Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

2/22/2010
05:20 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Criminals Hide Payment-Card Skimmers Inside Gas Station Pumps

Wave of recent bank-card skimming incidents demonstrate how sophisticated the scam has become

Criminals hid bank card-skimming devices inside gas pumps -- in at least one case, even completely replacing the front panel of a pump -- in a recent wave of attacks that demonstrate a more sophisticated, insidious method of stealing money from unsuspecting victims filling up their gas tanks.

Some 180 gas stations in Utah, from Salt Lake City to Provo, were reportedly found with these skimming devices sitting inside the gas pumps. The scam was first discovered when a California bank's fraud department discovered that multiple bank card victims reporting problems had all used the same gas pump at a 7-Eleven store in Utah.

Card skimming has been on the rise during the past year, with most attackers rigging or replacing merchant card readers with their own sniffer devices or ATM machines. The devices typically include a scanner, transmitter, camera, and, most recently, Bluetooth- or wireless-enabled links that shoot the stolen data back to the bad guys.

A similar attack occurred with a rigged ATM machine last year in Las Vegas during the Defcon hacker show: Security researcher Chris Paget lost $200 to an ATM machine in the Rio All-Suite Hotel & Casino that appeared to be operating normally, but failed to spit out cash. The U.S. Secret Service was investigating the incident, and it was unclear whether the machine was outfitted internally with a skimming device or had been tampered with for someone to grab the cash withdrawals at a later time.

Bruce Schneier, CTO for BT Counterpane and author of the Schneier on Security blog, says attackers in Europe are also moving skimming devices inside gas pumps as a way to avoid detection. He says the perpetrators could be insiders, but it's unclear. "The moral is that they are getting better and better at this," Schneier says.

Organized criminal gangs might be behind some of these attacks, he adds "Obviously, they are well-funded," Schneier says.

Police say data skimmed from the 7-Eleven store in Sandy, Utah, was used to steal more than $11,000 from ATMs in California. Authorities estimate that victims lose millions of dollars a year to these types of attacks at gas stations nationwide.

Sgt. Troy Arnold from the Sandy police department told a local news outlets that the device in the 7-Eleven gas pump was the size of a cellular phone SIM card and was affixed to the card reader inside the pump. "It's a small device -- Bluetooth, the size of a SIM card -- that is attached to the actual credit card reader. And as we are placing our credit cards or debit cards into these gas pumps ... it's not collecting, but it's just transmitting the account information, the credit card number, to a different device that's within the range of the Bluetooth technology," Arnold told a local Fox affiliate.

The device was removed in late January, and officials think it had been in place for about two months.

Bluetooth-enabled sniffers and wireless technology let the criminals gather data remotely rather than have to physically retrieve their contraband devices, the officials noted.

Back in December, a similar spree occurred in the Sacramento, Calif., area, where gas pumps at an AM/PM convenience store were outfitted with card skimmers, transmitters, and small cameras that siphon victims' debit card data. That information was then used to create a clone card, which the criminal uses at an ATM machine to withdraw money from the victim's account, according to a published report.

"The consumer can't be expected to notice these things," BT Counterpane's Schneier says. And even if gas pumps are secured with tamper-proof seals of some sort, "no one is going to look for those," he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-32089
PUBLISHED: 2021-05-11
** UNSUPPORTED WHEN ASSIGNED ** An issue was discovered on Zebra (formerly Motorola Solutions) Fixed RFID Reader FX9500 devices. An unauthenticated attacker can upload arbitrary files to the filesystem that can then be accessed through the web interface. This can lead to information disclosure and c...
CVE-2020-24586
PUBLISHED: 2021-05-11
The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted us...
CVE-2020-24587
PUBLISHED: 2021-05-11
The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and...
CVE-2020-24588
PUBLISHED: 2021-05-11
The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated. Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802....
CVE-2020-26139
PUBLISHED: 2021-05-11
An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and...