Slashdot: News for Nerds

More Gas Station Credit-Card Skimmers

kdawson posted about 4 years ago | from the look-for-the-guy-with-the-blue-tooth dept.

Crime 251

coondoggie notes a Network World piece on credit-card skimmers found installed in gas pumps, this time in Florida. Like the similar wave of attacks in Utah earlier this year, the latest crop uses Bluetooth to transmit the illicitly collected data. Does this mean an accomplice has to hang around within 3m of the pump? "The Secret Service has indicated there's a crime wave throughout the Southeast involving the gas-station pump card skimmers, and it may be traced back to a single gang that may be working out of Miami... St. Johns County in Florida has also been hit by the gas-pump card skimmers. [A local sheriff's department spokesman] says criminals wanting to hide the credit-card skimmers in gas pumps have to have a key to the pump, but in some cases a single key will serve to get into many gas pumps." Here's an insight from the banking industry on the skimming fraud.

251 comments

Hiders Keepers? (4, Informative)

LostCluster (625375) | about 4 years ago | (#32892914)

Does this mean an accomplice has to hang around within 3m of the pump?

No. What it means is that there's no need for there to be a wire that leads to the skimmer's recording device... which now can be hidden in the next pump over. This also means the mag reader could be placed in the pump without a recording device, therefore requiring the pump to be taken apart for inspection, adding to the cleanup costs.

Remember, once a fraud becomes so expensive to clear up that the expenses are greater than the total loss, then it's almost allowed to continue unchecked.

Re:Hiders Keepers? (5, Informative)

atrus (73476) | about 4 years ago | (#32892992)

Or, in reality, every skimmer records numbers. The thief comes by with the "dumper", buys some gas while taking a complete download of the current recorder memory. It's far less risky on the retrieval of the numbers, especially if the skimmers have already been identified and the cops are waiting around the corner for the guys to come back (unlikely, but you never know).

Re:Hiders Keepers? (4, Insightful)

dan_linder (84060) | about 4 years ago | (#32893100)

...and with the price of flash memory so low, it would be pretty easy to hide a little digital camera to snap photos of the person as they put the card in and/or stood in front of the machine. It would be easy to download those too and if they saw a few with the manager and a customer standing and pointing at the machine they would know that the gig was up and to just walk away.

I'm really thinking the cash idea is the way to go from now on. :-(

Dan

Re:Hiders Keepers? (1, Insightful)

Thelasko (1196535) | about 4 years ago | (#32893262)

Mod parent up!

The recording device is in the pump. It records the card numbers internally. The thief then comes back and downloads the data off the skimmer with bluetooth (probably with a phone). Totally inconspicuous.

Re:Hiders Keepers? (2, Insightful)

mldi (1598123) | about 4 years ago | (#32893340)

On the bright side, it's easily detectable by checking for BT radios.

Re:Hiders Keepers? (3, Insightful)

fuzzyfuzzyfungus (1223518) | about 4 years ago | (#32893482)

I doubt the skimmer-makers would bother, unless the cops have quietly been hunting bluetooth emissions for a while now; but it wouldn't exactly be rocket surgery to have a bluetooth device that just sits there, receiving but maintaining absolute radio silence unless it hears a particular transmission (from a particular bluetooth MAC, if you really want to get paranoid). The wireless analog of port knocking, more or less...

Particularly with all the cellphones floating around, a BT radio, even one yelling its little amplifier out, is hardly automatically suspicious in a reasonably crowded area. Somebody who knew what they were doing, had the right set of antennas, and had some knowledge of what they were looking for (if, for instance, the skimmer-manufacturers produced a large batch, all with BT modules from the same manufacturer, or even with MACs in series, and some were captured by conventional physical inspection), could definitely hunt them down much more quickly, unless they are very short range units, or were using some stealth strategy like the above...
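An added example, not part of the thread or any poster's code: the triage the two comments above describe, run over a constructed log of periodic Bluetooth sweeps at a station. It separates radios that stay put across sweeps from passing phones and checks addresses against a unit recovered by physical inspection; the log format, every address, the allowlist and the thresholds are made-up assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one sighting per line: "<timestamp> <address> <RSSI dBm>".
# One sweep every 30 minutes; every address here is made up.
SAMPLE_LOG = """\
2010-07-13T08:00 02:AA:BB:00:01:17 -52
2010-07-13T08:00 02:EE:FF:00:00:01 -60
2010-07-13T08:00 02:CC:DD:10:20:30 -71
2010-07-13T08:30 02:AA:BB:00:01:17 -51
2010-07-13T08:30 02:EE:FF:00:00:01 -61
2010-07-13T08:30 02:CC:DD:44:55:66 -66
2010-07-13T09:00 02:AA:BB:00:01:17 -53
2010-07-13T09:00 02:EE:FF:00:00:01 -59
2010-07-13T09:00 02:CC:DD:44:55:66 -68
2010-07-13T09:30 02:AA:BB:00:01:17 -52
2010-07-13T09:30 02:EE:FF:00:00:01 -60
2010-07-13T09:30 02:AA:BB:7F:00:09 -80
2010-07-13T10:00 02:AA:BB:00:01:17 -52
2010-07-13T10:00 02:EE:FF:00:00:01 -62
"""

# Hypothetical inputs: the address of a unit already pulled out of a pump,
# and the station's own Bluetooth equipment.
CAPTURED = ["02:AA:BB:00:01:12"]
ALLOWLIST = {"02:EE:FF:00:00:01"}


def addr_to_int(addr):
    """48-bit address as an integer, so 'MACs in series' becomes a distance."""
    return int(addr.replace(":", ""), 16)


def parse_log(text):
    """Return [(timestamp, address, rssi)] from the log format above."""
    sightings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, addr, rssi = line.split()
        sightings.append(
            (datetime.strptime(ts, "%Y-%m-%dT%H:%M"), addr.upper(), int(rssi)))
    return sightings


def triage(text, captured=CAPTURED, allowlist=ALLOWLIST, min_presence=0.8,
           min_dwell=timedelta(hours=1), series_window=16):
    """Map each suspicious address to the list of reasons it was flagged."""
    sightings = parse_log(text)
    sweeps = {ts for ts, _, _ in sightings}
    seen = defaultdict(set)
    for ts, addr, _ in sightings:
        seen[addr].add(ts)

    findings = {}
    for addr, times in seen.items():
        if addr in allowlist:
            continue
        reasons = []
        # Phones come and go; a radio bolted inside a pump is there every sweep.
        presence = len(times) / len(sweeps)
        dwell = max(times) - min(times)
        if presence >= min_presence and dwell >= min_dwell:
            reasons.append("resident")
        # Same vendor prefix (first three octets) as a recovered unit.
        same_vendor = [c.upper() for c in captured if c.upper()[:8] == addr[:8]]
        if same_vendor:
            reasons.append("vendor_prefix")
            # Addresses handed out in series sit numerically close together.
            if any(abs(addr_to_int(addr) - addr_to_int(c)) <= series_window
                   for c in same_vendor):
                reasons.append("near_captured_serial")
        if reasons:
            findings[addr] = reasons
    return findings


def prioritize(findings):
    """Most-corroborated addresses first: these are the pumps to open."""
    return sorted(findings.items(), key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == "__main__":
    for addr, reasons in prioritize(triage(SAMPLE_LOG)):
        print(addr, ", ".join(reasons))
```

A unit that stays silent until it is addressed, as the comment above describes, never shows up in a sweep like this, so an empty result does not replace physical inspection.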

Re:Hiders Keepers? (5, Informative)

Stephenmg (265369) | about 4 years ago | (#32892994)

Bluetooth range can go up to 100 meters depending on the class of the transmitter. Class 1 ~100m, Class 2 ~10m, Class 3 ~1m. With a Class 2, the recording device could be hidden in the trunk of the abandoned car at the place next door. Class 1 could be down the street.

Re:Hiders Keepers? (1)

oldspewey (1303305) | about 4 years ago | (#32893012)

... and Bluetooth has a range much greater than 3m in my experience. I've had my phone autoconnect to my car when the phone is a good 8m away in a pants pocket, on a different floor, in the opposite corner of the house.

Re:Hiders Keepers? (-1, Troll)

Anonymous Coward | about 4 years ago | (#32893076)

Do you think that the majority of the perpetrators of this sort of crime could be possibly be THIRD WORLDERS, by any chance?
Say it ain't so!

How's that 'diversity' going?

Re:Hiders Keepers? (0)

NiceGeek (126629) | about 4 years ago | (#32893134)

You're right, white folks never commit fraud.
Sigh, ACs are ACs on Slashdot or in real life - just in real life you can see the hoods and robes at least.

Re:Hiders Keepers? (1)

EdIII (1114411) | about 4 years ago | (#32893548)

Come on... don't lump all the ACs in with ignorant racist KKK hicks that pop up once in a while. Anonymity is an integral sacrosanct part of freedom.

Re:Hiders Keepers? (-1, Troll)

Anonymous Coward | about 4 years ago | (#32893326)

In England, it's always Albanians or Romanians. Cunts, the lot of them.

Islam is the shelter of murderers and liars (-1, Offtopic)

Anonymous Coward | about 4 years ago | (#32892922)

These nations of Islam are nothing more than strongholds of liars, cowards and murderers. They need to be boycotted and their power needs to be ignored by the free peoples of the world. The Muslim religion is meant to enslave and execute people unless they adhere to a largely illogical creed. It's time to cleanse the world of this blight.

Re:Islam is the shelter of murderers and liars (0, Insightful)

Anonymous Coward | about 4 years ago | (#32893154)

The religions are meant to enslave and execute people unless they adhere to the largely illogical creeds. It's time to cleanse the world of these blights.

FTFY

Do they really need a key? (1)

localman57 (1340533) | about 4 years ago | (#32892958)

It seems that the sort of people dedicated enough to develop this attack would also be able to learn to pick locks. I don't know for sure, but I'd guess that a gas pump lock isn't very tough to pick. There's no reason that most people would want to open a gas pump, so there's no reason to use a very expensive, pick-resistant lock on it.

Re:Do they really need a key? (3, Insightful)

Aladrin (926209) | about 4 years ago | (#32893052)

Not many want to, no... But all those that want to do so illegally have really, really bad plans in store. It's enough to offset the relatively small number and need a good lock.

I don't know that they DO have them, but they should.

Re:Do they really need a key? (1)

photogchris (1847394) | about 4 years ago | (#32893186)

Saw something on Discovery involving a competitive lock picker. He was given a normal off-the-shelf dead bolt to pick, took about 30 seconds. Next was a commercial dead bolt. After a few minutes he stated it could take him up to two hours to pick. Sure, could be hype and not the same as a fuel pump lock. But, if true I would guess picking a commercial lock on a fuel pump would not be so easy.

Re:Do they really need a key? (1)

Peach Rings (1782482) | about 4 years ago | (#32893430)

I lold at this quote from TFA:

"It's certainly a concern and an issue that's been around for a while," he says. "They're easy to get in to. One would think that each specific gas station would have a key," but that's the case.

Re:Do they really need a key? (1)

Monkeedude1212 (1560403) | about 4 years ago | (#32893612)

There's no reason they have to even open the gas pump to pull it off though, and that's the problem. Pull up with a big SUV so that the gas pump card reader isn't in view of any cameras. Next, pull your bluetooth reader, which can be smaller in size than a candy bar, put it on over the card reader and attach it with glue such that it is inconspicuous. Finish pumping gas. Go inside, go to the bathroom. Hide your bluetooth receiver in the ceiling tiles. Come back every 3 days and be that creep that all the gas station attendants know as "that guy who goes straight to the washroom every time. Gross". Grab the info, profit.

No worries here. (4, Insightful)

The MAZZTer (911996) | about 4 years ago | (#32892968)

I always pay for gas in cash. I think I will not change this personal policy in the near future.

Re:No worries here. (0, Troll)

AnonymousClown (1788472) | about 4 years ago | (#32893102)

And if the clerk pockets the cash and calls the cops on you to cover the theft?

Here's a 20 for pump #2. *pumps $20 worth of gas and takes off*.

Nah.

It won't happen.

Re:No worries here. (3, Insightful)

pgmrdlm (1642279) | about 4 years ago | (#32893144)

You get a receipt? Piece of paper with the time, date, and transaction. Are you always in the habit of paying for anything, no matter how you pay for it, without receiving a receipt???????

Re:No worries here. (0)

Anonymous Coward | about 4 years ago | (#32893514)

When paying for gas with credit card, printing a receipt is optional. You can keep track of gas expense by looking at credit card account online.

Re:No worries here. (2, Insightful)

pgmrdlm (1642279) | about 4 years ago | (#32893582)

I was trying to dispute the position of the previous AC.

And if the clerk pockets the cash and calls the cops on you to cover the theft? Here's a 20 for pump #2. *pumps $20 worth of gas and takes off*.

Just saying, ask for a receipt if you're worried about the clerk pocketing your cash. Have proof of your purchase.

Re:No worries here. (0)

Anonymous Coward | about 4 years ago | (#32893164)

All the pumps here require the attendant to activate the pump before it will let you fill, in other words, prepay. Plus they are on camera, just like you.

So no, it's not going to happen, especially if you ask for a receipt, like I always do.

Re:No worries here. (1)

Nadaka (224565) | about 4 years ago | (#32893232)

The only problem with paying cash for gas is that I generally like to fill up every time, and I don't have any buddies working the local gas station anymore, so there is no way anyone is going to let me fill up before I pay in cash.

Re:No worries here. (1)

PitaBred (632671) | about 4 years ago | (#32893504)

You can often leave an ID with the clerk at the counter and they'll turn it on for you. At least they will around here.

Re:No worries here. (1, Informative)

Anonymous Coward | about 4 years ago | (#32893542)

Are you an idiot? You can always pay like $60 or whatever, and if the tank is full before the money runs out you go back and they give you change!!!

Re:No worries here. (0)

Anonymous Coward | about 4 years ago | (#32893596)

Geez, this is slashdot? Any shmoe out of HS should be able to do a quick mental calc to get within 10% of full. Oh noes! I might have to visit a gas station 5% more than otherwise!

efficiency issue (2, Insightful)

peter303 (12292) | about 4 years ago | (#32893434)

(1) Takes extra time to visit a clerk and pay cash.
(2) Amount not recorded automatically. Have to mess around with receipts. During high price periods my gas usage approaches 5% of my budget and should be tracked.
(3) Requires carrying around more cash, especially in periods when prices are high.

Re:No worries here. (1)

chargersfan420 (1487195) | about 4 years ago | (#32893496)

Modded funny? This is actually an excellent policy. Personally, even if paying by debit or credit card, I always make sure I have enough cash to cover the purchase of gas, just in case of some electronic malfunction occurring with the debit / credit systems. I'd really hate to have them try to remove gas from my car because they couldn't take my plastic money.

Also, to the other "child" posts to this one, where I live (Canada) you often have to pre-pay for gas before filling up, to prevent "gas & go" type crimes. Paying in advance is not a problem but almost mandatory in some cases, especially late at night, when a "gas & go" is more likely to occur.

ATM Skimmer (4, Interesting)

Thelasko (1196535) | about 4 years ago | (#32892982)

I've noticed that my bank has introduced new ATMs to combat skimming. The card reader now has flashing lights, and the display shows a picture of what the card reader should look like.

Re:ATM Skimmer (1)

NevarMore (248971) | about 4 years ago | (#32893058)

Which bank?

Re:ATM Skimmer (1)

kent_eh (543303) | about 4 years ago | (#32893238)

Royal Bank of Canada, among others.

Re:ATM Skimmer (1)

Itninja (937614) | about 4 years ago | (#32893684)

Chase has this as well. Along with these cool 'deposit friendly' ATMs that let me insert 50 checks at once without a deposit slip.

Re:ATM Skimmer (5, Interesting)

Anonymous Coward | about 4 years ago | (#32893484)

This is not new in Europe. Every ATM now has it. Also since 3-4 years ago all cards have a chip in them. The transaction is authorized by the chip in a real-time two-way communication, and you have to punch in the PIN code. But that is never going to happen here in the US, primarily because it means no tips. But why bug gas stations - just go work as a waiter, or at any cash register desk and just routinely slide the card through a second reader. In the EU the waiter at a restaurant has to bring the POS terminal to your table. You insert the card into the slot, while the card is in the slot the waiter puts in the amount, you check it, decide to tip or not, put the amount of tip in, then dial your PIN code. Then the chip on the card already connected with the bank of the POS terminal starts to make the transaction, the bank proxies that transaction to your bank, the chip on the card talks with your bank, and it's done, money is wired from your account to the merchant account. Plain and simple, and in no more than 10 seconds you get an SMS on your cell phone - hey - merchant XXX, pos terminal ID YYY just withdrew 20 euro from your card ending in ..... If it's not you, you pick up the phone, call your bank and just tell them it is not you. And that's it.. the merchant cannot change the amount you were billed at a later time. Here in the US you have to wait up to 5 days to have it posted and it could get changed a lot (usually because of the tips).

You have to decide whether you want the convenience of just waving your card in front of a cash register, or you want the security of actually allowing the transfer of funds from your account. As for the banks - it will always be easier and more profitable to have the people lose their money and go into debt. That is why only a strong government regulation can make them change something. On a little bit of a side note - in Europe if you don't have enough funds in your card the transaction is refused and no penalty is paid. Here, because of the delay in posting transactions you could easily overdraw your card, and get charged 50 for each transfer after the limit.

So.. decide.. convenience or security.

bluetooth (5, Informative)

confused one (671304) | about 4 years ago | (#32892986)

Does this mean an accomplice has to hang around within 3m of the pump?

No, a Class 1 Bluetooth device has a range of up to 100m.

Doesnt sound overly hard to (4, Insightful)

kaptink (699820) | about 4 years ago | (#32893004)

Why don't they make gas stations check their pumps once a day for skimmers? Perhaps when they set the price in the morning. Seems relatively simple.

Re:Doesnt sound overly hard to (2, Informative)

Anonymous Coward | about 4 years ago | (#32893042)

Your gas station must have more initiative than mine. At the one closest to my job they let a dead cat sit by the side of the building until it smelled so bad they couldn't ignore it anymore.

Re:Doesnt sound overly hard to (1)

dan_linder (84060) | about 4 years ago | (#32893044)

At most gas stations the price setting is done remotely from inside the building (probably along with the big digital sign price too).

Dan

Re:Doesnt sound overly hard to (1)

Thelasko (1196535) | about 4 years ago | (#32893290)

I've seen it done. The clerk never moves from behind the counter. They just punch in the number to a machine and all the pumps and signs update instantly.

Re:Doesnt sound overly hard to (1)

molecular (311632) | about 4 years ago | (#32893594)

Talked to a guy at a Shell station in Europe. He said the prices are updated remotely via network. They change multiple times a day.

Re:Doesnt sound overly hard to (3, Interesting)

nizo (81281) | about 4 years ago | (#32893046)

I wonder how many skimmers are installed by the person with the key to the gas pump? Checking wouldn't do much good if the guy checking the pump is the one who installed the skimmer.

Re:Doesnt sound overly hard to (2, Insightful)

fuzzyfuzzyfungus (1223518) | about 4 years ago | (#32893530)

Even in situations where there isn't an inside man (and I'm sure that there sometimes is), a scheme that habituates the employees, anybody monitoring the CCTV cameras, and the public at large, to people frequently opening and poking at the pumps is likely to decrease security, rather than increase it.

The uniforms of gas station employees aren't exactly secret, nor are clothes that look very much like them hard to get ahold of (given that they are generally just plainclothes, or mechanic-style coveralls, possibly with silkscreened logos), so it would be pretty trivial to concoct a plausible disguise in which to tamper with the device.

Re:Doesnt sound overly hard to (1)

moogied (1175879) | about 4 years ago | (#32893068)

Gas station employees. Not gas pump technicians.

Re:Doesnt sound overly hard to (1)

squallbsr (826163) | about 4 years ago | (#32893384)

Hmm, I had the key to the gas pumps - I'm no pump technician. Of course our pumps still had mechanical dials and the max price of fuel was 2.99/gal...

Anyway, there is a key to the printer on current digital pumps, so the receiver could be stashed inside the pump without needing to be a tech.

Re:Doesnt sound overly hard to (1)

vlm (69642) | about 4 years ago | (#32893082)

Why don't they make gas stations check their pumps once a day for skimmers? Perhaps when they set the price in the morning. Seems relatively simple.

Being "in" on the scam is even simpler. Especially if you don't need management approval, merely minimum wage McJob worker approval.

Person who checks the pumps.... (0)

Anonymous Coward | about 4 years ago | (#32893084)

Probably also ensures that the skimmers are working properly.

Simples!

Re:Doesnt sound overly hard to (2, Informative)

blair1q (305137) | about 4 years ago | (#32893110)

Because gas stations are no longer gas stations manned by trained mechanics. They are convenience stores, manned by people who generally don't have any control or technical knowledge of the pumps. Prices are set over the internet. About all the cashier can do is put a yellow bag over the handle if there's a complaint about a pump, and call it in.

Re:Doesnt sound overly hard to (2, Funny)

Anonymous Coward | about 4 years ago | (#32893214)

Hey now, don't insult gas station attendants. Some of them are Slashdot's most prolific posters. I think a couple are even editors here.

Re:Doesnt sound overly hard to (1)

Haffner (1349071) | about 4 years ago | (#32893124)

Because the type of person who works at a gas station is hardly the type of person who can be trained to identify sophisticated electronics. Also, if, like previous commenters suggest, the bluetooth addition forces the pump to be disassembled, you are talking about adding significantly to the cost of the gas station owner. It's another reincarnation of the old formula: if (cost to fix problem - cost of letting problem go unfixed > 0) then don't fix problem, else hire lobbyists.

Re:Doesnt sound overly hard to (3, Interesting)

Nadaka (224565) | about 4 years ago | (#32893354)

I was a gas station attendant for 3 years while getting my college degrees.

It was a nice easy job with fringe benefits like the ability to do homework on the job, free soda fountain mountain dew and access to jailbait.

At one time we had me - a CS major doing AI research and a Nuclear Physics major on her way to the Air Force Academy running the night shift.

Most of the people who can't handle the gas station clerk position think exactly like you do, except they don't realize that they have to do paperwork at the end of each shift and quit because division is too hard.

Re:Doesnt sound overly hard to (1)

socsoc (1116769) | about 4 years ago | (#32893584)

Closing out your drawer requires division?

Re:Doesnt sound overly hard to (3, Insightful)

Monkeedude1212 (1560403) | about 4 years ago | (#32893704)

Most of the people who can't handle the gas station clerk position think exactly like you do, except they don't realize that they have to do paperwork at the end of each shift and quit because division is too hard.

The problem is that not every gas station is structured like that. I worked at a gas station for 2 and a half years, and they basically had 3 people on duty at all times. 2 to run the tills, maintain the cleanliness of the store, and watch the pumps. 1 would be in the back office, doing that paperwork and occasionally watching security cams. The only paperwork the front line people had to do was count out their till to $100 each time their shift began and ended. Anyone with a pulse could have worked that job. The only way to keep that job was to NOT steal money.

And while I wouldn't expect much from even those people, I think they could identify a card reader if taught how. It's as easy as saying "Look at this specific part of the pump. Remember how it looks. Every morning I want you to look at it. If it ever looks different, inform me."

Re:Doesnt sound overly hard to (1)

EmagGeek (574360) | about 4 years ago | (#32893176)

I imagine it's because it's too labor-intensive and too expensive, and making a routine out of opening the pumps would probably only make it easier for criminals to gain access to them.

Re:Doesnt sound overly hard to (1)

TavisJohn (961472) | about 4 years ago | (#32893234)

Maybe the gas station employees are putting these things in the pumps.

Maybe the pumps can have intrusion sensors installed, so that the computers that control them can also log when the pumps are opened. If they are opened when it is not scheduled then the pumps can be remotely shut down and then inspected. That combined with video surveillance they can then file a civil suit for the cost of the repairs to the pumps.

Re:Doesnt sound overly hard to (1)

camperdave (969942) | about 4 years ago | (#32893312)

Why don't they make gas stations check their pumps once a day for skimmers? Perhaps when they set the price in the morning. Seems relatively simple.

Trusting sort, aren't you?

If a gas station employee is going to go through all the trouble of installing a skimmer, then what's to prevent him/her from lying about whether one is installed?

What's needed is an end-to-end validation system. My card needs to tell me if I'm connected over a secure, untampered channel to my bank; maybe some LEDs along with the chip (that's right, ditch the magnetic stripe). My bank needs to know that it is a valid card; perhaps some sort of one time pad that's burned into the card at time of issuance.

Oh, and I don't think they set the price at the pumps anymore. That's done remotely from the control booth, or possibly from a central location for the chain.

Re:Doesnt sound overly hard to (1)

HungryHobo (1314109) | about 4 years ago | (#32893392)

one time pad? better an RSA key
Of course then you have to build processing power into the card to use that key

Re:Doesnt sound overly hard to (1)

xaxa (988988) | about 4 years ago | (#32893462)

Using public key cryptography your card can know it's communicating with a real terminal, and the bank can know it's a real card. Your card can then "sign" the transaction.

All my cards have chips. They all have magnetic stripes too, so they work in the USA, although maybe it'd be cheaper for my bank if the standard card didn't have one, and I had to ask for a card with a magstripe if I wanted to use it outside much of Europe and a few other places. People stealing the magstripe data still happens here, although the fraud is carried out elsewhere (sometimes America) where a magstripe transaction will be accepted.
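An added illustration, not from the thread, of why copied stripe data stays usable while a chip's per-transaction response does not. It is a simplified model rather than the EMV protocol: an HMAC over a per-card secret shared with the issuer stands in for the public-key signature mentioned above so that it runs on the Python standard library alone, and every name, card number and amount is made up.

```python
import hashlib
import hmac
import secrets


def _message(pan, amount_cents, merchant, nonce, ctr):
    """Canonical byte string that the card authenticates and the issuer re-derives."""
    return f"{pan}|{amount_cents}|{merchant}|{nonce}|{ctr}".encode()


class ChipCard:
    def __init__(self, pan, track, key):
        self.pan = pan
        self._track = track   # static stripe contents
        self._key = key       # stays inside the chip; a reader never sees it
        self._ctr = 0         # transaction counter, bumped on every use

    def stripe_data(self):
        # A magnetic stripe hands the same bytes to every reader, genuine or not.
        return self._track

    def sign(self, amount_cents, merchant, nonce):
        # The chip binds amount, merchant, the terminal's nonce and its own
        # counter into one tag, so the response is different every time.
        self._ctr += 1
        tag = hmac.new(self._key,
                       _message(self.pan, amount_cents, merchant, nonce, self._ctr),
                       hashlib.sha256).hexdigest()
        return {"pan": self.pan, "amount": amount_cents, "merchant": merchant,
                "nonce": nonce, "ctr": self._ctr, "tag": tag}


class Issuer:
    def __init__(self):
        self._keys, self._tracks, self._last_ctr = {}, {}, {}

    def issue(self, pan):
        key = secrets.token_bytes(32)
        track = f"{pan}=STATIC-TRACK-DATA"   # constructed placeholder
        self._keys[pan], self._tracks[pan], self._last_ctr[pan] = key, track, 0
        return ChipCard(pan, track, key)

    def authorize_stripe(self, track):
        # All the issuer can check is that the bytes match its record,
        # which is equally true of a copy.
        return track in self._tracks.values()

    def authorize_chip(self, tx):
        key = self._keys.get(tx["pan"])
        if key is None:
            return False
        expected = hmac.new(key, _message(tx["pan"], tx["amount"], tx["merchant"],
                                          tx["nonce"], tx["ctr"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tx["tag"]):
            return False                      # altered fields or forged tag
        if tx["ctr"] <= self._last_ctr[tx["pan"]]:
            return False                      # counter already used: a replay
        self._last_ctr[tx["pan"]] = tx["ctr"]
        return True


def demo():
    issuer = Issuer()
    card = issuer.issue("0000111122223333")   # made-up card number
    out = {}

    recorded_track = card.stripe_data()       # what any reader in the path sees
    out["stripe_first"] = issuer.authorize_stripe(card.stripe_data())
    out["stripe_replay"] = issuer.authorize_stripe(recorded_track)

    tx = card.sign(2000, "FUEL-01", secrets.token_hex(4))
    out["chip_first"] = issuer.authorize_chip(tx)
    out["chip_replay"] = issuer.authorize_chip(dict(tx))
    out["chip_tampered"] = issuer.authorize_chip(
        dict(tx, amount=90000, ctr=tx["ctr"] + 1))
    out["chip_next"] = issuer.authorize_chip(
        card.sign(1500, "FUEL-01", secrets.token_hex(4)))
    return out


if __name__ == "__main__":
    for name, approved in demo().items():
        print(f"{name:14s} {'approved' if approved else 'declined'}")
```

As long as the issuer still accepts the stripe path for the same account, the chip's protection can be sidestepped by falling back to it, which is the situation the comment above describes for cards that keep a magstripe.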

Re:Doesnt sound overly hard to (1)

camperdave (969942) | about 4 years ago | (#32893686)

I have yet to see a card that indicates whether the reader is valid. Do your cards have any sort of display or indicator on your card?

Re:Doesnt sound overly hard to (2, Informative)

molecular (311632) | about 4 years ago | (#32893640)

What's needed is an end-to-end validation system. My card needs to tell me if I'm connected over a secure, untampered channel to my bank; maybe some LEDs along with the chip (that's right, ditch the magnetic stripe). My bank needs to know that it is a valid card; perhaps some sort of one time pad that's burned into the card at time of issuance.
 

you mean a cryptographic smartcard that has the private key on chip and never tell it like this: http://en.wikipedia.org/wiki/Smart_card#Cryptographic_smart_cards [wikipedia.org] ?

Re:Doesnt sound overly hard to (3, Interesting)

fuzzyfuzzyfungus (1223518) | about 4 years ago | (#32893654)

While a CC system that doesn't utterly suck, and trust pretty much every link in the chain like it would its own mother, after she had been notarized and presented two forms of photo ID, I suspect that we could be waiting a while for that...

In the meantime, I'm curious why the "card path" of any exposed payment system would be designed such that it has internal voids where 3rd party hardware can be stashed. A mag-stripe reader is just a surface, with a few mm of electronics behind it. Generally, because people aren't too good at keeping their card at just the right distance, you mount the reader parallel to a passive plate a few mm away, through which the card is run. With a surface channel design, the attacker has to stick their skimmer onto the surface, where it can be detected by visual inspection (made easier if the card slot has blinkenlights, a highly specific shape, certain color/pattern, etc.)

If, for some reason, an internal card path must be used, so that the card can be held on to during the transaction or whatever, one could still make sure that the internal chamber is small enough to admit only a card, and that the eject mechanism doesn't just pop the card halfway out; but actually completely scrapes out the internal chamber each cycle (in order to remove, say, a thin-film reader fabricated on a sticky backed piece of flexible circuit board)...

Good mechanical design won't stop all skimmers; because people may not notice even a fairly blatant one just taped on top of the actual reader; but it should be fairly easy, with good design of the card path, to make it impossible to mount an internal reader without doing some in-situ metalworking.

Re:Doesnt sound overly hard to (2, Insightful)

Anonymous Coward | about 4 years ago | (#32893356)

They only need to have the card scanner in place for a short period (say an hour or two) to get enough credit cards, then they move on to the next target.

Re:Doesnt sound overly hard to (0)

Anonymous Coward | about 4 years ago | (#32893432)

Better yet they should leave them all unlocked so people can check for skimmers themselves.

Re:Doesnt sound overly hard to (1)

Monkeedude1212 (1560403) | about 4 years ago | (#32893632)

Gas stations generally aren't required to protect your info though, the only laws regarding that are that any receipts which print the card # have to be *'d out.

Credit Card Skimmer.... (-1, Offtopic)

carolservulo (1855282) | about 4 years ago | (#32893036)

I just love to comment on that website, i'm glad to see green stuff in san mateo area, and i'm going to offer to all my friends in san francisco most it's cleaning business, thanks, Carol BayAreaGreen [bayareagreencleaning.com]

My card got skimmed in Iowa (2, Informative)

EmagGeek (574360) | about 4 years ago | (#32893048)

I'm usually paranoid about such things, but I didn't even notice. Chase was really on the ball with it though. The crooks who stole my card weren't able to charge a damn thing, because their first attempt tripped the alarm bells.

These skimmer gangs are pervasive, though. They have people working on the inside at retailers everywhere. When mine was skimmed, they tried to use the card to buy several DVD players at a Walgreens nearby within minutes of me buying gas. As it turned out, they had skimmed several dozen cards that morning and had people working in retail stores all around the area trying to buy mostly electronics merchandise with the card numbers. It was a pretty large theft ring...

Get the chip (1)

Lev13than (581686) | about 4 years ago | (#32893060)

The US really needs to get on board with EMV chip & PIN. Once Canada finishes its conversion America will be the last major mag-stripe holdout. ZIP-confirmation and other two-factor authentication hacks aren't going to cut it. Chip isn't 100% perfect, but it is 1,000x more secure than an unencrypted mag stripe and has yet to be compromised in the wild. Combined with EMV-compliant contactless payments and PIN-less low value transactions (so that PINs aren't captured en masse), the situation could be greatly improved.

Also, since the US isn't switching, the rest of the world needs to keep a mag strip on their cards. This leaves a major vulnerability open and will result in continued international skimming but with exploitation migrating to the US.

Re:Get the chip (0)

Anonymous Coward | about 4 years ago | (#32893226)

Yes, it's a real pain when you go abroad and they all stare at you for not chipping and pinning and lots of cashiers don't know how to swipe any more.

Re:Get the chip (1)

jfengel (409917) | about 4 years ago | (#32893302)

ZIP-confirmation and other two-factor authentication hacks aren't going to cut it.

ZIP confirmation has always seemed spectacularly useless. If you've got somebody's card, the ability to get their address seems trivial. The card comes with the name on it (including on the mag stripe), and Google will give you an address much of the time from that.

Is there some secret advantage here that I'm missing, or is it just the credit card company's lazy way of pretending to add security?

You're giving the crooks too much credit (1)

rsilvergun (571051) | about 4 years ago | (#32893518)

pun not intended. Seriously, a lot of crooks are stopped cold by simple measures, and it's a cheap solution.

Re:Get the chip (1)

fuzzyfuzzyfungus (1223518) | about 4 years ago | (#32893690)

"Hey boss, marketing and/or legal say we have to have 'two factor authentication' in our product. We could adapt the smartcard chips they use in sims and...."

"Jesus fuck, man, that sounds expensive! We mail out those cards, sometimes unsolicited and pre-activated to poorly validated addresses, like goddamn candy. If your next scheme involves a per-card hardware cost, you might as well go pack your desk, to save security the trouble..."

"Well, we could just change the software and add a scary-looking screen that asks for the ZIP code, that's, like, totally a government-granted numeric ID, right?"

"Good work. Make it so."

Re:Get the chip (5, Insightful)

fuzzyfuzzyfungus (1223518) | about 4 years ago | (#32893330)

There is one unpleasant downside to "chip & PIN"...

While it is certainly more secure than mag stripe, the various issuing institutions, at least in Britain, have tried to use this to argue that theft/skimming losses should now be the fault of the "negligent" customer, rather than their problem.

I have nothing against better security, I do have a problem with better security being tarted up as evidence that no intrusion could possibly have occurred without the connivance of the customer.

Re:Get the chip (1)

Anonymous Coward | about 4 years ago | (#32893342)

The US will never switch as long as merchants, rather than banks, take most of the losses from credit card fraud. If you want to avoid economic losses, the best thing to do is put the liability for loss on the party that can most easily prevent the loss. In this case, banks have the best ability to prevent credit card fraud. Unfortunately, our current system makes merchants take the vast majority of the losses due to credit card fraud. So why would banks ever fix it if they don't have to pay for the economic losses? Make banks pay for credit card fraud and the issue will be fixed in a matter of months.

Re:Get the chip (2, Informative)

mbkennel (97636) | about 4 years ago | (#32893590)

Banks do take liability for credit card fraud unless they can prove merchants did not obey the security precautions mandated by the acquiring bank's or card association's agreement.

Re:Get the chip (1)

Mashiki (184564) | about 4 years ago | (#32893404)

The chip isn't secure. We're already seeing cases in Canada where chipped cards are being copied.

Re:Get the chip (0)

Anonymous Coward | about 4 years ago | (#32893646)

The chip isn't secure. We're already seeing cases in Canada where chipped cards are being copied.

Could you please provide a reference?

Re:Get the chip (4, Informative)

Anonymous Coward | about 4 years ago | (#32893664)

The system relies on the chip to tell the terminal that a valid PIN was used, rather than the terminal+chip+PIN creating a cryptographic message to the bank so the bank can verify that a valid PIN was used. End result: All you need is a fake chip that always tells the terminal a valid PIN was used.

http://www.zdnet.co.uk/news/security-threats/2010/02/11/chip-and-pin-is-broken-say-researchers-40022674/1/ [zdnet.co.uk]
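Added example, not part of the comment above or of the linked research: a simplified Python model of the design difference the comment describes, with an issuer that takes the terminal's word on the PIN beside one that checks a card-authenticated record. The field names, the HMAC construction and the sample data are hypothetical stand-ins, not the EMV message format.

```python
import hashlib
import hmac
import json


def _mac(card_key: bytes, record: dict) -> str:
    payload = json.dumps(record, sort_keys=True).encode()
    return hmac.new(card_key, payload, hashlib.sha256).hexdigest()


def card_response(card_key: bytes, amount: int, nonce: str, pin_verified: bool) -> dict:
    """The card's own record of the transaction, authenticated for the issuer."""
    record = {"amount": amount, "nonce": nonce, "pin_verified": pin_verified}
    return {"record": record, "mac": _mac(card_key, record)}


def issuer_trusting(request: dict) -> str:
    """Design the comment criticises: the PIN result is taken on the terminal's word."""
    return "approved" if request["terminal_pin_ok"] else "declined"


def issuer_checking(card_key: bytes, request: dict) -> str:
    """Issuer verifies the card's MAC, then compares it with the terminal's claim."""
    card = request["card"]
    if not hmac.compare_digest(_mac(card_key, card["record"]), card["mac"]):
        return "declined: card data not authentic"
    rec = card["record"]
    if (rec["amount"], rec["nonce"]) != (request["amount"], request["nonce"]):
        return "declined: card data is for another transaction"
    if request["terminal_pin_ok"] != rec["pin_verified"]:
        return "declined: terminal and card disagree on PIN"
    return "approved" if rec["pin_verified"] else "declined: no PIN verified"


# Constructed sample data (hypothetical; not from the article or any card scheme).
CARD_KEY = b"constructed-demo-key"
HONEST = {"amount": 4200, "nonce": "n-001", "terminal_pin_ok": True,
          "card": card_response(CARD_KEY, 4200, "n-001", pin_verified=True)}
# The terminal believes the PIN was checked; the card's own record says it was not.
MISMATCH = {"amount": 4200, "nonce": "n-002", "terminal_pin_ok": True,
            "card": card_response(CARD_KEY, 4200, "n-002", pin_verified=False)}

if __name__ == "__main__":
    for name, req in (("honest", HONEST), ("mismatch", MISMATCH)):
        print(name, "|", issuer_trusting(req), "|", issuer_checking(CARD_KEY, req))
```

The trusting issuer cannot tell the two requests apart; the checking issuer declines the second because the PIN claim is not backed by data only the card could have authenticated.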

Re:Get the chip (1)

bk2204 (310841) | about 4 years ago | (#32893670)

While I agree that ZIP confirmation is not particularly secure, there's actually a better reason that Canada doesn't use it: Canadian postal codes are alphanumeric, and installing a QWERTY keyboard at every point of sale just isn't going to cut it.

What a skimmer actually looks like (4, Informative)

kryptKnight (698857) | about 4 years ago | (#32893092)

Since none of the articles linked to by the summary felt it was relevant to mention what these skimmers actually look like, here's an article from Consumerist [consumerist.com] .

Re:What a skimmer actually looks like (1)

Thelasko (1196535) | about 4 years ago | (#32893296)

These skimmers are in the pump. You won't see anything different in the appearance of the pump.

Re:What a skimmer actually looks like (4, Informative)

whoever57 (658626) | about 4 years ago | (#32893328)

Since none of the articles linked to by the summary felt it was relevant to mention what these skimmers actually look like, here's an article from Consumerist.

That's an ATM skimmer, which is different to gas pump skimmers. Because the attackers don't have access to the inside of the ATM, everything is done by sticking gizmos on the outside of the ATM. With gas pumps, I don't think there are any signs that a user can see that a skimmer has been installed -- it's all internal to the gas pump.

Re:What a skimmer actually looks like (0, Troll)

Monkeedude1212 (1560403) | about 4 years ago | (#32893510)

attackers don't have access to the inside of a gas pump either.

They are both done by attaching items on the pump, just gas stations can only do credit cards (because there is no viable way to set up a camera to watch your pin).

Re:What a skimmer actually looks like (5, Informative)

Rogerborg (306625) | about 4 years ago | (#32893660)

attackers don't have access to the inside of a gas pump either.

Y'all got some religious prohibition about Reading The Fine Article [bankinfosecurity.com] ?

Unlike ATM skimming devices, which are attached to the exterior of a machine, over the card reader, the Shell skimming device was actually inside the terminal, wired between the card scanner and the computer board.

The entirety of human knowledge at your fingertips, and you still insist on wearing your ignorance like a badge.

Re:What a skimmer actually looks like (1)

RollingThunder (88952) | about 4 years ago | (#32893698)

No, the second article was pretty clear that the devices are being placed in-between the reader and the rest of the pump. It's in-line, recording every signal the card reader sends to the processing system, and prior to the point that it's all encrypted for transmission.

Unlike ATM skimming devices, which are attached to the exterior of a machine, over the card reader, the Shell skimming device was actually inside the terminal, wired between the card scanner and the computer board.

This is like the classic keyloggers, plugged in to the PC's keyboard socket, and then the keyboard plugged in to it, except you can't see it since everything's inside the pump.

How do they get into the gas pump? (1)

rsilvergun (571051) | about 4 years ago | (#32893546)

The article mentioned shim attacks, which I took to mean a mini-reader stuck into the real reader. Are they coming in pretending to be maintenance and getting to crack open the pump that way?

Re:How do they get into the gas pump? (1)

Monkeedude1212 (1560403) | about 4 years ago | (#32893716)

You just put it on in front.

International connection? (0)

Anonymous Coward | about 4 years ago | (#32893098)

I'm not sure if it is, no sources mention it, but skimming ATMs was big in Moscow, Russia at the beginning of the 2000s. ATMs were a relative novelty and people would never question the look of them.
It took a while to realize that US folks are just as vulnerable to this, and the party moved here.

You're using it wrong (0)

Anonymous Coward | about 4 years ago | (#32893148)

Who says the skimmer has to transmit the skimmed numbers as soon as they are skimmed or that physical possession of the device needs to be reattained? The skimmers could store the numbers and respond with them on request. Criminal drives by the area and remotely queries skimmers downloading all of the data. Please ask why anything so easily copied serves as an authentication scheme for something so universally in demand. Fortunately for us consumers the banks eat most fraudulent credit card transactions, but these same negligent authentication procedures cost individuals tons of money for copied social security numbers.

What we need... (1)

Nadaka (224565) | about 4 years ago | (#32893184)

What we need to do is make every debit and credit card use something like an RSA SecurID token and make the user type in the pseudo-random synced 6-digit code for every purchase. And then allow only one transaction for a card in that ~1 minute timeframe that the code is valid.

That would cut down on 99.99% of all opportunity for credit card fraud. You would either need the card/token on hand or have the algorithm and enough instance data to derive the key through brute force means.

The only downside to this is that recurring credit card charges would no longer work... So there is no downside.

Re:What we need... (1)

Burdell (228580) | about 4 years ago | (#32893320)

The problem with RSA tokens is that the system doesn't scale. I have two credit cards, an ATM/debit card, several bank website logins, etc. I don't want those accounts tied together for security and privacy, and I certainly don't want to carry around a half-dozen tokens. Also, doesn't RSA claim a patent on the token setup (so they'd be a sole-source and raise costs across the board)?

Re:What we need... (2)

Big Boss (7354) | about 4 years ago | (#32893522)

Embed the token into the cards. They don't have a significant cost these days, and it would make the cards significantly more secure. Yes, it makes the cards more expensive than a piece of plastic and a magstripe, but really, it's not THAT much. Particularly when amortized over all the cards in circulation.

If you're going that far, you could also include the PIN entry keypad on the card and use a secure link to make it nearly impossible for an attacker to get your PIN via the capture device.

And, if designed properly, they won't wear out as fast as the old style ones, and they are more secure, so don't have to expire as often. The real expiration is on the CC company servers anyway, and checked when you try to use the card.

The really painful part isn't the cards really, it's the readers. And internet transactions, but that can be handled reasonably if you have a display on the card. It can show you a bunch of numbers to type into the computer after you tell it how much you want to allow the merchant to charge you. Generates a time limited code (one use, good for one minute?) that allows the transaction to process.

Re:What we need... (1)

HungryHobo (1314109) | about 4 years ago | (#32893428)

If my touchscreen cellphone can't keep synced to my wall clock (+/- 1 minute) I wouldn't bet much on something stuck into a cheap card managing it reliably.
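Added example, not part of any post in this thread: an issuer-side check for the scheme discussed above (a time-synced 6-digit code, valid for about a minute, one transaction per code), with a drift window for a card clock that runs fast or slow. The open HOTP/TOTP construction (RFC 4226/6238) stands in here for the token's own algorithm; the class, the parameter values and the demo secret are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 60         # seconds a code stays valid (the "~1 minute" in the post)
DRIFT_STEPS = 1   # also accept one step either side, for a card clock that drifts


def one_time_code(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Issuer:
    """Issuer-side check: at most one approved transaction per card per step."""

    def __init__(self):
        self.secrets = {}     # card id -> shared secret
        self.last_step = {}   # card id -> newest time step already spent

    def enroll(self, card_id: str, secret: bytes) -> None:
        self.secrets[card_id] = secret
        self.last_step[card_id] = -1

    def authorize(self, card_id: str, code: str, now: int) -> str:
        secret = self.secrets.get(card_id)
        if secret is None:
            return "unknown card"
        current = now // STEP
        for step in range(max(0, current - DRIFT_STEPS), current + DRIFT_STEPS + 1):
            expected = one_time_code(secret, step)
            if hmac.compare_digest(expected.encode(), code.encode()):
                if step <= self.last_step[card_id]:
                    return "replayed"   # this step (or a later one) was already spent
                self.last_step[card_id] = step
                return "approved"
        return "bad code"


if __name__ == "__main__":
    # Constructed demo: the RFC 4226 test secret, not a real card key.
    issuer = Issuer()
    issuer.enroll("card-1", b"12345678901234567890")
    code = one_time_code(b"12345678901234567890", 80 // STEP)
    print(issuer.authorize("card-1", code, now=80))   # first use of the code
    print(issuer.authorize("card-1", code, now=85))   # same code presented again
```

Widening `DRIFT_STEPS` tolerates a worse card clock but lengthens the time a captured, unused code remains acceptable.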

harder credit/emoney is less credit & bank pro (1)

peter303 (12292) | about 4 years ago | (#32893448)

Credit/debit companies make money on volume. They balance a certain level of fraud against the ease of obtaining credit. That's why there is pin-less debit and signature-less credit below certain thresholds.

Security through obscurity, yet again (1)

ka9dgx (72702) | about 4 years ago | (#32893210)

If the system was designed in such a way as to allow the generation of 1 time keys, instead of an embedded 16 digit number, this wouldn't be a problem. This could have been fixed 10 or maybe even 20 years ago... but we have the lowest possible cost system in place, and fraud is just a cost of business instead of a crime.

insight from the banking industry (5, Interesting)

flaming error (1041742) | about 4 years ago | (#32893298)

Interesting that this "insight from the banking industry" doesn't seem to indicate the banks have any responsibility for the problem.

There once was a time that people took their money to the bank for safekeeping. I think banks have partly weaseled themselves out of the security side of the business, and what used to be called "bank robbery" they now call "identity theft." Which works ok for the bank, seeing how it's the customer who lost the money and it must have been the customer's fault, or the gas station's, or the POS equipment vendor's.

The bank, which should act like a watchdog, portrays itself as something of an innocent bystander.

Re:insight from the banking industry (2, Informative)

mandelbr0t (1015855) | about 4 years ago | (#32893574)

No, an individual card issuer does not have any responsibility, nor should they. It is the responsibility of the financial network to mandate minimum security requirements of each card issuer, and all terminals under their control. (e.g. Interac, Cirrus, Visa). It is only the card issuer's responsibility to adhere to the policy set out by their network.

Re:insight from the banking industry (3, Insightful)

fuzzyfuzzyfungus (1223518) | about 4 years ago | (#32893736)

Sinclair said: "It is difficult to get a man to understand something, when his salary depends upon his not understanding it!"

When dealing with PR flacks, their salary depends on you not understanding it, which is likely even worse...

ATMs (2, Interesting)

Y-Crate (540566) | about 4 years ago | (#32893708)

After several years of being told by banks to watch out for large plastic attachments to ATM card slots, I've noticed that an increasing number of bank-owned ATMs now have them as a part of their design. The simple, flush-mounted card slot on a grey plastic / metal bezel is now giving way to a protruding translucent green plastic bulge on grey plastic / metal bezel.

Which makes less than zero sense.

They look fake as can be, especially when paired with a slightly older ATM with the more sensible slot.

Now, one might argue that the crazy card slots are a great theft deterrent because they preclude the attachment of a skimmer, but they also make it impossible for the machine to snap up a stolen card, nor do they really look legitimate enough to give the user peace of mind.

It's usually the same key (4, Informative)

Megane (129182) | about 4 years ago | (#32893734)

I used to write code that talked to gas pumps, and I can tell you that most pumps take the same key for the printer door, a different same key for the terminal (Gilbarco CRIND/Wayne CAT) door, and I think another same key for the pump control door. That's the same keys for the entire model run of a pump, and maybe for more than one model, unless maybe a big oil chain installs a different same key. Even then, they're those round locks like the ones that some laptop cables use that can be picked with a part from a Bic pen. (Presumably they're better made than the laptop cable locks.)

The card data is sent up to the station's control computer directly, usually both track 1 and track 2 data. I don't think it would be hard to insert a skimmer behind the door, whether a second mag reader head, or just splice the wires from the card reader. Or even rig the station control computer if you have access to that. (For that matter, all the card numbers may end up in a log file on that computer.)

There's not much danger of a pin pad skimmer, however, because in the US, PINs are protected by each pinpad having a master key injected into RAM before shipping to the site. They are potted in epoxy and have a memory kill switch if you attempt to open them. This works differently from the European system, which is why the US hasn't had to go to "chip and pin". The PIN is encrypted in the pad, the pinpad's serial number is attached, and the result is only decrypted by the card clearing house computers, which have a list of all the decryption keys. Even if the guy who ran the station was doing the skimming, debit PINs couldn't be skimmed and still work properly. But that's just debit. Credit cards don't have a PIN.

So unlike ATM skimmers, they could definitely hide the skimmer behind the door, but they would still need a camera of some sort to capture the PINs. Fortunately most gas pump terminals have a relatively flat front, so they can't just hide the camera on a different part of the panel.
