Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

2/22/2010
05:20 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Criminals Hide Payment-Card Skimmers Inside Gas Station Pumps

Wave of recent bank-card skimming incidents demonstrate how sophisticated the scam has become

Criminals hid bank card-skimming devices inside gas pumps -- in at least one case, even completely replacing the front panel of a pump -- in a recent wave of attacks that demonstrate a more sophisticated, insidious method of stealing money from unsuspecting victims filling up their gas tanks.

Some 180 gas stations in Utah, from Salt Lake City to Provo, were reportedly found with these skimming devices sitting inside the gas pumps. The scam was first discovered when a California bank's fraud department discovered that multiple bank card victims reporting problems had all used the same gas pump at a 7-Eleven store in Utah.

Card skimming has been on the rise during the past year, with most attackers rigging or replacing merchant card readers with their own sniffer devices or ATM machines. The devices typically include a scanner, transmitter, camera, and, most recently, Bluetooth- or wireless-enabled links that shoot the stolen data back to the bad guys.

A similar attack occurred with a rigged ATM machine last year in Las Vegas during the Defcon hacker show: Security researcher Chris Paget lost $200 to an ATM machine in the Rio All-Suite Hotel & Casino that appeared to be operating normally, but failed to spit out cash. The U.S. Secret Service was investigating the incident, and it was unclear whether the machine was outfitted internally with a skimming device or had been tampered with for someone to grab the cash withdrawals at a later time.

Bruce Schneier, CTO for BT Counterpane and author of the Schneier on Security blog, says attackers in Europe are also moving skimming devices inside gas pumps as a way to avoid detection. He says the perpetrators could be insiders, but it's unclear. "The moral is that they are getting better and better at this," Schneier says.

Organized criminal gangs might be behind some of these attacks, he adds "Obviously, they are well-funded," Schneier says.

Police say data skimmed from the 7-Eleven store in Sandy, Utah, was used to steal more than $11,000 from ATMs in California. Authorities estimate that victims lose millions of dollars a year to these types of attacks at gas stations nationwide.

Sgt. Troy Arnold from the Sandy police department told a local news outlets that the device in the 7-Eleven gas pump was the size of a cellular phone SIM card and was affixed to the card reader inside the pump. "It's a small device -- Bluetooth, the size of a SIM card -- that is attached to the actual credit card reader. And as we are placing our credit cards or debit cards into these gas pumps ... it's not collecting, but it's just transmitting the account information, the credit card number, to a different device that's within the range of the Bluetooth technology," Arnold told a local Fox affiliate.

The device was removed in late January, and officials think it had been in place for about two months.

Bluetooth-enabled sniffers and wireless technology let the criminals gather data remotely rather than have to physically retrieve their contraband devices, the officials noted.

Back in December, a similar spree occurred in the Sacramento, Calif., area, where gas pumps at an AM/PM convenience store were outfitted with card skimmers, transmitters, and small cameras that siphon victims' debit card data. That information was then used to create a clone card, which the criminal uses at an ATM machine to withdraw money from the victim's account, according to a published report.

"The consumer can't be expected to notice these things," BT Counterpane's Schneier says. And even if gas pumps are secured with tamper-proof seals of some sort, "no one is going to look for those," he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-3154
PUBLISHED: 2020-01-27
CRLF injection vulnerability in Zend\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email.
CVE-2019-17190
PUBLISHED: 2020-01-27
A Local Privilege Escalation issue was discovered in Avast Secure Browser 76.0.1659.101. The vulnerability is due to an insecure ACL set by the AvastBrowserUpdate.exe (which is running as NT AUTHORITY\SYSTEM) when AvastSecureBrowser.exe checks for new updates. When the update check is triggered, the...
CVE-2014-8161
PUBLISHED: 2020-01-27
PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to obtain sensitive column values by triggering constraint violation and then reading the error message.
CVE-2014-9481
PUBLISHED: 2020-01-27
The Scribunto extension for MediaWiki allows remote attackers to obtain the rollback token and possibly other sensitive information via a crafted module, related to unstripping special page HTML.
CVE-2015-0241
PUBLISHED: 2020-01-27
The to_char function in PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via a (1) large number of digits when processing a numeric ...