Krebs on Security

Thieves recently attached bank card skimmers to gas pumps at more than 30 service stations along several major highways in and around Denver, Colorado, the latest area to be hit by a scam that allows crooks to siphon credit and debit card account information from motorists filling up their tanks.

Forced to re-issue an unusually high number of bank cards due to fraudulent charges on the accounts, a regional bank serving Colorado and surrounding states recently began searching for commonalities among the victimized accounts. The financial institution, which shared information with KrebsOnSecurity.com on the condition that it not be named, found that virtually all of the compromised cardholders had purchased gas from a string of filling stations along or not far from Interstate 25, a major North-South highway that runs through the heart of Denver.

Several Valero stations along the I-25 corridor reached by phone acknowledged being visited over the past week by local police and U.S. Secret Service agents searching for skimmer devices. The stations declined to comment on the record, but said investigators left a bulletin stating that stations in the area had been targeted and urging them to be on the lookout for suspicious activity around the pumps.

Mark Gallick, a Secret Service agent with the Denver field office, confirmed that a bulletin on skimmers was circulating among gas stations in the area, but refused to comment further.

Similar attacks on gas station pumps recently have hit other parts of the country: Police in Arizona also are dealing with a spike in reports about skimmers showing up at gas pumps, prompting Gov. Janice Brewer this month to urge the Arizona Department of Weights and Measures to increase their inspection efforts in looking for skimmers at gas stations.

Bluetooth-enabled gas pump skimmer. Photo: Alachua County, Fla. Sheriff's Office

Bluetooth based wireless skimmers have been found attached to a slew of gas station pumps throughout the Southeast, particularly in Florida. Wireless skimmers allow thieves to pull up to the compromised station and download stolen card data with a laptop while sitting in their car. Many wireless skimmers run on rechargeable batteries, but skimmers attached to the insides of a gas pump can easily be made to draw on the pump’s power source in order to continue stealing card data indefinitely.

“Our device is not the traditional skimmer but rather a Bluetooth enabled equivalent of a thumb drive programmed to capture the data as it was transmitted from point A to point B inside the gas pump itself,” said Lt. Stephen Maynard, the public information officer for the Alachua County, Fla. Sheriff’s Office, which dealt with skimmer compromised pumps earlier this year.

The gas pumps compromised in the Denver-area attacks showed no outward signs of having been tampered with or altered, according to several sources. My source at the bank said all of the pumps in question contained a device on the inside of the pumps designed to record data stored on the back of cards inserted into the compromised pumps, but he wasn’t sure whether the skimmers were designed to transmit the stolen data wirelessly.

Continue reading →