Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security

Hidden Cam Above Bluetooth Pump Skimmer (krebsonsecurity.com) 113

Brian Krebs: Tiny hidden spy cameras are a common sight at ATMs that have been tampered with by crooks who specialize in retrofitting the machines with card skimmers. But until this past week I'd never heard of hidden cameras being used at gas pumps in tandem with Bluetooth-based card skimming devices. Apparently, I'm not alone. "I believe this is the first time I've seen a camera on a gas pump with a Bluetooth card skimmer," said Detective Matt Jogodka of the Las Vegas Police Department, referring to the compromised fuel pump pictured here.

Image.

It may be difficult to tell, but the horizontal bar across the top of the machine (just above the 'This Sale $' indicator) contains a hidden pinhole camera angled so as to record debit card users entering their PIN.

This discussion has been archived. No new comments can be posted.

Hidden Cam Above Bluetooth Pump Skimmer

Comments Filter:
  • Use better tech? (Score:5, Insightful)

    by sectokia ( 3999401 ) on Wednesday November 27, 2019 @04:29PM (#59463960)
    Chip and pin? Paywave? Even if you record the comms on those you canâ(TM)t replay it because of the challenge cycle. Magnetic and pin is beyond stupid.
    • Re:Use better tech? (Score:5, Interesting)

      by fahrbot-bot ( 874524 ) on Wednesday November 27, 2019 @04:44PM (#59464010)
      From TFS:

      ... camera angled so as to record debit card users entering their PIN.

      Any type credit card would be better than a debit card, because (a) your bank account is isolated from the card, (b) you get a 30-day float on your money, (c) the dispute process doesn't involve asking for your missing money back.

      Seriously, if you have a credit card, there's *no* reason to use a debit card. I know some banks issue combined ATM/Debit cards, but you can usually get an ATM-only card. If not, threaten to switch banks. That worked for me. A few years ago my bank said they were "upgrading" everyone to combined ATM/Debit cards. I complained to my branch manager who suggested that I don't activate the card and it would still work as an ATM card. This worked, but I kept getting "reminder" letters to activate my card. Finally I wrote to the president of SunTrust, explained my reasons for not wanting or needing a debit card and threatened to move my accounts elsewhere if I couldn't get an ATM only card.

      A week later I got a call from his assistant saying I wasn't the only one unhappy with the new policy and they would issue ATM-only cards to customers requesting them. I got mine a few days later. Apparently, when they switched vendors from VISA to Mastercard they tried to save a few bucks and only provide credit and debit cards. Now they also provide ATM-only cards...

      • by jabuzz ( 182671 )

        I agree entirely with points a,b and c, which is why I exclusively use a credit card.

        However I rather than making a fuss I exclusively use my debit card for getting cash out of an ATM. I am not sure any UK banks still issue ATM only cards. Besides which till a couple of years ago vendors could charge an extra fee for using a credit card so I very occasionally used my debit card. Not anymore and the card has since been replaced in the normal cycle.

        • However I rather than making a fuss I exclusively use my debit card for getting cash out of an ATM.

          That sounds like a good personal policy and one I'll adopt if ever given no alternative. The only problem would be if your card was lost/stolen and used before you noticed and called your bank. Many places will process transactions on low-dollar amounts w/o a pin/signature -- I know this is true for credit cards (at least here in the US), please correct me if otherwise for debit cards, I've never used one :-).

          • by shon ( 20200 )

            Skimmers and the like can target ATMs, no? So maybe a false sense of security to only use debit/ATM cards at ATMs.

        • However I rather than making a fuss I exclusively use my debit card for getting cash out of an ATM.

          My bank's ATMs (Chase) have the option of logging in with Apple Pay as an alternative to chip card. Any skimmer would then never get your card number even if it did have a camera positioned to see you enter your PIN, because it's an encrypted token.

          • Since newer Exxon fuel pumps offer Samsung Pay/GPay/Apple Pay, I just use one of those payment methods.

            It would be nice if PayPal, or some provider could make some universal payment method that works across all platforms. In fact, any SIM card made after 2014 has "Softcard" functionality in it, which means that the banking transactions are done in the SIM itself, where the user can authenticate with a PIN, and never on the phone.

            Going with NFC based payments completely cuts cameras and skimmers out of the

      • I know this. You know this. But they can't be told no matter what.

      • Comment removed based on user account deletion
        • by cusco ( 717999 )

          It's 10 cents a gallon in our area, so only 2+ percent.

          I just avoid the issue entirely and use cash. With cash I can withdraw X-amount of money on Friday and on Thursday I'll know how much money I've spent during the week. All the people that I know who have financial problems almost exclusively use credit/debit cards, and have no idea why they're over spending. If you ask them to estimate how much they spend in a week they will always underestimate the amount.

          Now I'm finding some cafes and restaurants w

          • Now I'm finding some cafes and restaurants which don't take cash any longer, which means they're not going to get my business.

            I haven't run into this yet but the moment I do, I'm outta there. I will not do business with a physical, brick & mortar store that takes only credit cards.

          • Now I'm finding some cafes and restaurants which don't take cash any longer, which means they're not going to get my business.

            Because "they" really care about tracking you stopping for breakfast at Denny's. I bow down to thee, O lord amd master.

          • by orlanz ( 882574 )

            The problem those people have isn't the credit card, but the inability to manage their monies. Or more precisely managing loans (0% 30-day loan is exactly what a CC is). Such folks should be extra careful or avoid taking a car, house, or bank loan too.

            You can go for decades managing your money just like you are but without having cash in your wallet. I usually carry just $20 in my wallet, refilling when below $10. I _may_ go to an ATM about once every 3 months...

        • by orlanz ( 882574 )

          I have rarely had to do this. I have gotten gas all over the US over the last 20 years and never used anything but credit cards. All along the east, mid, and west.
          Thus far, I have been able to avoid cash discount stations by going to other stations. Usually lowest cost station via gas buddy and they usually have a good sized store attached. A store means they aren't making money on the gas.

          Its a little hard in remote areas or places that have just one station every 30 mintues or so, but not impo

        • by AmiMoJo ( 196126 )

          There used to be more credit card charges in Europe too, but the EU decided that the banks could only charge a "reasonable fee" and not make profit that way. Same for the vendors of course. Other rules required vendors to be up front about card fees, not wait until you get to the checkout to spring them on you.

          So now most don't charge any fees, it's not worth it for 30 cents or something.

          There are currently multiple court cases seeking refunds for past over-charging. It's worth many many billions of Euros b

      • Seriously, if you have a credit card, there's *no* reason to use a debit card.

        Spoken like a true American. a, b, and c, are not relevant issues for debit transactions in much of the world, well c is but it is consumer protected by law in most countries. Likewise debit cards and numbers are one way transactions in the world that can't be skimmed, which is why this practice is most common in the USA.

        Credit cards are horrible. Someone can memorize a number and charge my account. On the flip side you can take pictures of my debit card from every angle and all you can do with the resultin

        • by quetwo ( 1203948 )

          In the US, Debit cards still have a Visa/Mastercard logo, and are run like credit cards. Only difference is that devices that support a PIN will require a PIN if you use a debit, where they will either require a signature or nothing if it's a credit card. You can grab the CC number, expiration date and CCV from a US Debit card and run up the bill like anything else. Pretty much all credit and debit cards that have a chip can use that, but we are still in a mode where if the chip is deemed broken (aka not

          • Comment removed based on user account deletion
          • by Megane ( 129182 )
            Credit cards used at the pump these days usually request that you enter your billing ZIP Code. I think the idea is that a skimmer (whether pump or restaurant or whatever) would not have access to your billing information. Of course a camera would catch this too.
          • You can grab the CC number, expiration date and CCV from a US Debit card and run up the bill like anything else.

            Exactly. Completely out dating banking system, like I said.

      • by gl4ss ( 559668 )

        well, for many banks the atm card system works purely via the debit card mechanism.

        also what they probably ACTUALLY mean is "debit card users entering their pin AND credit card users entering their pin AND for copying the verficiation code from the credit card.

        and look in some regions the debit cards can not be used without the chip at all but pretty much _all_ credit cards (visa/master) can be put charges on with just the number string and most of them even if they're chipped will comply with a legacy numb

      • by bn-7bc ( 909819 )
        Well personally I lije using mony that are mine as much as possibke, nodebt unles it is necesary. I know this might be stupid, but onlyusing my debit card forces a bit of diciplin, yes I have a ccas well for the simplevreason that not all places takevisa,so havng mc as well is handy. I’m one of those oeople that don’t carry cash, for one simple reason, U’m not used to using it,and all places i dubuisness take cards anywayso why hassle with lose change and the like
    • Re:Use better tech? (Score:5, Interesting)

      by Dallas May ( 4891515 ) on Wednesday November 27, 2019 @05:10PM (#59464084)

      Gas stations have had a 5 year exemption from the chip card requirements. But that extension ends in 2020. You will start to see dispensers be replaced at basically every gas station very soon.

      • The local Kroger gas station I use sometimes upgraded over the summer to chip/pin readers at the pumps

      • for years I saw americans struggling to pay for things in asia... most places have paywave and alipay / wechat the shop assistants do not know how to deal with magnetic stripes

        we are done with this craziness... the sooner the USA financial system gets protected from this kind of scam the better

        • by quenda ( 644621 )

          Seriously? Americans still use magnetic stripes on their credit/debit cards?

          At least you can pay at the pump. In Australia, we are forced to go inside to pay, so they can make more money selling junk food and cigarettes.

          • Yes, because we adopted them early and they are the dominant form of payment. Chip systems are what you find in most retail stores, but they are chip-and-signature, not chip-and-PIN. There are downsides to being the first to adopt, and this is one of them. Replacing the entire infrastructure is not cheap. And, as you point out, we have pay-at-the-pump. When the US uses unusual or outdated tech, it's almost always because of something like this.
        • by orlanz ( 882574 )

          But why? The scams aren't worth the investment... The ROI on terminal & POS upgrades is in the years and that's only because more liability has shifted from the banks to the retailers. I don't mind the new POS because almost all come with NFC... which is faster than swiping :). But I can understand why others have not changed... they don't see the fraud to justify the investment.

        • by quetwo ( 1203948 )

          About 8 years ago, I was in a grocery store in Germany (I currently live in the US), and handed the cashier my credit card that didn't have a chip. My bank didn't support chips yet. First card they had ever seen that required a swipe. The cashier ended up calling over the manager to figure it out (their register did have a swipe thing, but they never noticed it). After the swipe it printed out a second receipt with a signature line -- also something they had never seen.

          Luckily the US has caught up by th

          • by jonwil ( 467024 )

            What I don't get is why when the US moved to chip cards, they went for chip-and-signature rather than the far better chip-and-pin solution that most countries adopted.
            Are the credit card companies (Visa, MasterCard, American Express, Discover etc) scared that forcing people to remember and input a pin every time might make people less likely to use card over cash? Are there situations where installing a pin pad and requiring people to use the pin pad is too difficult or expensive?

            Are the banks opposed to ch

            • Are the credit card companies (Visa, MasterCard, American Express, Discover etc) scared that forcing people to remember and input a pin every time might make people less likely to use card over cash?

              Yes.

              Are there situations where installing a pin pad and requiring people to use the pin pad is too difficult or expensive?

              No.

              Are the banks opposed to chip-and-pin due to support costs involved when people forget their pin or need to change it for some reason?

              No, they already do it for debit, so it's no big deal.

    • Magnetic and pin is beyond stupid.

      No it isn't. You only think it is because you assume the people making the decisions care about the people suffering the consequences

    • In China they use single-use qr-codes on phones which are scanned from your phone.

      • by Megane ( 129182 )
        That's nice. So what about people who don't carry a phone around?
        • by dwater ( 72834 )

          They don't make a purchase. Seriously. There are coffee shops here (luckin) that do not take any payments apart from qr-codes.
          So prolific are phones that it is a viable business model. It's a little bit irritating for foreigners, but it is reasonably easy to ask a friend to buy one for you and you take a photo of their qr-code, which you scan at the shop.

          I see that Wikipedia has an error:
          https://en.wikipedia.org/wiki/... [wikipedia.org]
          "Purchases can only be made through the Luckin mobile application."
          You can use WeChat to

          • That's not to say that all places are like that... far from it. Most take wechat or alipay qr-codes codes, or cash, or perhaps even union pay credit cards.

    • Better tech? Maybe. Better consumer protections will fix this properly though.

      Here in Europeland, if you use a pump like that one (unknowingly), and your card gets skimmed - You're not liable for the lost money. Sure, your bank might try it on, but it doesn't detract from the fact that you're not liable. Since banks don't like losing money, they find ways to solve the problem (hence, we have chip&pin, contactless, etc - and the mag stripe is all but a relic of the past for years now)

      In your world, no on

  • It may be difficult to tell

    No, that piece looks painfully out of place to me.

    • I'd bet money in your ordinary business you'd never notice it. Especially from above looking down.

    • You're in a rush to get some place, you wouldn't notice it. Even if you did you'd think one of two things (a) "looks very dodgy, think I'll leave it and try another garage" or more likely what most would think (b) "Oh the garage has installed security cameras on their pumps, OK.".

      Take a quick look and leave if anything doesn't look quite right, never take any chances, especially if the camera is being used to see your face and they're waiting around the corner to rob you after you take the money out.

  • Simple fix (Score:5, Funny)

    by jimbrooking ( 1909170 ) on Wednesday November 27, 2019 @04:41PM (#59463994)
    Buy a Tesla !
    • Buy a Tesla !

      I know this is funny... But it couldn't be more true.

      • Buy a Tesla !

        I know this is funny... But it couldn't be more true.

        Time to start skimming at charging stations.

        • Time to start skimming at charging stations.

          That's not how they work. They read the vehicle's VIN number over the charge cable and charge the card on file.

          • by AmiMoJo ( 196126 )

            Only at Tesla ones, and that might have to change soon.

            The EU is mandating that charger accept card payments. No having to subscribe to multiple networks, carry 20 different cards etc. The good networks already do that but soon all will have too.

            Tesla is arguing that they are exempt because they are not offering public charging, it's for their customers only. But they also want the public charging subsidies so will have to decide if they want to open up to everyone or forego that. In some countries they hav

    • Just don't use an atm to get the cash to pay for it.

    • That's true, then you won't have any money for the scammers to steal

  • how is this even news?

  • It seems to me that catching them would be pretty easy.

    Just sit in the parking lot with a bluetooth scanner and wait for the device to start transmitting. Nail whoever just pulled in the parking lot. It's not like you can access this thing from miles away.

    • by PPH ( 736903 )

      How many pumps does your local station have? And on a busy day, which car filling up also has someone sitting in it downloading the day's catch?

      If you can see the BlueTooth activity, perhaps the thing to do is to have an attendant periodically walk by the pumps, looking for one that pings the scanner. Which is something an unhacked pump isn't likely to do.

    • by AHuxley ( 892839 )
      But the police would need tech to do that and spending on new tech for the police is bad for city politics ...
      • by cusco ( 717999 )

        It would be pointless as well, since unless the theft rises to the level of a felony the police won't even bother to investigate. They'll tell you that right out.

      • That's why every pump needs a free Ring skimmer detection camera!
    • by Agripa ( 139780 )

      It seems to me that catching them would be pretty easy.

      Just sit in the parking lot with a bluetooth scanner and wait for the device to start transmitting. Nail whoever just pulled in the parking lot. It's not like you can access this thing from miles away.

      If they are technically competent, then they can access it from across the street.

  • by Dan East ( 318230 ) on Wednesday November 27, 2019 @04:44PM (#59464012) Journal

    We live in a world where technology is cheap, and prototyping and building your own custom devices is nearly as easy as snapping Legos together. I dabble in various microcontrollers, using mbed.com's web-based IDE to compiled and build binaries that can be directly flashed onto various devices. Heck, for a little higher cost per device you can just use a Raspberry Pi and and develop right on the device itself. It should be possible for any person with reasonable technical prowess to order a Raspberry Pi, magnetic strip reader, and a compatible camera, and put something like this together with only the most basic software glue holding it all together.

    • by sjames ( 1099 )

      This has a lot to do with it. There are too many cases where the "security" is based on the assumption that a device like this would require designing and fabricating a custom board and that anyone who could do that would make more money in a legitimate job.

      These days, that's a terrible assumption.

  • by smooth wombat ( 796938 ) on Wednesday November 27, 2019 @04:49PM (#59464024) Journal

    Paying cash once again pays off. Don't have to worry about anyone getting your card information and having access to your entire account.

    Like a light switch, there's a reason cash still exists. It's because it's simple and it works.

    • Paying cash once again pays off. Don't have to worry about anyone getting your card information and having access to your entire account.

      Like a light switch, there's a reason cash still exists. It's because it's simple and it works.

      yeah, because no one's counter-fitting it by the dump truck loads. Oh... wait...

    • You just have to worry about physical theft.

      And money once stolen is gone if it's spent. If I get skimmed, and can prove it, it's the responsibility of the credit card company / gas station.

      • There is a limit to what cash someone can physically steal from me - typically $20-30. If someone gets my credit card details they could run up $2000 and I'd probably not notice until the next monthly statement. If they got my debit card details they could empty my account and ditto.

        Actually I carry all types with me and I suck up the risk, but I'm just saying.
        • typically $20-30.

          So do you have a stack of money at home than you replenish every day? Do you visit the ATM every day for $20?

          And good luck doing anything with that anywhere. You wouldn't even be able to top off your tank with that amount.

          If someone gets my credit card details they could run up $2000

          And you still aren't "out" that money. The $2000 exists in a database somewhere. Gas stations asked to be exempt from chips, they can pay for any thefts. For idiots using debit cards, that's just extending protections legally or better educating people. (The latter is near impossible).

        • If someone gets my credit card details they could run up $2000 and I'd probably not notice until the next monthly statement.

          You should be choosing to be alerted about large purchases in your preferred way. Even if you don't so choose, you're bound to get a call from the credit card issuer about the unusual activity.

          And if you don't, 30 days is still soon enough to do a chargeback. If you treat your wallet with the same negligence and don't notice that you've been pickpocketed for 30 days, it'll be a bit lat

      • by ve3oat ( 884827 )
        I almost always pay by cash, and yet my credit card has been compromised twice by skimmers, once in France and once in the USA. Fortunately my cc company stopped both attempts so I lost nothing. But I have never been physically robbed of my cash! Guess which of cash or credit card I consider to be most vulnerable?

        I continue to pay by cash at almost every opportunity.
      • You just have to worry about physical theft.

        And loss. If you lose your wallet/purse, consider any cash gone. Cards you just cancel.

    • Re: (Score:3, Insightful)

      by linuxguy ( 98493 )

      "Paying cash once again pays off"

      How did this foolish comment get 5 starts. I guess this is Slashdot, full of old geezers. Carrying around cash is stupid.

      I pay with a credit card. If there is a charge on there that I did not authorize, I don't have to pay for it.

      Carrying cash means making frequent trips to ATM/bank. And then figuring out what to do with the loose change. No. Been there. Done that. Not doing it again. I pay with credit cards that give some percentage back. Sure, I carry some old fa

      • " full of old geezers " && Slashdot ID: 98493 = Hi pot, I'm kettle. :D

        On a serious note, carrying cash around is anything but stupid.

        Ever go to pay with your card and they tell you " Sorry, our computers are down. . . cash only. "
        When / if the card is compromised, you get to wait for a new one, then change all the auto-billing that is linked to it. ( Pain in the ass )
        When you go to buy gas and the cash price is X, but the super-extra-fine-print credit card price is X + Y.
        Big Business has enough o

        • Ever go to pay with your card and they tell you " Sorry, our computers are down. . . cash only. "

          Yup, and when I answered "Sorry, I don't carry cash", I scored some free food. Also makes a great excuse to give the panhandlers outside of Walmart asking for your change - "Sorry, don't carry cash." I've been through several hurricanes and never had a problem using my cards afterwards, either. Seems the payment processing networks are a lot more resilient than people are inclined to assume.

          Cash is for buying shit on Craigslist, paying kids to cut your grass, and putting a surprise inside birthday/Christ

          • by orlanz ( 882574 )

            I think the pay by watch/phone QR/*Pay is the change that has me generationally left behind. Apps & NFC are fine... even finger based auth. Otherwise, it just feels unnatural to hold my watch & phone up to the reader. And about 1/4 of the time, that store has either turned off or doesn't support that mode... which has me a little embarrassed. I feel like an old person searching in their purse for the exact change.

            Maybe as the terminals become more standard, I may feel fine not reaching for my CC

      • by cusco ( 717999 )

        full of old geezers

        Says the guy with the 5-digit ID . . . :-)

        Paying with cash is the only way that I can maintain a budget. I take X-amount out on Friday and on Thursday I know exactly how much I've spent over the past week. If I'm paying with a card I have no clue how much I've spent after a couple of days. Everyone that I know who has financial problems use only credit/debit cards, ask them how much they've spent over the past week and they will **always** underestimate the amount.

        • by 6Yankee ( 597075 )

          When I was a student, I had trouble budgeting across a monthly wage and a per-semester grant, so I set up a second account (which at my bank was free) with only an ATM card. I'd pay myself from the main account once a week by standing order. I think I was living on £50/week, but I set it up to pay myself £52.50. That way, I had an extra £10 for treats every fourth week. The card for the main account was left in my desk drawer in a sealed envelope with NO! written on it.

          I

        • Comment removed based on user account deletion
      • "Carrying around cash is stupid.
        I pay with a credit card. If there is a charge on there that I did not authorize, I don't have to pay for it.
        Carrying cash means making frequent trips to ATM/bank. "

        DOH! How is there going to be a charge on your cash that you don't authorize dipshit? If you work with only cash then you have to make trips somewhere, but it isn't all or nothing. NOT carrying some cash is stupid. There are times when you can't use your card because systems are down and only cash is accepted. If

      • I pay with a credit card. If there is a charge on there that I did not authorize, I don't have to pay for it.

        Yes you do. The credit card companies have gamed it so merchants bear the cost of fraud. When you dispute a charge, the credit card takes the money back from the merchant. The merchant is out the money and the merchandise, meaning they have paid for the fraud. So the cost of all the credit card chargebacks and disputes gets incorporated by the merchants into the price of all the goods that they

        • by orlanz ( 882574 )

          Shoplifting costs many times more than CC fraud.
          https://www.statista.com/chart... [statista.com]
          Like 48billion vs 8billion. Retails have bigger things to worry about... like employee theft or supplier fraud.

          There was a ruling in Jan 2013 that allowed any retailer to pass on CC fees. And it was always legal to provide cash discounts. Large retailers don't because its not worth the additional costs of managing cash running around.

        • Comment removed based on user account deletion
      • by mjwx ( 966435 )

        How did this foolish comment get 5 stars... Actually how did it get modded up at all.

        Anyone who uses a credit card exclusively is an absolute idiot. Why, because you're the ones driving prices up. When you use a credit card, banks take a chunk of the transactions for themselves, this can be up to as much as 5% for higher end cards (and I'm not including the costs of terminal rental, et al... which are higher than the costs of dealing with cash).

        Also, I know a lot of people who never received a full reimburs

      • by orlanz ( 882574 )

        I am the same as you. I think it is a combination of generational and financial education thing.

        I have been in a few workshops where this question came up and the youngest generation in the group _totalled_ less wallet cash than the highest single in the oldest gen. At the same time, that group could easily buy a loaded BMW with their combined credit. The only exceptions were the ones who were too young to have credit or messed up their credit in college or didn't feel comfortable having access to hundre

    • Paying cash once again pays off. Don't have to worry about anyone getting your card information and having access to your entire account.

      Like a light switch, there's a reason cash still exists. It's because it's simple and it works.

      As someone else mentioned, you have to worry about theft. If you get robbed, there's no recourse to recovering the stolen money. You also have to worry about running out of cash and having to find an ATM. Then, you're out of luck if you accept a counterfeit bill. You also have to get change if you don't have the right type of bills. Cash is also full of bacteria; there's a reason to avoid handling it around food.

    • Erm, did you get that card out of another machine known as an "ATM"? Are you sure it was skimmer-free?

      You'd get around that problem by physically going into your credit union, though. I'm just trolling a little. Your point is well made.
    • Paying cash once again pays off. Don't have to worry about anyone getting your card information and having access to your entire account.

      Or just join a country with a 21st century banking system. Card information? You can happily take a photo of my card if you want to, the only thing you can do is send me money with that information.

    • by AmiMoJo ( 196126 )

      Or, you know, just cover the PIN pad with your hand while entering your code, like they tell you to.

      I remember when Chip and PIN first came to Japan. One shop assistant put /his/ hand over the pad and then turned his back on me. It took me a moment to realize he was protecting my PIN for me. On the other hand if the item is less than about 3000 yen they often just put the transaction through without any PIN or signature.

  • I’m surprised Krebs hasn’t heard of this. Over here skimming was rather common when we still used magstripes, and on all manner of devices. Payment terminals at gas pumps, ATMs, the machines used to top up public transport cards, vending machines... often quite cleverly hidden. But easily defeated by shielding the keypad with your free hand or wallet. A good habit to have in any case, it’s not uncommon for thieves to shoulder surf your PIN, then rob you after you leave the store. Most peop
  • A large part of the problem is that some gas pump designs make it easy to install skimmers. Gas pumps have an opening to replace the paper for the receipt printer and, on some (typically older) pumps, the card reader electronics can be accessed via this opening. Because replacing the paper is a task that needs to be performed frequently, opening up the paper access isn't difficult.

    Around here, Chevron is the worst offender for operating this type of pump.

    Some years ago, my credit card was compromised too fr

    • I suspect a lot of ATMs and gas pumps are designed as cheap as possible and corners have been cut, Tabs where security bolts or even welds should have been used, plastic for the bezels instead of metal.

      I've seen a few Youtube videos where a thief was
      able to rip the flimsy top of the ATM off with ease, pouring all of the electronics out on the floor.

      In one video, the thief reached down deep into the guts
      of the machine, and pulled out what appeared to be a
      memory chip or a laptop type h

  • by TigerPlish ( 174064 ) on Wednesday November 27, 2019 @05:36PM (#59464150)

    This is why I stick to Mobil with Speedpass app, paid through Apple Pay: They don't get to see my number or PIN, *at all*.

    No Mobil? No Apple Pay? No business. If it's a dire emergency, if my car's running on fumes, then I may use that emergency $50 I keep stashed away in my wallet.

    I live in the capital of skimmers and they're not just in gas stations, they're in restaurants too -- always pay at the cashier, do not hand your card over to the server.

    But more and more I rely on apple pay or cold hard cash.

  • Is this a new thing or has it happened before?

    • Happened on the slashdot cybertwuck announcement a few days back, so it's at least the second time - funny that the first was pictures of an electric truck and the second is a picture of a gas pump.

      Honestly though I hope there will be an option to disable them (or is there?), Slashdot don't change from text only :(
  • Major issue (Score:5, Insightful)

    by JustAnotherOldGuy ( 4145623 ) on Wednesday November 27, 2019 @08:00PM (#59464682) Journal

    "Whoever hacked this fuel pump was able to get inside the machine and install a Bluetooth-based circuit board that connects to the power and can transmit stolen card data wirelessly."

    So it would seem that either gas pumps are relatively easy to pick, open, and work on without being noticed, OR someone had help from inside, i.e. someone with a key.

    • Not all stations are open 24h or have 24h video surveillance, so provided there is no visible damage when staff arrive to open up there would be no compulsion to carefully check every pump for cleverly hidden extra devices.

      As an example of a similar hack a while back, a team out of Vancouver stole a number of POS card reader units from Petro Canada stations in that city. They took them & fitted wireless MITM hardware, then went on a road trip to Ontario where they operated as a team to distract cashi
  • for even making it possible to conduct transactions without a chip or a virtual number. Then they have the gall to take a month to fix the illicit transactions. Welcome to the United Corporations of America.
  • Folks:

    Normally I don't drive; I don't have a car.

    For those special trips where I use a car, I will go to a bank with a cash machine inside it and pull out enough cash for necessary gas for my trip.

    I put that in my shirt pocket so that it's easy to reach, not my trousers pockets.

    The debit card stays at home for the trip.

    I have a low limit credit card (not my normal credit card). I take that. I leave all other cards at home.

    At the station, I go to the story/box-office and give the cashier $40 in t

  • They've been using pinhole cameras with ATM machines for years. The only news here is that it took them this long to use this method with gas pump CC skimmers.

  • The only remedy is to make the human mind be able to store thousands of different passwords that look like 7656-(0*##^_-A-X and recall with complete precision.

    And forced frequent password changes, mandatory alphanumeric/symbol passwords don't do shit except piss people off and cause them to game the system so they only have to use a very minute variation of the same password everywhere. Password 'wallets' are still awkward to use, and brings their own set of security problems. Same with biometrics.

Top Ten Things Overheard At The ANSI C Draft Committee Meetings: (10) Sorry, but that's too useful.

Working...