Mitigation Fail for Gas Pump Skimmers

Published: 2014-03-05
Last Updated: 2014-03-05 14:49:22 UTC
by Rob VandenBrink (Version: 1)
7 comment(s)

In late January we all heard about bluetooth enabled credit card skimmers on gas pumps.  Since that story broke, I've been seeing some attempts at reassuring the public on this issue - I'm seeing pumps at multiple chains having their card readers taped and initialed.


I suppose they figure crooks don't have red tape, or pens.  This really is more to reassure consumers, to say "yes, we do check these once in a while to make sure that your card isn't being skimmed".  Though that assumes the person checking can tell a reader cover from a skimmer.

I was surprised also to find that this "breaking story" on skimmers which hit the news in January 2014 was first posted by Brian Krebbs way back in 2010 -
http://krebsonsecurity.com/2010/07/skimmers-siphoning-card-data-at-the-pump/
http://krebsonsecurity.com/all-about-skimmers/

... but by the time my brain caught up with who's page I found this on, I wasn't surprised at all.

The main protection we have against skimmers is the moral fortitude of the attendant working at the station.  We're depending on that person doing the right thing when faced with a choice between a potentially very large bribe.  Skimmer operations can easily net tens of thousands per week, or millions in this recent case  https://krebsonsecurity.com/2014/01/gang-rigged-pumps-with-bluetooth-skimmers/.  So the risk / reward proposition is a large bribe, often in the tens-of-thousands range, against being aprehended and charged/convicted if the operation is caught and apprehended before they shut down and move on to the next set of target gas stations.

Please, weigh in using our comment form.  I'd be really interested if our readers might have solutions or preventitive measures that will work better than the red tape I described in this story!
 

==============
Rob VandenBrink
Metafore

Keywords:
7 comment(s)

Comments

Or how to hide that someone has installed a skimmer? Taping it in place to cover a sloppy install?
There is competition between the companies that manufacture the hardware for credit cards to be used to purchase gasoline. Gilbarco has market lead there in the USA. The cyber security community needs to work with such companies to help improve their security efforts. For example, there are hardware upgrades to improve security, which many gas station operators are slow to implement. If the public knew which gas chains were on old security technology, and which were up-to-date, do you suppose it would influence buying habits towards the chains with less security risks?

My name is Alister William Macintyre
I work in the industry that makes that hardware
I am limited by my employer what I may say about what is being done

I can however share some info about that industry, like identifying Gilbarco as #1 there, as a starting point for your independent research into what companies are making hardware attacked by skimmers, and the state-of-art of their efforts to combat vulnerabilities.
Manufacturing inspection techniques could be applied to anti-skimmer efforts.
The hardware, used for credit card attached to gas pump, comes in standard brand name model versions, which should match a standard picture, which a computer can compare. Operator unlocks the gas pumps, shines a cell phone camera at the tangled mess of hardware, wires, etc., sends the picture to a computer, which has access to what brand model version is supposed to be in there, for comparison, to identify any extra additions which should not belong. If any are found, alerts are sent to the police, chain HQ, other places, identifying the GPS of chain location where a suspected skimmer has been found, when.

From Alister Wm Macintyre
Here in Europe we have been seen the skimmers for years, of different quality. Mostly on unmanned gas stations, but also at ATMs.

We have also seen cases with simple theft of cards. One person in the supermarket line behind goes close to the victim, who turns and hides the pin entry from the Romainian, allowing his colleague in crime to lure the PIN from the other side of the supermarket line. Tnen simple pick-pocket to get the card.

We have also seen security cameras luring PIN, and then the shop says the card does not work, takes it, skims it, and says try again.

Magnetic stripes should be forbidden. It should be chip only like most cards in Europe. More difficult to clone
Here in Canada most gas pumps and all pumps at the major chains have moved to chip and pin readers so skimmers are not as issue.

We have had issues with people parking in vans and recording the pins as they are entered and then stealing the card, but those cases are limited and have not happened in years.
For a future low tech solution against stick on/cover over skimmers, couldn't they just make these pumps with an absolutely flat face in and around where you insert the card. Any skimmer a little thicker then paper would be obvious. While that does not protect from things being placed inside the machine, it would make it much harder for the vast majority of attacks we are seeing now. (Stick on/over covers) Placing things in the pump takes more effort and there is a lot more risk is involved. I will bet that most of these people would shy away from that level of risk.

A high tech solutions still will be needed, but this low tech solution should cost little to nothing to implement for new designs.

Tokenization anyone? = )

Thoughts?
The problem with Alister's photo technique is that the person taking the photos is probably the person who allowed the fitting of the skimmers... Easy to take a set of photos before fitting and then send one each time verification is required.

Diary Archives