September 26, 2017
Tutorial - Gas Pump Skimmers
about 2 years ago
Some ATM skimmers have used Bluetooth (http://krebsonsecurity.com/2010/07/skimmers-siphoning-card-data-at-the-pump/); others use GSM modules (http://krebsonsecurity.com/2010/06/sophisticated-atm-skimmer-transmits-stolen-data-via-text-message/), while really old ones use SD cards that must be manually harvested. See https://krebsonsecurity.com/all-about-skimmers/ for a long list of articles about skimmers.
These devices only skim the mag stripe. Skimming the data between the chip and the reader doesn't produce enough information to create a cloned card, so it's essentially worthless to the thieves.
It’s still possible to copy an account number from a skimmer attached to a chip reader, but without a valid CVV or CVV2, it’s very hard for the thief to profit from them. Thieves have been known to use account data stolen from EU countries to make online purchases from poorly protected US sites, but I’ve not heard of an incident where the stolen data originated from a chip card.
It’s a really hard-to-exploit flaw. I don’t think you have nearly as much to worry about as an American with a mag stripe card!
If the pump takes chip cards (the kind you leave in the reader slot until the screen says "approved") then the transaction data is safe (even if it's not properly encrypted, the chip generates a digital signature that keeps the transaction safe). If it's a swipe reader (the kind where you insert and 'quickly remove' your card) it's garbage, regardless of their claims of encryption.
Nope. Leave it alone, and report it to the police. Don't tamper with the evidence; let the cops decide how to handle it.
Sorry in advance for the lengthy first comment, but I wanted to clarify how credit card companies handle fraud, as it's changed in the last two years, and is still changing.
The Payment Card Industry (PCI) defines the standards and rules for credit cards, and they have been driving banks and merchants to use the EMV standard, which (among other things) uses "chip cards" to cryptographically protect against skimming and cloning. Europe changed over to chip cards over a decade ago, but American retailers (led by the National Retail Federation, or NRF) have a powerful voice in how credit card acceptance is done in the US. They have bitterly complained that converting to EMV will take expensive cash register system changes that will bankrupt many businesses. So the PCI dragged their feet here in the US, while fraud losses continued to mount. But about 10 years ago, data breaches with millions of credit card numbers stolen started changing how the industry was impacted by fraud, and they decided they needed to change.
However, the PCI is just an industry organization. They can't force stores to spend the thousands of dollars it would take to buy brand new chip card readers; they can't force banks to install new systems to issue chip cards. Instead, PCI came up with an incentive-based program they called the "Liability Shift". They picked a date and told merchants and banks to be compliant with the new rules by that date, or they place themselves at serious financial risk.
What is the Liability Shift? In October of 2015, the PCI implemented new rules on who was responsible for fraud. All fraud committed on a stolen card is now the responsibility of "the weakest link" in the security chain. ALL fraud.
Weak links are determined by the security at each point in the card acceptance chain. Chip cards are more secure than mag stripe cards. Chip terminals are more secure than mag stripe terminals. So if a bank issues you a mag stripe card and it gets skimmed at a retailer that has a chip reader, the bank is liable for all the fraud committed with that card. If the bank issues a chip card, and it's skimmed at a store that doesn't have a chip reader, the store is liable. If a store has a chip card terminal, but lets their customers swipe their cards, they are still weak. A web payment page that doesn't take CVV2 numbers is asking for trouble. A web site that stores CVV2 numbers (a total violation of the PCI Data Security Standard, PCI DSS) that gets breached could leak thousands of accounts. A payment processor handles cards from thousands of merchants, and could leak millions of accounts.
The reason this should be very scary is that PCI means ALL FRAUD committed with a stolen card number becomes the liability of the weak link. Did the thief buy a new Ferrari with the stolen credit card? If your store or your bank or your site was determined to be the weakest link, you pay for the Ferrari. A breach anywhere, such as a few cards stolen from a deluxe hair salon that caters to millionaires that take cards with high dollar credit limits, could easily bankrupt the victim.
Now, on to gas pump skimmers. Card readers are built into the gas pumps, and you can't just pick up an old pump and replace it (like you could with a cash register.) Gas pumps are far more expensive to retrofit with chip readers than regular cash registers, and there are a huge number of pumps deployed around the country. So the PCI has deferred the liability shift for gas pumps to 2020. But it's coming.
Even with all this incentive, US businesses have still been incredibly slow to convert over to chip readers. Less than half of the retailers take chip cards. After their initial reluctance, US banks have embraced chip cards. Banks understand the risks much better than the merchants. But bankers have failed at convincing their clients to convert their cash registers.
There's far more going on here, of course; so if you have questions or corrections, feel free to post them as replies to this comment. But I hope this intro helps people better understand who ends up paying for the fraud.