined:
    Jan 2, 2005
    How come the card skimming devices use Bluetooth? Maybe it's cellular data instead of BT? If it's BT, then the devices have to connect to another nearby device to transmit the data, and that other device must have some kind on internet connection.
     
  18. drescherjm

    drescherjm [H]ardForum Junkie

    Messages:
    14,527
    Joined:
    Nov 19, 2008
    No internet is needed during the transfer. A thief can walk into the store and get the data from the pumps or just walk down the street.
     
  19. Glock24

    Glock24 [H]Lite

    Messages:
    122
    Joined:
    Jan 2, 2005
    And the article states "
    The devices use Bluetooth so the criminal never has to come back to retrieve the stolen data." as if BT was a long range communications protocol, but in reality you get like 20-30m range tops with line of sight.
     
  20. drescherjm

    drescherjm [H]ardForum Junkie

    Messages:
    14,527
    Joined:
    Nov 19, 2008
    Maybe they meant the criminal did not have to retrieve the device out of the pump to obtain the data.
     
    Armenius, Nasty_Savage and SticKx911 like this.
  21. termite

    termite [H]ardness Supreme

    Messages:
    4,884
    Joined:
    Aug 27, 2004

    20-30m is all you need to park across the street, out of view of any cameras. Or drive up to the pump get gas read the skimmer and take off.

    Gas pumps make a great target because most gas station owners and the attendant are not going to go and check the readers. Best case the state inspector sees it when they do their yearly inspection. Banks actively check their ATMvs pretty regularly.

    Also the good readers will sit inside the card slot, and fit well enough againt the exterior that just grabbing it and pulling it would pass the majority of the publics checking the pump.
     
    Armenius and Nasty_Savage like this.
  22. Nasty_Savage

    Nasty_Savage [H]ardForum Junkie

    Messages:
    15,256
    Joined:
    Mar 19, 2001
    Yeah thats more likely. Shitty writers are shitty
     
  23. oldmanbal

    oldmanbal 2[H]4U

    Messages:
    2,066
    Joined:
    Aug 27, 2010
    Most business owners already shudder at the costs of CC transactions they get the bill for. Running more secure transactions with encrypted data and additional checks/steps isn't going to lower those fees. I know a lot of people ONLY use their credit cards on site like amazon, and won't use it for anything else. Do these same people research what stores they are using them at, and avoid all the stores that have ever been effected by credit card breaches? No.
     
  24. Night_Hawk-19

    Night_Hawk-19 Gawd

    Messages:
    764
    Joined:
    Jun 20, 2004
    Easy to detect. Turn on your bluetooth on your phone see if signal comes up. If it does dont use.
     
  25. geok1ng

    geok1ng 2[H]4U

    Messages:
    2,132
    Joined:
    Oct 28, 2007
    The last time i swiped a card in Brazil my VGA was a geforce 5200.:rolleyes:. Guess USA are not the tech leaders on all fields...
     
  26. zkostik

    zkostik Gawd

    Messages:
    929
    Joined:
    Sep 17, 2009
    Pretty much what I always say, just use a separate credit card for such purchases and online. NEVER use debit card. As for scams, they happen all the time but banks offer a no liability on scam transactions. So pretty much if you monitor your card, it's extremely easy to dispute of get a new card should the info leak out. Some banks offer virtual card which is good for one purchase which is very handy and helps around vendors that just save your CC info anyway or keep it for longer than they should. It recall at some point there were horizontal readers where head moves over the card strip no you physically insert it and move over the herd. But like you said, it is very expensive for vendors to implement so they likely won't unless mandated by some law. Much easier to be smart about your card use and monitor them than be paranoid as physical skimming is a much lower risk than hacking of a vendor site where millions of records are stolen.
     
  27. Nasty_Savage

    Nasty_Savage [H]ardForum Junkie

    Messages:
    15,256
    Joined:
    Mar 19, 2001
    Does it come up ‘I steals your shiznat’ in the device manager?
     
    drescherjm, Compddd, dvsman and 3 others like this.
  28. jedijeb13

    jedijeb13 Limp Gawd

    Messages:
    302
    Joined:
    Feb 15, 2017
    I use the best solution, my card stays maxed out so if anyone steals the number and tries to use it they get a rejection notice for anything over about $30 :p
     
  29. WhoMe

    WhoMe Gawd

    Messages:
    827
    Joined:
    Jan 3, 2018
    I always pay cash, saves me about $1 / fill up. Not a big deal since I don't drive much, but WTF they make enough money anyway.
     
    Seelenlos and Armenius like this.
  30. dvsman

    dvsman 2[H]4U

    Messages:
    2,850
    Joined:
    Dec 2, 2009
    Does anyone know if you use Samsung / Android / Apple Pay whether you will face the same vulnerability? If not, maybe we should all switch to those?
     
    Anemone and SticKx911 like this.
  31. nutzo

    nutzo [H]ardness Supreme

    Messages:
    7,380
    Joined:
    Feb 15, 2004
    I almost always buy my gas at Costco, they have Costco seals on the reader slot/pump, so it would be obvious if it's tampered with.
     
    Compddd likes this.
  32. WhoMe

    WhoMe Gawd

    Messages:
    827
    Joined:
    Jan 3, 2018
    I'd have to drive an extra 60miles to get gas at Costco. But sounds like a reasonable thing to do (I mean sealing the slot).

    edit for clarity
     
  33. dvsman

    dvsman 2[H]4U

    Messages:
    2,850
    Joined:
    Dec 2, 2009
    Around me, my usual gas places still charge the same cash / credit, so no point in paying cash if you can collect points or cash back or whatever while getting gas but I'm glad to see the somebody doing something about this scam.
     
  34. SvenBent

    SvenBent 2[H]4U

    Messages:
    3,147
    Joined:
    Sep 13, 2008
    Need to stop supporting magnetic stripe it will reduce the reward from card skimmers tremendously.
     
  35. SticKx911

    SticKx911 2[H]4U

    Messages:
    2,224
    Joined:
    Mar 14, 2004
    a lot of card skimmers now are no longer outside skimmers. they either fit in the mag swipe slot or are stuffed in the dispenser. 99% of retailers never change the locks on the dispenser and are still using the stock factory key...(made up the 99% based on observation. I do not have proof of that. CH751 is a very common key and it is the default lock on at least one brands dispenser)
     
    Last edited: Nov 26, 2018
  36. WhoMe

    WhoMe Gawd

    Messages:
    827
    Joined:
    Jan 3, 2018
    And using Password as their password?
     
  37. Wolf_Tech

    Wolf_Tech Limp Gawd

    Messages:
    226
    Joined:
    Sep 19, 2010
    Yep Happened to me in NY skimmer got my card. We all have chip readers in Canada so no skimming at all. USA really needs to get rid of magnet strips.
     
  38. Zardoz

    Zardoz 2[H]4U

    Messages:
    3,251
    Joined:
    Aug 27, 2000
    I stopped paying at the pump a long time ago. I know I been skimmed in the past and they have found at least 3 times skimmers at the pumps in the area about 3 times last year.

    I now pay inside chip or use phone. people need to stop swiping at the pump.
     
    Armenius likes this.
  39. Skillz

    Skillz [H]ard DCOTY 2017

    Messages:
    21,999
    Joined:
    Aug 14, 2004
    Why is this the Secret Services job?
     
  40. SticKx911

    SticKx911 2[H]4U

    Messages:
    2,224
    Joined:
    Mar 14, 2004
    Armenius, Gamerdad and Laowai like this.