89 comments

[ 3.1 ms ] story [ 146 ms ] thread
I’m curious how often this sort of scam exists in places like Oregon where you’re required to have an attendant at the gas station pump for you, and are therefore unlikely to get unfettered access to the pumps. Does anyone have any data for that kind of thing?

As an aside, I’ve always thought that parking meters were the ideal target for this kind of attack. Nobody that I’ve seen has ever checked for skimmers when using a parking meter, and they all tend to look different anyway.

In that situation is it still a pump that accepts cards but the attendant is operating it?
Yes, but you’d definitely get questioned for interacting with the pump directly.
Assuming the station is open 24 hours
Heck, for that matter, just put up a bogus parking meter in a space that didn't have one to begin with. It's hard to believe that no one has ever tried that.
Best of all, nobody is going to question the transactions.
The Simpsons, Season 24 Episode 10, "A Test Before Trying" [1], has Homer try that.

> Meanwhile, Mr. Burns raises the price of electricity. As a result, Homer throws his domestic appliances in the dump, where he finds a parking meter that still functions. He decides to set it up at parking spaces around Springfield, moving to another as soon as someone pays.

https://en.wikipedia.org/wiki/A_Test_Before_Trying

Do you enter your PIN at a parking meter? I’ve never seen one that wasn’t contactless. You’d have to spending a hell of a lot on parking to have to use your PIN!
Why don't gas stations I go to ever support contactless? My gas tank isn't large enough to even go over my contactless limit.
Exxon had contactless back in the 90's with a special keychain. I don't know if it still does.

When I go to 76 stations, there is an icon for something that looks contactless, but doesn't seem to do anything, and there's no instructions on the pump.

Even in "the middle of nowhere" (in the mountains, ~100 mi. to the nearest city with pop. > 100k), I've found gas stations that have digital pumps usually support Apple Pay

(some still use analog pumps that require you to tell them the total after you pump, even some of those support contactless payment, but much less often)

Credit card companies aren't requiring it until October 2020 (after this point, the retailer will be held responsible for fraud if they don't have contactless readers installed)

https://business.hughes.com/resources/blog/outdoor-emv-liabi...

EMV is not synonymous with contactless, though that feature is part of most, if not all, EMV terminals. Nonetheless, it is optional. The liability shift requires you support EMV, but doesn't require you support contactless.
And as such, doesn't really protect you. The merchant may use the chip for the transaction, but the card numbers and PIN are still capturable via a camera.
It then becomes much easier for the bank to deny transactions that don't use the chip. Swiped transactions become suspicious.
Sure, if the victim never purchases anything online.
You are not liable for card-not-present fraud (without 3D-Secure) so feel free to dispute the transaction and get your money back.
I'm well aware of the recourse available.

It's still not much fun having to go through all of one's subscriptions and saved payment methods, and it costs us all in the aggregate. Repeatedly compromised cards can get your bank to consider you too much of a risk, as well.

The solution is quite simple: require contactless payments be accepted at the pump.

Too late to edit, but I guess I should have mentioned that I'm in Canada so chip + PIN is the standard, gas stations I go to typically have neither swipe nor contactless available.
I don't think most places let you swipe anymore anyway. But yeah, I'm also wondering why there are no contactless cards here. Probably the most annoying part of gassing up is getting all your cards out to get rewards, etc, putting your info in and how much gas you want.
They did this for chip years ago, and even brand new gas pumps are swipe only.
(comment deleted)
If you go inside, most stations have been replacing their POS device with a newer one that'll take ApplePay, etc
I had my credit card scammed after using a full service gas station in New Jersey (by law there's no self-serve). They took my card inside the store to run it. There's no way to know they're going to do that when you pull into a new gas station.
Speaking of puffins... I've had my credit card skimmed in Iceland, at a pretty remote gas station on the ring road.
Time to start requiring gas stations to permit contactless payments. I'll specifically drive a bit further to use one I can Apple Pay with.

The US seems to be one of the only nations that permits long outdated point-of-sale systems to remain in use. In Australia, you lease them, and the bank will force you to replace them when new tech is out. Pretty much everyone seems to use contactless payments there as a result.

PCI will require that gas stations accept EMV next year. It was supposed to happen like four years ago, but the stations protested. Hopefully it actually goes through this time.
That just means they have to use the chip (or accept the liability on their end). Doesn't protect you from a skimmer or a camera.
you can't skim a chip though
Sure, but when you dip your card, the magstripe on that chip card gets skimmed and the camera captures your card number and PIN entry.
If it's implemented properly, the card shouldn't go all the way into the reader, just the smartcard contact
None of which saves you from a camera looking at the numbers on the card while you insert it.
The camera is to record your PIN, which is only useful in conjunction with the magstripe data. A camera to record the numbers physically printed on the card isn't going to be super effective. Yeah, it might get a few, but probably not enough to be worthwhile.
There's no reason a camera couldn't capture card number, expiration and CVV, especially if paired with a contact switch on a skimmer to trigger the photo.

My iPhone happily lets me add a card by taking a picture of the card and OCRing it; my Discover card has number, expiration, and CVV all on the same side even.

It doesn't solve the immediate problem, but once enough people are using chips you could disable the ability to do old-style magstrip transactions (or at least flag them for manual review / extra scrutiny).
I also try to only go to gas stations that take Apple Pay, or pay with a card that I know has excellent customer support (Chase, usually). I haven't had a card number stolen since I started doing this.
I always cover my hands and make it as hard as possible to detect my PIN even when there's no one around for this reason. Skimmers are already small enough that they can be fitted inside the machine, completely invisible from the outside. Cameras could be concealed in any number of places.

The only rational thing to do is never trust that the machine you're putting your card into hasn't been tampered with.

This was found in Las Vegas. It's worth noting that the head of Las Vegas Metro (the regional police force) was on TV last year telling people that card skimming is so rampant in Nevada that nobody should use a card at any gas station — they should always use cash.
That's the best solution - improved privacy and sometimes even reduced gas prices when using cash.
That would imply that cash is preferred, but, cash at a gas station - or any shop - is an attractor for robberies. At least with a skimmer the damage is purely financial, with robberies, especially in the US, there's a big risk of gun violence on top of that.

Can't rob someone that doesn't have cash, is all I'm saying.

You can absolutely rob a person that does not have cash though. Even ignoring the value of personal electronic devices credit cards themselves can be a target. You might be able to eventually unwind the financial impact but that doesn't deter robbery.
What you're describing sounds more like a mugging. He was talking about armed robbery of a convenience store. Is it possible to hold them up at gunpoint, forcibly take some of their card-processing equipment, and exfiltrate some money or credit card numbers that way? Probably, but that's not exactly the path of least resistance.
It's possible to steal a box of candy bars, or a case of beer, or the iPad cash register and on and on. Cash is not the only valuable a robber can target. Having large amounts of it on hand may make you a more appealing target but it is only one type of valuable.
> You might be able to eventually unwind the financial impact but that doesn't deter robbery.

Fewer and fewer people having anything on them to rob will deter robbery over time.

(comment deleted)
Until you find yourself escorted to an ATM at gunpoint.
This is why I don't carry a debit card tied to my main bank account. Just a "ATM only" account that I keep low.
This makes you the 0.000001% of the population.
Yay, guess I’m also part of that very rare club.
Cash is clearly preferred, as every gas station I can remember in the last 20 years offers a discount for paying cash.
Or prepay inside with a credit card? No skimmer at the counter in the gas station.
You can't be sure of that, it only takes seconds to install a skimmer or replace the whole unit, or the person behind the counter may just do it themselves.
Twelve years ago I had my card number and PIN logged at a point of sale inside a shop. The authorities caught the ring and determined what happened was the shop was burgled a week before and a week after. The first time the thieves took a few items and swapped the card reader out for a compromised one. Then they burgled it again and swapped it back, now laden with hundreds of card numbers and pins.
"What's your threat model?" In a perfect world, purchases in person are contactless, authenticated with a mobile device. Until then, don't sweat the small stuff: you're not liable for any fraudulent charges on credit cards (US centric advice), and I don't suggest using debit cards (keep an ATM card just for cash access at ATMs).
It's the same situation in the California desert communities by me. Joshua Tree, Yucca Valley, 29 Palms, skimmers abound.

One nearby gas station has affixed large warning stickers on the pumps saying something to the effect of "Warning: use of a card to pay at this pump may result in a 72-hour freeze of your card. Please contact your bank or creditor for more information."

I've interrupted a few folks in the process of paying with cards at those pumps, asking them if they saw the warning sign. None had seen it, people seem conditioned to no longer register such things. Also worth noting, none had cash to pay inside with. Some went inside to pay at the register with their card though, which seems less likely to be compromised than the pump.

My card was skimmed at a gas pump shortly after I first arrived in the CA desert, I've only paid with cash ever since.

It seems unlikely that this practice knows any boundaries, I'm suspicious of any gas pump or poorly maintained/monitored ATM at this point.

I’ve started using the BPme app which, while clunky, avoids having my physical card interact with the pump.

Contactless can’t come soon enough!

Shell has a similar tool that works pretty well.
I have a low limit credit card that is used exclusively for sketchy stuff, such as gas, restaurants, smaller ecommerce sites, and so on.

It is not attached to my normal bank nor does it have any subscriptions/autopay so it is no big deal if it gets compromised (has happened once).

The idea that gas stations and restaurants have to be regarded as "sketchy stuff" seems quite sad to me.
Both of these are only sketchy because the US refuses to modernize. Restaurants need to switch to portable readers that work with contactless/phones. Gas stations also need to accept general contactless and not just whatever special gas card they have.
I know a ton of people who use Cash App's card for that. Seems like it works well for them. (I don't use it personally)
I loved that card for the $1 off at any coffee shop until they changed it. It's still ok, but now you have to make 5 purchases with the card to get 5x$1 off.
Huh, they might be A/B testing that. I still have the original $1 off any coffee shop (min. $1.50; every 30 minutes). When did your deal change?
A couple of months ago. On podcasts I listen to, I've heard other people talk about it changing. Basically the deals all get 'locked' until you make a certain number of purchases to unlock them again.
Anecdata:

After 20 years of not having credit card problems, about four years ago my wife and I had to replace our card about twice a year due to the number getting stolen. This happened six or seven times. The best is when the credit card company asked us to confirm we had sent a payment of $200 to a prisoner in Venezuela.

Since then I have strictly paid with cash at gas stations, but haven't changed my credit card use anywhere else. We have had to replace the card exactly once in the past three years.

Went to LA and Maui over the past two years and within a month after both I had to close the card.

So I've just been going into the station and paying with ApplePay if the POS device supports it. Then cash

Yet another reason to get an electric car.
Joking aside, I don't know why we are still using such simple tech to secure transactions. Large numbers aren't good security measure.
Step 1: Never use a debit card for anything ever. Step 2: Fraud is no longer your problem as long as you review your statements in a timely manner.
Fraud absolutely remains a problem. Not on a raw financial level, but there's still the time involved (disputing, providing evidence, follow-ups, switching the card number on 800 different services and hoping you didn't miss an important one), and the risk of losing your banking if you're regularly being compromised.

There's also a systemic cost to it, at the merchant and banking level. That's money being siphoned from all of us into the hands of criminals.

(comment deleted)
> risk of losing your banking if you're regularly being compromised

Hmm, I hadn't considered this, and it might very well be valid if it happens really outside the norm.

> but there's still the time involved

I've only ever had to call about fraudulent charges once, and that was because a restaurant double-billed me (once with tip, once without), so it wasn't outright fraud as much as it was a mistake/computer glitch. Every other time the credit card company has called me.

> There's also a systemic cost to it, at the merchant and banking level.

Not really an individual problem, just like shoplifting raises prices for us, and taxes, and regulations, etc.

I'm surprised there haven't been cases where criminals just mount two cameras with zoom lenses so that they capture both sides of the card as it enters the reader. You'd be able to reconstruct the number, the name and the 3 digit security code. Sure, you're not going to get 100% of the cards due to people blocking the cameras, but you also don't need to mount anything to the actual pump and can better avoid getting caught.
For things that are moving, you'll need a camera with a high framerate so you don't get a blur. We have cameras to do automatic licence plate reading of all the cars that come on our property and they were expensive (> $1500 + lens) and large-ish.
High frame rate is good, but to not get blur you just need a high shutter speed. Most digital cameras can do this easily. But simply having a high shutter speed isn't enough, as if it's fast enough no light will get it to get a proper exposure. That's why you'll need a supplemental light source, like infrared or a flash, a large aperture (aka large lens elements), or a lot of gain (ISO).

It's really a balancing act between the three. The more zoomed the lens, the bigger the lens elements need to be to maintain the same aperture ratio. That's why a 600mm f4 is absolutely massive compared to a 50mm f4 lens.

For something like this application though, the quality of the sensor doesn't need to be too high, you don't really that high of a shutter speed, nor do you need to worry about image noise. There's always light on at the pump, so you can easily calibrate for night time, if needed just bring a light meter (or use an app) to the spot at night and check.

Details printed on the card aren't enough to reconstruct the contents of the magstripe needed to do card-present transactions (and those are preferred as online transactions are subject to extra checks like 3D Secure and address verification).

If you only want card details for online/card-not-present transactions then getting them via malware is easier and even less risk of getting caught.

A few weeks ago filling up at Costco the attendant was inspecting the pump from top to bottom, I asked what he was doing and responded "looking for skimmers or alterations" to the pump. I asked how often do you do that, he said "every hour". I was impressed.
That’s a benefit of not sticking the clerk inside the convenience store all day like other stations.
Another good reason to get an EV, don't have to visit gas pumps again! :)
In the UK we have more and more roadside chargers that take a card just like a self service fuel pump.
I was pretty excited when I found a gas station near my house that accepted apple pay at the pump. More often then not I will go there strictly for that reason.
I know not everyone has a credit card, but as someone once said to me, never enter your PIN into anything other than a bank ATM, i.e., an ATM physically attached to a bank lobby.

I was at a gas pump the other day with a never-before-seen-by-me card reader that I tried to physically remove (as I always tug on them to make sure they are not fake). After that I noticed, "Apple Pay Coming Soon". That is the first pump I have seen with such a notice, and I am very much encouraged to see that, hopefully someday soon, I won't even have to insert my card into one of these machines!

... as someone once said to me, never enter your PIN into anything other than a bank ATM, i.e., an ATM physically attached to a bank lobby.

While I agree with you, Krebs has documented several ways your ATM card can be skimmed even if you follow that advice:

Almost perfectly disguised skimmer on a Chase bank ATM: https://krebsonsecurity.com/2011/12/pro-grade-3d-printer-mad...

Skimmer on the vestibule door card reader: https://krebsonsecurity.com/2015/03/door-skimmer-hidden-came...

The card reader on the ATM is frightening (but I always hide my PIN with my hand, but even then, it can be guessed by muscle movements). But Apple Pay is another positive to not having to put your card in the door. If the door doesn't support Apple Pay, then I try my AAA card, which works a lot of the time. If I have to use my bank card, I really try to hide my PIN when I eventually get to the ATM.
Whenever I see reports about these skimmers, I always wonder how in the hell someone managed to install that thing into the pump without anyone seeing them do it. Every gas station that I've ever been to has had a direct line of sight from the cashier to the pumps, presumably in case of fire so they can hit the shutoff as quickly as possible.

Maybe a non-24 hour station and passersby just assumed it was maintenance? But do they not have security cameras?

Wear a high vis jacket and carry a toolbox and most people in most places won't give you a second glance.
Hell, get a clipboard and a vest that says INSPECTOR on the back of it and go to a construction site and people will actively avoid you.
This attack vector should not exist in 2019. i.e. card skimming should not still be a thing.

Chip/paywave is strong enough w/ online backed by a 2fa (3D secure?). It's just annoying companies don't want to replace their terminals because they own them (rented ones get replaced by force) so it costs money to do that. Thusly we're all stuck with this problem still being very real.

It is hard for me to follow Krebs from a mobile phone - an unresponsive site.