Mitigation Fail for Gas Pump Skimmers
In late January we all heard about Bluetooth-enabled credit card skimmers on gas pumps. Since that story broke, I've been seeing some attempts at reassuring the public on this issue - I'm seeing pumps at multiple chains having their card readers taped and initialed.
I suppose they figure crooks don't have red tape, or pens. This really is more to reassure consumers, to say "yes, we do check these once in a while to make sure that your card isn't being skimmed". Though that assumes the person checking can tell a reader cover from a skimmer.
I was surprised also to find that this "breaking story" on skimmers which hit the news in January 2014 was first posted by Brian Krebs way back in 2010 -
http://krebsonsecurity.com/2010/07/skimmers-siphoning-card-data-at-the-pump/
http://krebsonsecurity.com/all-about-skimmers/
... but by the time my brain caught up with whose page I found this on, I wasn't surprised at all.
The main protection we have against skimmers is the moral fortitude of the attendant working at the station. We're depending on that person doing the right thing when faced with a potentially very large bribe. Skimmer operations can easily net tens of thousands per week, or millions in this recent case (https://krebsonsecurity.com/2014/01/gang-rigged-pumps-with-bluetooth-skimmers/). So the risk / reward proposition is a large bribe, often in the tens-of-thousands range, against being apprehended and charged/convicted if the operation is caught before they shut down and move on to the next set of target gas stations.
Please, weigh in using our comment form. I'd be really interested if our readers might have solutions or preventive measures that will work better than the red tape I described in this story!
==============
Rob VandenBrink
Metafore
Comments
Anonymous
Mar 5th 2014
1 decade ago
My name is Alister William Macintyre
I work in the industry that makes that hardware
I am limited by my employer what I may say about what is being done
I can however share some info about that industry, like identifying Gilbarco as #1 there, as a starting point for your independent research into what companies are making hardware attacked by skimmers, and the state-of-art of their efforts to combat vulnerabilities.
Anonymous
Mar 5th 2014
1 decade ago
The hardware, used for credit card attached to gas pump, comes in standard brand name model versions, which should match a standard picture, which a computer can compare. Operator unlocks the gas pumps, shines a cell phone camera at the tangled mess of hardware, wires, etc., sends the picture to a computer, which has access to what brand model version is supposed to be in there, for comparison, to identify any extra additions which should not belong. If any are found, alerts are sent to the police, chain HQ, other places, identifying the GPS of chain location where a suspected skimmer has been found, when.
From Alister Wm Macintyre
Anonymous
Mar 5th 2014
1 decade ago
We have also seen cases with simple theft of cards. One person in the supermarket line behind goes close to the victim, who turns and hides the pin entry from the Romanian, allowing his colleague in crime to lure the PIN from the other side of the supermarket line. Then simple pick-pocket to get the card.
We have also seen security cameras luring PIN, and then the shop says the card does not work, takes it, skims it, and says try again.
Magnetic stripes should be forbidden. It should be chip only like most cards in Europe. More difficult to clone.
Anonymous
Mar 6th 2014
1 decade ago
We have had issues with people parking in vans and recording the pins as they are entered and then stealing the card, but those cases are limited and have not happened in years.
Anonymous
Mar 6th 2014
1 decade ago
A high tech solution still will be needed, but this low tech solution should cost little to nothing to implement for new designs.
Tokenization anyone? = )
Thoughts?