I’m curious how often this sort of scam exists in places like Oregon where you’re required to have an attendant at the gas station pump for you, and are therefore unlikely to get unfettered access to the pumps. Does anyone have any data for that kind of thing?
As an aside, I’ve always thought that parking meters were the ideal target for this kind of attack. Nobody that I’ve seen has ever checked for skimmers when using a parking meter, and they all tend to look different anyway.
Heck, for that matter, just put up a bogus parking meter in a space that didn't have one to begin with. It's hard to believe that no one has ever tried that.
The Simpsons, Season 24 Episode 10, "A Test Before Trying" [1], has Homer try that.
> Meanwhile, Mr. Burns raises the price of electricity. As a result, Homer throws his domestic appliances in the dump, where he finds a parking meter that still functions. He decides to set it up at parking spaces around Springfield, moving to another as soon as someone pays.
Do you enter your PIN at a parking meter? I’ve never seen one that wasn’t contactless. You’d have to spending a hell of a lot on parking to have to use your PIN!
Exxon had contactless back in the 90's with a special keychain. I don't know if it still does.
When I go to 76 stations, there is an icon for something that looks contactless, but doesn't seem to do anything, and there's no instructions on the pump.
Even in "the middle of nowhere" (in the mountains, ~100 mi. to the nearest city with pop. > 100k), I've found gas stations that have digital pumps usually support Apple Pay
(some still use analog pumps that require you to tell them the total after you pump, even some of those support contactless payment, but much less often)
Credit card companies aren't requiring it until October 2020 (after this point, the retailer will be held responsible for fraud if they don't have contactless readers installed)
EMV is not synonymous with contactless, though that feature is part of most, if not all, EMV terminals. Nonetheless, it is optional. The liability shift requires you support EMV, but doesn't require you support contactless.
And as such, doesn't really protect you. The merchant may use the chip for the transaction, but the card numbers and PIN are still capturable via a camera.
It's still not much fun having to go through all of one's subscriptions and saved payment methods, and it costs us all in the aggregate. Repeatedly compromised cards can get your bank to consider you too much of a risk, as well.
The solution is quite simple: require contactless payments be accepted at the pump.
Too late to edit, but I guess I should have mentioned that I'm in Canada so chip + PIN is the standard, gas stations I go to typically have neither swipe nor contactless available.
I don't think most places let you swipe anymore anyway. But yeah, I'm also wondering why there are no contactless cards here. Probably the most annoying part of gassing up is getting all your cards out to get rewards, etc, putting your info in and how much gas you want.
I had my credit card scammed after using a full service gas station in New Jersey (by law there's no self-serve). They took my card inside the store to run it. There's no way to know they're going to do that when you pull into a new gas station.
Time to start requiring gas stations to permit contactless payments. I'll specifically drive a bit further to use one I can Apple Pay with.
The US seems to be one of the only nations that permits long outdated point-of-sale systems to remain in use. In Australia, you lease them, and the bank will force you to replace them when new tech is out. Pretty much everyone seems to use contactless payments there as a result.
PCI will require that gas stations accept EMV next year. It was supposed to happen like four years ago, but the stations protested. Hopefully it actually goes through this time.
The camera is to record your PIN, which is only useful in conjunction with the magstripe data. A camera to record the numbers physically printed on the card isn't going to be super effective. Yeah, it might get a few, but probably not enough to be worthwhile.
There's no reason a camera couldn't capture card number, expiration and CVV, especially if paired with a contact switch on a skimmer to trigger the photo.
My iPhone happily lets me add a card by taking a picture of the card and OCRing it; my Discover card has number, expiration, and CVV all on the same side even.
It doesn't solve the immediate problem, but once enough people are using chips you could disable the ability to do old-style magstrip transactions (or at least flag them for manual review / extra scrutiny).
I also try to only go to gas stations that take Apple Pay, or pay with a card that I know has excellent customer support (Chase, usually). I haven't had a card number stolen since I started doing this.
I always cover my hands and make it as hard as possible to detect my PIN even when there's no one around for this reason. Skimmers are already small enough that they can be fitted inside the machine, completely invisible from the outside. Cameras could be concealed in any number of places.
The only rational thing to do is never trust that the machine you're putting your card into hasn't been tampered with.
This was found in Las Vegas. It's worth noting that the head of Las Vegas Metro (the regional police force) was on TV last year telling people that card skimming is so rampant in Nevada that nobody should use a card at any gas station — they should always use cash.
That would imply that cash is preferred, but, cash at a gas station - or any shop - is an attractor for robberies. At least with a skimmer the damage is purely financial, with robberies, especially in the US, there's a big risk of gun violence on top of that.
Can't rob someone that doesn't have cash, is all I'm saying.
You can absolutely rob a person that does not have cash though. Even ignoring the value of personal electronic devices credit cards themselves can be a target. You might be able to eventually unwind the financial impact but that doesn't deter robbery.
What you're describing sounds more like a mugging. He was talking about armed robbery of a convenience store. Is it possible to hold them up at gunpoint, forcibly take some of their card-processing equipment, and exfiltrate some money or credit card numbers that way? Probably, but that's not exactly the path of least resistance.
It's possible to steal a box of candy bars, or a case of beer, or the iPad cash register and on and on. Cash is not the only valuable a robber can target. Having large amounts of it on hand may make you a more appealing target but it is only one type of valuable.
You can't be sure of that, it only takes seconds to install a skimmer or replace the whole unit, or the person behind the counter may just do it themselves.
Twelve years ago I had my card number and PIN logged at a point of sale inside a shop. The authorities caught the ring and determined what happened was the shop was burgled a week before and a week after. The first time the thieves took a few items and swapped the card reader out for a compromised one. Then they burgled it again and swapped it back, now laden with hundreds of card numbers and pins.
"What's your threat model?" In a perfect world, purchases in person are contactless, authenticated with a mobile device. Until then, don't sweat the small stuff: you're not liable for any fraudulent charges on credit cards (US centric advice), and I don't suggest using debit cards (keep an ATM card just for cash access at ATMs).
It's the same situation in the California desert communities by me. Joshua Tree, Yucca Valley, 29 Palms, skimmers abound.
One nearby gas station has affixed large warning stickers on the pumps saying something to the effect of "Warning: use of a card to pay at this pump may result in a 72-hour freeze of your card. Please contact your bank or creditor for more information."
I've interrupted a few folks in the process of paying with cards at those pumps, asking them if they saw the warning sign. None had seen it, people seem conditioned to no longer register such things. Also worth noting, none had cash to pay inside with. Some went inside to pay at the register with their card though, which seems less likely to be compromised than the pump.
My card was skimmed at a gas pump shortly after I first arrived in the CA desert, I've only paid with cash ever since.
It seems unlikely that this practice knows any boundaries, I'm suspicious of any gas pump or poorly maintained/monitored ATM at this point.
Both of these are only sketchy because the US refuses to modernize. Restaurants need to switch to portable readers that work with contactless/phones. Gas stations also need to accept general contactless and not just whatever special gas card they have.
I loved that card for the $1 off at any coffee shop until they changed it. It's still ok, but now you have to make 5 purchases with the card to get 5x$1 off.
A couple of months ago. On podcasts I listen to, I've heard other people talk about it changing. Basically the deals all get 'locked' until you make a certain number of purchases to unlock them again.
After 20 years of not having credit card problems, about four years ago my wife and I had to replace our card about twice a year due to the number getting stolen. This happened six or seven times. The best is when the credit card company asked us to confirm we had sent a payment of $200 to a prisoner in Venezuela.
Since then I have strictly paid with cash at gas stations, but haven't changed my credit card use anywhere else. We have had to replace the card exactly once in the past three years.
Fraud absolutely remains a problem. Not on a raw financial level, but there's still the time involved (disputing, providing evidence, follow-ups, switching the card number on 800 different services and hoping you didn't miss an important one), and the risk of losing your banking if you're regularly being compromised.
There's also a systemic cost to it, at the merchant and banking level. That's money being siphoned from all of us into the hands of criminals.
> risk of losing your banking if you're regularly being compromised
Hmm, I hadn't considered this, and it might very well be valid if it happens really outside the norm.
> but there's still the time involved
I've only ever had to call about fraudulent charges once, and that was because a restaurant double-billed me (once with tip, once without), so it wasn't outright fraud as much as it was a mistake/computer glitch. Every other time the credit card company has called me.
> There's also a systemic cost to it, at the merchant and banking level.
Not really an individual problem, just like shoplifting raises prices for us, and taxes, and regulations, etc.
I'm surprised there haven't been cases where criminals just mount two cameras with zoom lenses so that they capture both sides of the card as it enters the reader. You'd be able to reconstruct the number, the name and the 3 digit security code. Sure, you're not going to get 100% of the cards due to people blocking the cameras, but you also don't need to mount anything to the actual pump and can better avoid getting caught.
For things that are moving, you'll need a camera with a high framerate so you don't get a blur. We have cameras to do automatic licence plate reading of all the cars that come on our property and they were expensive (> $1500 + lens) and large-ish.
High frame rate is good, but to not get blur you just need a high shutter speed. Most digital cameras can do this easily. But simply having a high shutter speed isn't enough, as if it's fast enough no light will get it to get a proper exposure. That's why you'll need a supplemental light source, like infrared or a flash, a large aperture (aka large lens elements), or a lot of gain (ISO).
It's really a balancing act between the three. The more zoomed the lens, the bigger the lens elements need to be to maintain the same aperture ratio. That's why a 600mm f4 is absolutely massive compared to a 50mm f4 lens.
For something like this application though, the quality of the sensor doesn't need to be too high, you don't really that high of a shutter speed, nor do you need to worry about image noise. There's always light on at the pump, so you can easily calibrate for night time, if needed just bring a light meter (or use an app) to the spot at night and check.
Details printed on the card aren't enough to reconstruct the contents of the magstripe needed to do card-present transactions (and those are preferred as online transactions are subject to extra checks like 3D Secure and address verification).
If you only want card details for online/card-not-present transactions then getting them via malware is easier and even less risk of getting caught.
A few weeks ago filling up at Costco the attendant was inspecting the pump from top to bottom, I asked what he was doing and responded "looking for skimmers or alterations" to the pump. I asked how often do you do that, he said "every hour". I was impressed.
I was pretty excited when I found a gas station near my house that accepted apple pay at the pump. More often then not I will go there strictly for that reason.
I know not everyone has a credit card, but as someone once said to me, never enter your PIN into anything other than a bank ATM, i.e., an ATM physically attached to a bank lobby.
I was at a gas pump the other day with a never-before-seen-by-me card reader that I tried to physically remove (as I always tug on them to make sure they are not fake). After that I noticed, "Apple Pay Coming Soon". That is the first pump I have seen with such a notice, and I am very much encouraged to see that, hopefully someday soon, I won't even have to insert my card into one of these machines!
The card reader on the ATM is frightening (but I always hide my PIN with my hand, but even then, it can be guessed by muscle movements). But Apple Pay is another positive to not having to put your card in the door. If the door doesn't support Apple Pay, then I try my AAA card, which works a lot of the time. If I have to use my bank card, I really try to hide my PIN when I eventually get to the ATM.
Whenever I see reports about these skimmers, I always wonder how in the hell someone managed to install that thing into the pump without anyone seeing them do it. Every gas station that I've ever been to has had a direct line of sight from the cashier to the pumps, presumably in case of fire so they can hit the shutoff as quickly as possible.
Maybe a non-24 hour station and passersby just assumed it was maintenance? But do they not have security cameras?
This attack vector should not exist in 2019. i.e. card skimming should not still be a thing.
Chip/paywave is strong enough w/ online backed by a 2fa (3D secure?). It's just annoying companies don't want to replace their terminals because they own them (rented ones get replaced by force) so it costs money to do that. Thusly we're all stuck with this problem still being very real.
89 comments
[ 3.1 ms ] story [ 146 ms ] threadAs an aside, I’ve always thought that parking meters were the ideal target for this kind of attack. Nobody that I’ve seen has ever checked for skimmers when using a parking meter, and they all tend to look different anyway.
> Meanwhile, Mr. Burns raises the price of electricity. As a result, Homer throws his domestic appliances in the dump, where he finds a parking meter that still functions. He decides to set it up at parking spaces around Springfield, moving to another as soon as someone pays.
https://en.wikipedia.org/wiki/A_Test_Before_Trying
When I go to 76 stations, there is an icon for something that looks contactless, but doesn't seem to do anything, and there's no instructions on the pump.
(some still use analog pumps that require you to tell them the total after you pump, even some of those support contactless payment, but much less often)
https://business.hughes.com/resources/blog/outdoor-emv-liabi...
It's still not much fun having to go through all of one's subscriptions and saved payment methods, and it costs us all in the aggregate. Repeatedly compromised cards can get your bank to consider you too much of a risk, as well.
The solution is quite simple: require contactless payments be accepted at the pump.
The US seems to be one of the only nations that permits long outdated point-of-sale systems to remain in use. In Australia, you lease them, and the bank will force you to replace them when new tech is out. Pretty much everyone seems to use contactless payments there as a result.
My iPhone happily lets me add a card by taking a picture of the card and OCRing it; my Discover card has number, expiration, and CVV all on the same side even.
The only rational thing to do is never trust that the machine you're putting your card into hasn't been tampered with.
Can't rob someone that doesn't have cash, is all I'm saying.
Fewer and fewer people having anything on them to rob will deter robbery over time.
One nearby gas station has affixed large warning stickers on the pumps saying something to the effect of "Warning: use of a card to pay at this pump may result in a 72-hour freeze of your card. Please contact your bank or creditor for more information."
I've interrupted a few folks in the process of paying with cards at those pumps, asking them if they saw the warning sign. None had seen it, people seem conditioned to no longer register such things. Also worth noting, none had cash to pay inside with. Some went inside to pay at the register with their card though, which seems less likely to be compromised than the pump.
My card was skimmed at a gas pump shortly after I first arrived in the CA desert, I've only paid with cash ever since.
It seems unlikely that this practice knows any boundaries, I'm suspicious of any gas pump or poorly maintained/monitored ATM at this point.
Contactless can’t come soon enough!
It is not attached to my normal bank nor does it have any subscriptions/autopay so it is no big deal if it gets compromised (has happened once).
After 20 years of not having credit card problems, about four years ago my wife and I had to replace our card about twice a year due to the number getting stolen. This happened six or seven times. The best is when the credit card company asked us to confirm we had sent a payment of $200 to a prisoner in Venezuela.
Since then I have strictly paid with cash at gas stations, but haven't changed my credit card use anywhere else. We have had to replace the card exactly once in the past three years.
So I've just been going into the station and paying with ApplePay if the POS device supports it. Then cash
There's also a systemic cost to it, at the merchant and banking level. That's money being siphoned from all of us into the hands of criminals.
Hmm, I hadn't considered this, and it might very well be valid if it happens really outside the norm.
> but there's still the time involved
I've only ever had to call about fraudulent charges once, and that was because a restaurant double-billed me (once with tip, once without), so it wasn't outright fraud as much as it was a mistake/computer glitch. Every other time the credit card company has called me.
> There's also a systemic cost to it, at the merchant and banking level.
Not really an individual problem, just like shoplifting raises prices for us, and taxes, and regulations, etc.
It's really a balancing act between the three. The more zoomed the lens, the bigger the lens elements need to be to maintain the same aperture ratio. That's why a 600mm f4 is absolutely massive compared to a 50mm f4 lens.
For something like this application though, the quality of the sensor doesn't need to be too high, you don't really that high of a shutter speed, nor do you need to worry about image noise. There's always light on at the pump, so you can easily calibrate for night time, if needed just bring a light meter (or use an app) to the spot at night and check.
If you only want card details for online/card-not-present transactions then getting them via malware is easier and even less risk of getting caught.
I was at a gas pump the other day with a never-before-seen-by-me card reader that I tried to physically remove (as I always tug on them to make sure they are not fake). After that I noticed, "Apple Pay Coming Soon". That is the first pump I have seen with such a notice, and I am very much encouraged to see that, hopefully someday soon, I won't even have to insert my card into one of these machines!
While I agree with you, Krebs has documented several ways your ATM card can be skimmed even if you follow that advice:
Almost perfectly disguised skimmer on a Chase bank ATM: https://krebsonsecurity.com/2011/12/pro-grade-3d-printer-mad...
Skimmer on the vestibule door card reader: https://krebsonsecurity.com/2015/03/door-skimmer-hidden-came...
Maybe a non-24 hour station and passersby just assumed it was maintenance? But do they not have security cameras?
Chip/paywave is strong enough w/ online backed by a 2fa (3D secure?). It's just annoying companies don't want to replace their terminals because they own them (rented ones get replaced by force) so it costs money to do that. Thusly we're all stuck with this problem still being very real.