July 20, 2010

Thieves recently attached bank card skimmers to gas pumps at more than 30 service stations along several major highways in and around Denver, Colorado, the latest area to be hit by a scam that allows crooks to siphon credit and debit card account information from motorists filling up their tanks.

Forced to re-issue an unusually high number of bank cards due to fraudulent charges on the accounts, a regional bank serving Colorado and surrounding states recently began searching for commonalities among the victimized accounts. The financial institution, which shared information with KrebsOnSecurity.com on the condition that it not be named, found that virtually all of the compromised cardholders had purchased gas from a string of filling stations along or not far from Interstate 25, a major North-South highway that runs through the heart of Denver.

Several Valero stations along the I-25 corridor reached by phone acknowledged being visited over the past week by local police and U.S. Secret Service agents searching for skimmer devices. The stations declined to comment on the record, but said investigators left a bulletin stating that stations in the area had been targeted and urging them to be on the lookout for suspicious activity around the pumps.

Mark Gallick, a Secret Service agent with the Denver field office, confirmed that a bulletin on skimmers was circulating among gas stations in the area, but refused to comment further.

Similar attacks on gas station pumps recently have hit other parts of the country: Police in Arizona also are dealing with a spike in reports about skimmers showing up at gas pumps, prompting Gov. Janice Brewer this month to urge the Arizona Department of Weights and Measures to increase their inspection efforts in looking for skimmers at gas stations.

Bluetooth-enabled gas pump skimmer. Photo: Alachua County, Fla. Sheriff’s Office

Bluetooth-based wireless skimmers have been found attached to a slew of gas station pumps throughout the Southeast, particularly in Florida. Wireless skimmers allow thieves to pull up to the compromised station and download stolen card data with a laptop while sitting in their car. Many wireless skimmers run on rechargeable batteries, but skimmers attached to the insides of a gas pump can easily be made to draw on the pump’s power source in order to continue stealing card data indefinitely.

“Our device is not the traditional skimmer but rather a Bluetooth enabled equivalent of a thumb drive programmed to capture the data as it was transmitted from point A to point B inside the gas pump itself,” said Lt. Stephen Maynard, the public information officer for the Alachua County, Fla. Sheriff’s Office, which dealt with skimmer-compromised pumps earlier this year.

The gas pumps compromised in the Denver-area attacks showed no outward signs of having been tampered with or altered, according to several sources. My source at the bank said all of the pumps in question contained a device on the inside of the pumps designed to record data stored on the back of cards inserted into the compromised pumps, but he wasn’t sure whether the skimmers were designed to transmit the stolen data wirelessly.

My source said the hacked pumps in Denver tended to be on the outside edges of the gas station, those hardest to see by clerks in the station. In a wrinkle that could be part of an effort to drive customers to the compromised pumps, the source said, customer service representatives at the bank also received complaints from victim account holders who reported getting phone calls promising them gift cards if they purchased gas at specific stations in the Denver area.

Gas pump skimmer. Photo: Arizona Dept. of Weights & Measures

“The caller ID on those calls — 727-712-0382 — was a number that probably originated from a Florida provider,” my source said.

Unlike most skimmers affixed to ATMs — which can often be spotted because they rely on fraud devices that are attached to the exterior of the cash machines — gas station skimmers are planted after the thieves have gained access to the interior of the pumps. As a result, there are rarely any signs that a gas pump has been compromised. However, consumers can and should keep a close eye on their monthly bank statements and report any unauthorized charges immediately.

The Truth In Lending Act limits consumer liability to $50.00 once a credit card is reported lost or stolen, although many card issuers will waive that amount as well. Fraudulent debit card charges are a different story: The Electronic Fund Transfer Act limits liability for unauthorized charges to $50.00, if you notify your financial institution within two business days of discovering that your debit card was “lost or stolen.” If you wait longer, but notify your bank within 60 days of the date your statement is mailed, you may be responsible for up to $500.00. Wait longer than that and you could lose all the money stolen from your account.


Have you seen:

Fun With ATM Skimmers, Part III…According to the European ATM Security Team (EAST), a not-for-profit payment security organization, ATM crimes in Europe jumped 149 percent from 2007 to 2008, and most of that increase has been linked to a dramatic increase in ATM skimming attacks. During 2008, a total of 10,302 skimming incidents were reported in Europe. Below is a short video authorities in Germany released recently showing two men caught on camera there installing a skimmer and a pinhole camera panel above to record PINs.



33 thoughts on “Skimmers Siphoning Card Data at the Pump”

  1. jrj

    Any info on the brand of pumps being targeted? Gilbarco, Wayne, Tokheim, Schlumberger?

    If only one brand, then that might be a clue as to the culprits.

    Also, might be time to install security cams overlooking those outboard pumps.

    1. BrianKrebs Post author

      Nope. My sources said the attacks at least in Denver occurred across multiple types of pumps on pumps in several different station brands — including Conoco and Shell.

  2. Carl

    Brian,
    In a situation where a debit card is in possession of the accountholder, my impression is that the 60-day period for returning debits as unauthorized would apply to all charges – Isn’t that true? Also, most of the card brands require issuers to provide 0-loss guarantees to their customers, so often the bank is eating whatever losses there may be. That is true with Visa Check Cards.

    Thanks for the good information!

    1. BrianKrebs Post author

      I’ll have to research your first question to know for sure, Carl, sorry. As for the 0-loss guarantees, I alluded to that in the last paragraph of my post, where I said many card issuers will waive that $50 amount as well.

    2. Sallaia

      You always should verify with your financial institution, but the 60 day period should be 60 days from when your statement containing the fraudulent transactions. The rules on crediting back fraud losses also pertain mostly to consumer (not business) cards.

      One other thing to note is that credit unions do not always have to play under the same rules as banks do when it comes to fraudulent transactions. (No hate towards the credit unions, I just know from discussing with a friend who worked for one.)

  3. bob bruen

    Most gas stations already have cameras installed to identify drive-offs.

    The caller ID phone number could be anywhere. VOIP phones can use an area code from anywhere. They do not have to use the area code from their physical location.

    –bob

    1. Lo

      Drive offs? There are still parts of the Country that allow folks to pump before paying?

      Or did he mean something else?

      1. Ben

        That is what he meant, and yes, there are still places in the United States where you can pump your gas and then go in and pay.

        1. Tim

          I would further that to say there are MANY places that still allow pumping before paying. Here in Ontario (Canada), that’s the norm. I can’t remember the last time I paid before I pumped, but then, I always use my card at the pump for the electronic record and instant receipt. I can’t imagine paying in cash first for filling a small tank like a motorcycle. What do you choose? $10 or $15? The difference could mean not making it to the next gas station.

  4. Jim

    Within two business days of discovery — when you still have your card, when are you considered to have “discovered” the theft? When you receive your statement? The first time you log into your account after a fraudulent charge posts? The day such a charge posts?

  5. Michael

    The last time I bought gas (off I-25 but not in Denver), an ordinarily-dressed woman in heels went from one not-in-use pump to the next, opened the pump with a key, inspected its guts for several seconds and closed it up. Am sure she was legit management but anyone can open up pumps without attracting undue attention.

  6. Glenn Fleishman

    I see that the law is different for debit cards, but does any institution enforce the $50 or $500 loss against a card holder who had their number fraudulently obtained without their participation, as with a skimmer? Seems like the gas station would be at fault (even though they’re an aggrieved party, too).

  7. katie

    I was hit by this for over $200 and my bank credited it all back. The majority of the charges came from a Quick Trip station then went all over GA it was such a pain. Thieves stink.

  8. JBV

    The safer way to use automatic payment devices is with a credit card. As Brian stated, consumer protection law is more comprehensive and explicit for credit cards than debit cards.

    If you have enough money in your bank account to cover debit card purchases, then you have enough to pay the credit card bill when it comes. To protect yourself even further, it’s probably a good idea to use a credit card issued by a different bank than the one where you keep your money.

    1. Brad

      Sorry –
      Your thoughts on keeping your credit card separate from your debit/checking account – does not hold any merit. They are not attached to each other and are not related in the bank except by name.

  9. JackRussell

    I guess my first question has to do with how the thieves gain access to the insides of the pump. They must have obtained a key from somewhere – I guess the question I have is how universal are the keys? Is there a different key per station? Or a different key per chain? Or is there just one universal key that opens them all?

    1. Lo

      Was thinking the same thing, but came to the conclusion, maybe incorrectly, that security for accessing the insides of these pumps is an after-thought. A combination of manufacturers trying to keep costs down, and not foreseeing someone would figure out how to attach this leech to their gear.

      I bet someone with experience repairing pumps could show you many ways of accessing the inside of these pumps.

    2. Ben

      There are universal keys which are intended for government entities to inspect the pumps, etc. Unfortunately, nothing intended for only one use is ever kept that way, and I imagine you can get a universal pump key pretty easily these days.

      It would make far more sense to restrict access to the insides of the pump to Gas Station managers, in my opinion. Unfortunately, it is not the way it is now. Better to go in and pay, I guess.

  10. JC

    Since this has not been mentioned as a “fix”. Just use Cash. It is accepted everywhere, there is no future bill to pay, and in order to steal it the thief must also be willing to rob you, cowards need not apply.

    1. Jim

      It is NOT accepted everywhere, interestingly enough. There are several stores in my metro area that don’t take cash, including a Costco.

      I have yet to see a gas station that doesn’t, but I honestly haven’t looked.

      (And for the record, I did not rate JC’s comment…)

    2. Matt from CT

      Not all gas stations are attended to accept cash, either.

      Especially in rural areas, where the state laws allow it, they’ll be unstaffed during the wee hours of the morning but still allow pumping fuel to support (especially) commercial and farm users.

      This became more common both as the technology for card reading improved, and environmental regulations made having your own fuel tanks more expensive and greater liability.

  11. lll

    This isn’t much of a problem in Oregon, where there’s no self-serve.

    1. adam

      talk about false sense of security….

      These thieves can target ANY pumps, self-serve or not….it don’t matter….

      And yea I wouldn’t doubt it if the keys were all cut the same across all pumps, after all most of the ones I see are “barrel keys” (i.e.: not easily duplicated….at least not easily by regular consumers, say, at a walmart, hardware chain, etc….).

  12. Pat

    Below are fraudulent charges, I believe the card was stolen as described in your article, from a purchase at a northeast automobile gas chain. The card was only 10 days old. The good thing about my bank is that they can issue replacement cards at any branch. I just used an unused “newer” card at the northeast automobile gas chain yesterday, if I get more fraudulent charges, Danno and I are going to be booking them ( ; ^ ).

    07/19/2010 DEBIT CARD VISA DDA PUR
    407105 HARMONY LIQUORS ORANGE * NJ $13.82

    07/19/2010 DEBIT CARD VISA DDA PUR
    472187 TAYLOR SUPERMARKET ORANGE * NJ $14.25

    07/19/2010 DEBIT CARD VISA DDA PUR
    431605 SHELL OIL 22958551073 NEWARK * NJ $29.16

    07/19/2010 DEBIT CARD VISA DDA PUR
    443565 10 SPOT 35 IRVINGTON * NJ $38.98

    07/16/2010 DEBIT CARD VISA DDA PUR
    473309 POWER GAS EAST ORANGE * NJ $10.00

    07/14/2010 DEBIT CARD VISA DDA PUR
    405523 POPEYES CHICKEN BISCUITS ATLANTIC CITY * NJ $16.56

    1. JBV

      Experience is supposed to be the best teacher. Why are you using a debit card at all, especially at a gas station chain that you know or believe is a target of skimmers?

  13. Brad

    With any organization, you might have to hold their feet to the fire to get them to cough-up on the zero liability as advertised by Visa.

    Debit card fraud is going up and up! Online fraud use is the worst as a lot of merchants use verified by visa – a horrible program that lets the merchants not eat fraud charges – even if the bank calls them the same day and notifies them.

    1. Jane

      It also doesn’t work as advertised. We made a purchase last week online, and NoScript blocked the “Verified by Visa” part from running. Product arrived yesterday. Not sure if that’s an implementation issue or a sign that the whole thing’s just for show.

      1. Beeker

        Actually “Verify by Visa” is just another tool to prevent unauthorized charge when you purchase things online which forced you to input the ID and the password. I have run across that on a few occasions and used it. It is within the responsibility of the merchant to implement that if they choose to do so. Just another layer of security.

        1. Brad

          Actually – Verified by Visa is a horrible tool.
          It simply extends passwords, and if banks were to implement 100% of the functionality of the product with every consumer – the consumers would be a very unhappy lot.

          And the merchant does not have any responsibility. They simply present the box to the consumer. I have never seen a merchant require 100% participation in the product – essentially forcing the consumer to use it – they would lose too many sales and Visa allows the consumer/crook to skip past it and complete the sale.

  14. greg

    I’m wondering, once a POS is confirmed it had been skimmed, are there any financial consequences for the business who operate the POS terminal (like being sued by credit card companies/banks who attempt to recover some of the monies from that business via a lawsuit for negligence, etc.) If banks support (most of) the loss, surely they will pass it (via higher fees and commissions) on us, their customers.

    1. Brad

      That would draw down on the PCI compliance aspect. Tricky subject there. Actually banks take almost 100% of the losses. We certainly do try to pass it on in terms of additional fees although it has been really subtracted from the interchange we receive from the merchants.

      This new interchange bill congress passed is going to be a real game changer for all consumer accounts. Consider that the interchange could drop 30-50% for bank’s income. This will not lower fees for consumers at the merchant level. But it will force banks to make up that lost income somewhere else. Banks have a virtually unlimited liability for debit card losses – it is a very risky product – and when you drop that fee income without dropping the liability – that is a dangerous situation.

  15. JTW

    These devices are likely installed inside the pumps during regular maintenance if not at the factory.
    This has been a problem with card readers in European stores for some time, which now come out of the factories in China complete with skimmers and transmission units built in and preprogrammed to contact specific phone numbers.

    The Bluetooth is a new one for me, and an interesting development.

  16. Jim Mathews

    As a compliance officer for a bank I can tell you that Federal law is what is being discussed. Even credit unions have to abide by this law. However, Colorado has a separate regulation for state chartered banks. Consumers do not have to abide by the 60 day period. They can protest at any time in the future and the Bank must refund funds once they determine the transaction is not legitimate.
    Keep in mind that this whole law is for consumer protection. Businesses are not afforded the same protection and can be held completely liable for these transactions.
