U.S. Secret Service Issues Warning to Gas Pump Skimmer Operators

Discussion in 'HardForum Tech News' started by cageymaru, Nov 26, 2018.

  1. Skillz

    Skillz [H]ard DCOTY 2017

    Messages:
    21,749
    Joined:
    Aug 14, 2004
    Damn, learn something new every day.
     
  2. aaronspink

    aaronspink [H]ard|Gawd

    Messages:
    1,802
    Joined:
    Jun 7, 2004
    Also many dispensers aren't fully alarmed and keys have always been easy to duplicate or pick. If they are actually using CH751, then lol (for those that don't know, this isn't a type of key, but a specific pre-cut key that is used for cost cutting reasons by stupid manufacturers who want the appearance of a lock without any of the security of a lock).
     
  3. aaronspink

    aaronspink [H]ard|Gawd

    Messages:
    1,802
    Joined:
    Jun 7, 2004
    All of these use one or more variations of the encrypted chip + pin systems and are fully resistant. As a reminder, these are already OTA protocols and therefore by design had to be hardened from skimming.
     
    Anemone likes this.
  4. Tsumi

    Tsumi [H]ardForum Junkie

    Messages:
    12,994
    Joined:
    Mar 18, 2010
    Blame the manufacturers of the hardware for delaying implementation. Apparently they can't agree on a common protocol or some other BS.

    That is exactly what is happening. A duopoly charging $5000 for things that should cost $50. As for why there isn't more competition... I would wager it's the exact same reason why internet monopolies exist. The regulations make it prohibitively expensive to enter the market, especially in California.

    Gas station operators do not make a lot of money. Credit card charges are about 3%, which at $3 a gallon is 9 cents. When the typical margin on gas is 20-30 cents a gallon, 9 cents a gallon is a significant part of your profits. At best we're making a middle class living.
     
  5. Oldmodder

    Oldmodder Gawd

    Messages:
    679
    Joined:
    Aug 24, 2018
    Too much hassle using a card Vs using cash.
    Shopping, I often notice that the person before me paying with a card takes longer than me paying with cash and not even having my wallet ready when it's my turn.
    I only have a card to shop online, but I did have a skimmer scanner on my phone at one time just to see if I could find a device, which I couldn't as I pretty much use the same gas station over and over.
     
    Seelenlos and Armenius like this.
  6. WhoMe

    WhoMe Gawd

    Messages:
    827
    Joined:
    Jan 3, 2018
    I was thinking more of the big guys (the drillers and refiners) than franchise or independent owners. But anyway by your figure they are making more from me since the discount is $.05/gal (off of about $3.60). And er totally coincidentally the two stations here always have the same price and same discount (and they were investigated for that).
     
  7. Tsumi

    Tsumi [H]ardForum Junkie

    Messages:
    12,994
    Joined:
    Mar 18, 2010
    Cash is king for more reasons than one.

    The discount is area dependent. Here in California, the typical discount is 10 cents and can even be higher in certain areas.
     
  8. WhoMe

    WhoMe Gawd

    Messages:
    827
    Joined:
    Jan 3, 2018
    I am in CA :) but very rural often highest gas in the state though not just now as that seems to be in SoCal. Maybe the local stations just bought at the right time for once ;). But with two stations there isn't much competition. Of course if anyone tried skimming here they'd probably get caught fast (hey whose car is that across the street? Never seen it before, maybe just take a pic or two...).
     
  9. Patton187

    Patton187 Gawd

    Messages:
    670
    Joined:
    Feb 12, 2012
    Well take the Pepsi challenge on infrastructure....mostly.
     
  10. dreadcthulhu

    dreadcthulhu [H]Lite

    Messages:
    122
    Joined:
    Apr 10, 2017
    Armenius likes this.
  11. ccityinstaller

    ccityinstaller 2[H]4U

    Messages:
    4,022
    Joined:
    Feb 23, 2007
    I always checked the pumps in the past when I pumped my own gas. Sadly, here in OR you have to pay more money so that someone can pump it for you (it is illegal to pump your gas unless you live in one of the eastern counties with less than 50K residents, which is just stupid AF) and it costs more money at every station to use a CC by $.10~15.

    Because of these facts, we usually try to buy gas only at Costco or the local Fred Meyer.
     
  12. lightsout

    lightsout Gawd

    Messages:
    869
    Joined:
    Mar 15, 2014
    Ha Grants Pass resident here.

    I assume we are less prone to this sort of thing. Unless the skimmer was an employee or maybe put it on at night during off hours.
     
  13. Seventyfive

    Seventyfive [H]ard|Gawd

    Messages:
    1,346
    Joined:
    Jul 14, 2004
    My sister is a lawyer at a prepaid credit card company and basically said to never use your physical card if they offer apple or android pay. When you use one of the NFC phone payment systems, it creates a unique encrypted session ID for that one charge so even if someone copied it, it would be useless to have the info. Also it is 100x faster than the chip.

    She said the chips are going to get hacked soon too so don't rely on that either. I believe her.
     
    Anemone, Armenius and SticKx911 like this.
  14. TAP

    TAP Limp Gawd

    Messages:
    236
    Joined:
    Mar 29, 2016
    Meanwhile Wall Street made $6mil through insider trading and stock manipulation using HFT in the time it took the secret service to take their morning dump.
     
  15. likeman

    likeman Gawd

    Messages:
    606
    Joined:
    Aug 17, 2011
    The simpler fix is to just disable pay at pump until they can get chip and PIN (very stupid to allow mag swipe at the pump anyway; never seen pay at pump in the EU until we had chip and PIN). Most places don't take contactless for over £30 (or whatever it is in the USA, if they even have it).

    Also, that stupid woman at the end of the video: did you see what she did when she pulled the nozzle out? She emptied what was left in it on the floor. Don't do that; empty it into your car and then lift it out.
     
  16. likeman

    likeman Gawd

    Messages:
    606
    Joined:
    Aug 17, 2011
    Apart from once when some banks goofed by making chip and PIN token generation use increments of 2-4s every time a transaction was used (so 1004, 1006, 1008 and so on) and some people's accounts were being emptied; the token should be randomly generated (that was fixed, but that was a bank issue, not the chip EMV itself, as the bank made it insecure by doing something stupid). We've been using chip and PIN in the EU/UK for over 10 years and it has not been an issue.

    I never use a normal mag swipe card in the USA, credit card only, as then it's not my issue if you won't bother to move to chip and PIN within 5 years.

    It's a 5 year process, as I have posted before:
    All newly issued cards have chip and PIN EMV support (no chip and sign rubbish) with mag on there still (even my card has swipe, but I have to give a lot of info to the card machine and possibly make a call to my bank to use it).
    Over 5 years merchants will have replaced their machines or enabled it on their current card reader (most merchants will already have an EMV supported card reader; it's just disabled by your stupid card machine companies that sold it to you so they can sell it to you as an extra cost when it's already there).
    After 5 years you flip the switch to make EMV mandatory (you try to swipe and it forces you to insert and PIN). Shops can actively reject cards if people use the "my chip and PIN does not work" excuse or they intentionally broke it (they normally have another card).

    the people who will reject this are generally older mom and dad people, but it does not last and they accept it
     
  17. Armenius

    Armenius I Drive Myself to the [H]ospital

    Messages:
    17,390
    Joined:
    Jan 28, 2014
    I just use cash every time I get gas.
     
  18. omegatotal

    omegatotal Gawd

    Messages:
    672
    Joined:
    Mar 15, 2002
    I don't like having to wait forever at the pump. I liked the idea of the Mobil Speedpass till it got hacked, as it was easy to copy the basic RFID info they put out.

    What we need is a complete overhaul of how the systems are processing data since in this age there is no need for someone in some back office to stamp ok on the transaction like banks used to.

    With algorithms, banks are already doing proactive fraud protection (BOA blocks unusually high transactions at places you don't normally go to, if ever, and if you buy gas in Orlando, FL it won't let you buy a TV from Walmart in Miami, FL 2 hours later because they know you won't make it that far in that amount of time w/o flying a Cessna into the parking lot at the Miami Walmart)...

    And if you did, it's a 2-3 minute call, or a reply to a text message, and you are good to go.

    For reference, the flight time from Orlando to Miami is about 1:10 w/o the security checks, so best case is about 2 hours from a gas station to a Walmart if you include driving and check-in/etc.

    There is no reason a bank can use an app on a cell phone, automated text service, or automated call to help confirm if a charge made a huge distance or over the normal amount is legit BEFORE authorizing it at the other end..

    This effectively removes the need for the complicated and slow transaction process of chip/EMV AND puts the account holder in control as they can literally give someone else the card number/details and if it stands out to the bank, they can still approve that transaction...



    It's possible with some simple hackery on the remote end. Gotta keep the skimmer low power and hidden, but you can put a massive antenna in a van across the highway and probably still get into it. Same idea as long range wifi links with old Dish Network satellite dishes.
     
    Anemone likes this.
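
The travel-time check described in the post above, as an added example that is not part of the original post: it flags a card-present purchase that implies an impossible ground speed or an unusually large amount, and asks the cardholder to confirm (step-up) instead of declining outright. The thresholds, the `Txn` type and the sample transactions are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, inf, radians, sin, sqrt

# Assumed tuning values for this illustration; an issuer would calibrate them.
MAX_GROUND_KMH = 130.0   # fastest plausible sustained travel by car
SAME_PLACE_KM = 1.0      # location jitter to ignore
AMOUNT_FACTOR = 5.0      # flag charges above 5x the cardholder's typical spend


@dataclass(frozen=True)
class Txn:
    when: datetime
    lat: float
    lon: float
    amount: float
    merchant: str


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points given in degrees."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = p2 - p1, radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def implied_speed_kmh(prev, cur):
    """Speed the cardholder would need to be present at both purchases."""
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    if dist <= SAME_PLACE_KM:
        return 0.0
    # abs() tolerates records that arrive out of order.
    hours = abs((cur.when - prev.when).total_seconds()) / 3600.0
    # Two distant purchases with the same timestamp cannot both be card-present.
    return dist / hours if hours > 0 else inf


def review(prev, cur, typical_amount):
    """Return (decision, reasons); 'step_up' means confirm by text/call first."""
    reasons = []
    if implied_speed_kmh(prev, cur) > MAX_GROUND_KMH:
        reasons.append("impossible_travel")
    if typical_amount > 0 and cur.amount > AMOUNT_FACTOR * typical_amount:
        reasons.append("unusual_amount")
    return ("step_up" if reasons else "approve"), reasons


# Constructed sample data: city-centre coordinates, invented amounts and times.
GAS_ORLANDO = Txn(datetime(2018, 11, 26, 12, 0), 28.5384, -81.3789,
                  38.50, "gas station, Orlando FL")
TV_MIAMI_2H = Txn(datetime(2018, 11, 26, 14, 0), 25.7617, -80.1918,
                  649.00, "Walmart, Miami FL")
LUNCH_MIAMI_5H = Txn(datetime(2018, 11, 26, 17, 0), 25.7617, -80.1918,
                     22.00, "diner, Miami FL")

if __name__ == "__main__":
    for cur in (TV_MIAMI_2H, LUNCH_MIAMI_5H):
        print(cur.merchant, review(GAS_ORLANDO, cur, typical_amount=45.0))
```
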
  19. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    Messages:
    28,023
    Joined:
    Oct 29, 2000

    Chip transactions don't have to be slow. I know many implementations are, but that's just because they are poor implementations.

    Target used to have a pretty bad implementation. The wait when using their chip system was LONG. As of a few weeks ago though, my local Target has upgraded. Chip transactions are super fast. No wait at all.

    Personally I don't trust any of the Apple/Google/Samsung phone pay systems. Now that is just a disaster waiting to happen if you ask me, especially considering how infrequently most OEMs patch their phones for security.
     
  20. aaronspink

    aaronspink [H]ard|Gawd

    Messages:
    1,802
    Joined:
    Jun 7, 2004
    Actually, the phone systems are pretty robust. The reality is that the actual ones liable for the transactions trust the phone implementations more than many of the POS models (the phone systems are using the more secure versions of the protocols well beyond what most of the POS chip systems are using). I think you are vastly overestimating the POS security people.
     
    Anemone likes this.
  21. omegatotal

    omegatotal Gawd

    Messages:
    672
    Joined:
    Mar 15, 2002
    doesn't really matter, it uses your real card only for setup, then the bank/card backer generates a digital only card for contactless payments that has different numbers. and generally its faster than even the fastest chip setup I have run into, the problem is support from the retail/processor is pretty terrible these days even tho the basic tap and pay tech has been around for so fucking long (amex/visa/mc had it like 13 years ago)


    yeah most POS systems are just running windows... I have seen companies that literally ship out a dell box with web/java/sql point of sale software loaded on top of a standard windows install... and then there are the people that have to support them.. probably keeping the logins simple to allow for people who have no tech/computer skills access for getting support via a phone call..
     
  22. rudy

    rudy [H]ardForum Junkie

    Messages:
    8,577
    Joined:
    Apr 4, 2004
    I am surprised at how many people in this thread seem to go to great lengths to try and avoid this. I am not going to use a different credit card or any of that. I just swipe or whatever at most pumps. It's the job of the retailer and the credit processors to get their ducks in a row and keep their systems clean, and if they don't, well, it's up to them to decide what is worth it. A lot of people mentioned that they should just force everyone to chips. Let's make it real simple: the USA is the world leader in credit; despite what people think, the most credit is given and used here. The reality is all those small gas pump operators who don't have chip readers are still accepting swipes because the credit companies are still making money off them. If the fraud was causing them to lose money they would incentivize them to upgrade in such a way it would be worth it. So clearly they have determined the losses they take are acceptable enough for them to keep doing it, and that goes for a lot of places and even things like PayPal here and Square.
     
  23. aaronspink

    aaronspink [H]ard|Gawd

    Messages:
    1,802
    Joined:
    Jun 7, 2004
    That speed difference will always be true. Beyond the fact that the actual readers are pretty substandard hardware, there is the issue that lots of the protocol runs on the card chip. OTOH, the phones have massive processing power, even an order of magnitude more on their secure enclave than the card chip has.

    Also, at least in the Bay Area, Apple Pay has pretty good penetration at things like corner stores, etc. Most actually prefer Apple Pay over everything else as they pay less with it.
     
    Anemone likes this.
  24. Tsumi

    Tsumi [H]ardForum Junkie

    Messages:
    12,994
    Joined:
    Mar 18, 2010
    1. It's not that we don't want to upgrade the pumps to chip readers, it's that we can't.
    2. Most of the time we get forced to pay the fraudulent charges.
    3. The credit card companies don't pay for the upgrades to the readers. We do.
     
    SticKx911 likes this.
  25. tangoseal

    tangoseal [H]ardness Supreme

    Messages:
    7,295
    Joined:
    Dec 18, 2010
    You can do that with a yagi antenna on the receiving device and sit 50 meters away.

    Easy
     
    Nasty_Savage likes this.
  26. c3k

    c3k 2[H]4U

    Messages:
    2,094
    Joined:
    Sep 8, 2007
    How about 20 years of hard labor for anyone engaged in these scams? Buying, using, selling, whatever. Dry up the market...
     
    LightsOut41 likes this.
  27. likeman

    likeman Gawd

    Messages:
    606
    Joined:
    Aug 17, 2011
    The phone way is more secure as it's token based. After the phone has been set up you get a virtual card number (not your real one) and 5 offline tokens that are stored in the TPM chip of the phone. The 5 tokens get topped back up every time you unlock your phone, as long as you don't use fingerprint to unlock your phone on Android; if you do, after the 5th go it will force PIN to get new tokens. This does not seem to happen on Pixel phones, and with Apple phones you have to use the fingerprint or PIN to allow any payments to begin with, so there is no requirement to use PIN (unless you have no data, then the 5-times use still applies when you have no data).

    And anyway, you're not liable for the loss anyway if contactless is used.

    Debit and credit card contactless uses a static RFID, so you have to replace the card if they somehow work out how to clone the RFID (with iOS or Android, the phone/card reader is actively authenticated before it lets the token be passed on over NFC, so there is nothing to clone when the Android screen is off or the Apple phone is not unlocked; even if there is, the phone is not likely going to give away the token, and if it does, it invalidates it after a very short time if it's not used, and they can't take more than the max allowed anyway).

    chip and pin cards work like contactless tokens where they use tokens after the correct pin is entered, the card reader at no point sees your card info so there is nothing to skim
     
    Anemone likes this.
  28. likeman

    likeman Gawd

    Messages:
    606
    Joined:
    Aug 17, 2011
    Why do you even accept mag at paypump anyway then? Just disable it. You must be making a killing if you're accepting the loss at the pump.
     
  29. Tsumi

    Tsumi [H]ardForum Junkie

    Messages:
    12,994
    Joined:
    Mar 18, 2010
    We would lose probably 50% of our customers if we don't, if not more. We would love to force people to come inside every time, because they're more likely to buy snacks and drinks, and we actually do have a chip reader inside. Unfortunately, that can't happen. We don't make a killing, we make enough to cover the occasional fraud. Fortunately it doesn't happen often in our area.
     
    SticKx911 likes this.
  30. omegatotal

    omegatotal Gawd

    Messages:
    672
    Joined:
    Mar 15, 2002
    This is why I have a separate spending and bills card/account, and a PayPal account/card tied to those as well, so if one card is copied, I have another card for a few weeks and they won't screw up my bills account, preventing the extra frustration.

    So I only ever swipe one card while out, if for some reason there aren't any contactless options.

    Doesn't matter what contactless payment system is in use, what makes it faster, is the lack of prompting questions at the terminal and inconsistent process for choosing 'credit' when many gas stations offer cash back, or default to asking for pins.

    With the contactless options, it just runs as credit instantly and takes all of 10 seconds to process most times, whereas a chip+pin can take a minute sometimes.


    Gas stations never make shit for profit on pumps, it's all the stuff in the store.

    They would lose more money if they did this vs the shrink(loss) from fraud/chargebacks because people would remember a store wouldn't take payments at the pump and effectively never go there, unless you are that one store at the corner of the neighborhood and the next closest one is 5 mi+ or 10min+ away
     
    Tsumi likes this.
  31. likeman

    likeman Gawd

    Messages:
    606
    Joined:
    Aug 17, 2011
    No, it's the part where it's actually processing the transaction that is slow on some card readers that have chip and PIN, because they did not use a broadband option to do the transaction (2G GSM connect on demand or, worse, phone dial-up that can take some time to do; the 2G one is not too bad as long as it actually connects on demand correctly).

    If it supports contactless it typically requires a constant connection but can be run in offline mode if the card company supports it, but the transaction is not verified until the end of day ~not recommended~ (3G or Ethernet/Wifi, least ISDN/ADSL broadband), so the transaction will be processed right away, 1-3 seconds, and most of that will be the till delay. Chip and PIN requires verification.

    If it's going slow it's the first one, and they should replace their card machine and get one that runs on 3G (if it's a standalone card machine) or an Ethernet connection (standalone or till system).
     
  32. Tsumi

    Tsumi [H]ardForum Junkie

    Messages:
    12,994
    Joined:
    Mar 18, 2010
    We have a chip reader connected to Ethernet, always on. The chip reader takes 30 seconds to 1 minute to authenticate. On the same chip reader with Apple Pay, the transaction was literally instantaneous.
     
  33. Anemone

    Anemone Gawd

    Messages:
    892
    Joined:
    Apr 5, 2004
    Gas is the one place where I have trouble getting Apple Pay to work but I'll have to give it a more careful try. I use it almost everywhere because the banks themselves prefer it as a transaction type - in part because it is more secure. And it just keeps growing everywhere. CVS started taking it a short while back for example. I simply "try it first" everywhere, making it clear to the seller that it (or something similar in the Android/Samsung space) is what I'd prefer to use. I think they are even trying to make it useful for bank machines as well - which is another gigantic area of weakness. Even getting cash as a "solution" introduces another set of weaknesses.
     
  34. likeman

    likeman Gawd

    Messages:
    606
    Joined:
    Aug 17, 2011
    Then something is set up wrong. Once you press enter after the PIN has been entered it's the same time as contactless; it's more or less the same system. It should take no longer than 5 seconds if it's actually an online card reader (30 sec - 1 minute sounds like dial-up time; maybe the payment processor is doing the dial-up at their end for chip and PIN, which would be a stupid way to do it, or you have dial-up there). Chip and PIN is token based like contactless and NFC pay (Samsung/Apple/Google Pay).

    Unless they are doing contactless/magswipe in offline mode so transactions are verified like the old mag swipe card system at end of day (some 2G contactless readers I have observed are operating in this way in the UK, as they instantly take the token and don't bring the GPRS data up to verify it till end of banking has been done or someone else does a chip and PIN transaction).
     
    Last edited: Dec 3, 2018
  35. Tsumi

    Tsumi [H]ardForum Junkie

    Messages:
    12,994
    Joined:
    Mar 18, 2010
    Takes approximately 15-30 seconds to authenticate the chip. Swiping and Apple Pay are significantly faster, authentication is only a few seconds.
     
  36. omegatotal

    omegatotal Gawd

    Messages:
    672
    Joined:
    Mar 15, 2002

    Actually it is a combination of the POS, the pinpad, and the Internet.. If I use my watch in the same subway as my chip card, its roughly 3 times faster with the watch.

    If I do the same test at a gas station, inside, where they offer cash back, and I'm paying attention for the prompts it can be 3-5 times faster to use my watch....
    It can easily be as short as 10 seconds from the time the cashier hits 'credit' and I get my receipt using my watch vs like a minute for a chip card(when I even have the chip card touching the slot)...

    Let's not even get started on the pinpad/POS vendors that won't let you swipe/insert/tap your payment method until after the cashier hits 'charge' and the pinpad receives the data from the slow ass 486 POS via a 300 baud data line /s
     
  37. omegatotal

    omegatotal Gawd

    Messages:
    672
    Joined:
    Mar 15, 2002
    A. we aren't in the UK

    B. The only 'time' that matters is the time from when we insert/tap/swipe the payment method to getting an approved message/receipt. as customers this is important.

    /end
     
  38. likeman

    likeman Gawd

    Messages:
    606
    Joined:
    Aug 17, 2011
    Still silly, it should not take that long. The card reader shows right away from the moment you press card on the till and it's more or less instant after the PIN is used (in UK/EU).

    If it supports contactless, chip and PIN should be the same speed after the PIN is entered; taking longer than 5 seconds would be annoying.
     
    omegatotal likes this.