13 Feb 15

Fuel Station Skimmers: Primed at the Pump

I recall the first time I encountered an armed security guard at a local store. I remember feeling a bit concerned about the safety of the place because I made a snap (and correct) assumption that it must have been robbed recently. I get a similar feeling each time I fuel up my car at a filling station and notice the pump and credit card reader festooned with security tape that conjures up images of police tape around a crime scene.

The security tape wrapped around this card reader at a Kangaroo station is intended to communicate that the credit card reader hasn't been altered.

It’s nice to know I’m not the only one who feels this way. A reader named Tyler recently shared the above image, along with his experience.

“I had my first encounter with tape across a gas station’s card reader the other day,” Tyler said. “I must say it led me to believe there was some sort of skimming device installed, as I have never seen this before. Further inspection showed it was actually a real attempt by the gas station to let consumers know if the device has been tampered with.”

Of course, if you merely need to re-affix the tape to something else, that's not a high technical hurdle.

Tyler wanted to know what would prevent a scammer from simply removing the tape from one reader and placing it back on top of a compromised reader? Or, since most people probably wouldn’t know to look for the presence of tape around the card reader, how about just placing the skimming device right on top? I wondered that as well.

The tape carries the bold yet misguided assurance, “securing your identity.” However, I’m guessing this security device is primarily meant to serve as a signal to gas station attendants when and if someone has monkeyed with a pump card reader.

The tape on the reader is intended to protect against pump reader skimmers, like the one pictured below, which sells in underground forums for upwards of USD $2,000 and is designed to be fit directly over top of the readers they have at many ESSO/Exxon fuel pumps.

A gas pump card skimmer marketed and sold in underground forums for more than $2,000.

The seller of a gas pump card skimmer shows off his wares, which he sells for more than $2,000.

Of course, security tape wrapped around a card reader at a gas pump isn’t going to stop most pump skimming attacks, which start when someone with a master key for the pump opens it up and fiddles with the guts of the machine. The crooks figured out a long time ago that only a handful of master keys are needed to open the majority of the gas pumps in use today. So, rather than retrofit each one of these pumps with a more custom and secure locking mechanism, most stations just put security tape on the pump door.

I don’t worry too much about gas pump skimmers; I always use my credit card, and know that I am not liable for unauthorized charges on my card as long as I report it to my bank or credit card company. But I would urge readers to avoid paying at the pump using a debit card. Having your checking account emptied of cash while your bank sorts out the situation can be a huge hassle and create secondary problems (bounced checks, for instance).

68 comments

  1. Politically Jaded

    What are these check things you speak of?

    • I know, right? Still, it always seems that the few check writers left in the world today are always ahead of me in line. What are the odds?

      • Funny thing, many check writers are holding on to the idea that there’s still some sort of float time. Truth is, with the Federal Reserve centralized into one location and back office conversion, float is a thing of the past.

      • The line will get longer as all the charge card users, not just debit card users, have to enter pins.

        Jonathan @nc3mobi

        • It’s not likely that you’ll see large number of PIN-required EMV credit cards issued in the US. There are many reasons (some say excuses) for this, but the clear trend is banks issuing EMV credit cards that do not require a PIN for an on-line transaction.

            • Hello Brian

              I looked again at that blog and it reminded me that I still haven’t found any evidence to back the opinions given in it around the efficacy (or lack of it) of Chip & PIN.

              It’s possible that I am missing something – the figures I rely on are those published by the UK Financial Services(http://www.financialfraudaction.org.uk/download.asp?file=2796)

              These continue to show a significant decrease in both counterfeit cards and lost-and-stolen card fraud after the introduction of Chip & PIN in the UK. This appears directly at odds with the statement made by Conroy (which was not challenged) that “… in the UK, the lost-and-stolen fraud is now back above where was before the migration.”

              Frankly, I am still amazed that the US cannot manage/does not want Chip & PIN but the world is a funny place.

              Keep up the good work.

              Regards

              M

              • Visa, Mastercard, et al. are trying to push a credit card scheme using phones and using GPS to track where purchases are made in the US.

                Obviously, huge privacy and security issues on that one.

                Customer: My Phone-app card account got hacked!
                Visa: Are you sure that wasn’t a virus on your phone?

                Want an Awesome Article Krebs? Quite write-up on the Windows 95-esque security in android and IOS, then add normal cellphone viruses to that, then payment data.

                Magstripe Chargecard relies on obscurity. With every online vendor and merchant using it for tracking of purchases (instead of deleting the data when they no longer need it to fight a charge-back, it becomes a “oh we need big data to make a buck”), that’s where the irresponsibility comes from.

                Chip and PIN relies on PKI, which relies on, again, obscurity. Unless encryption is happening on the chip itself, one of the keys in the pair can be lifted and used in transactions anywhere. The improvement is it is difficult to acquire the hardware necessary to program a chip, problem is all that crap is going to be made in china or in a country where the design documentation exists to exploit it because merchants are going to demand inexpensive hardware.

                Now leasing the equipment, and actively repo’ing and refreshing it, that there might get you something.

                Once it becomes difficult for the thieves favorite targets to get hacked, they’ll find a way around.

                • As with any smart-card chip, the crypto is performed on the chip, including key-pair generation. The private key never leaves the chip. While there may be other flaws in chip-and-X, multiple copies of the card’s private key is not one of them.

          • Since PIN vs signature only matters when your card is physically stolen, and these events are close to 0 in terms of total fraud, I’d say not having PINs is a good thing.

            It is a good thing as people will forget their PIN and to counter will recycle PIN-codes like they do now with passwords. So debit and credit cards all the same PIN as let’s say your phone or security system. That is reality …

            However when you get defrauded by someone who actually uses your PIN, banks are a lot less friendly in refunding money.

            • I would have to disagree Peter. In a Card not present environment, not using the pin might be one thing (and there are other layers added to account for that such as Verified by Visa etc) but in a Card present environment, having a pin makes a lot of sense in relation to added security.

              Let’s face it – most clerks don’t really check signatures and with a duplicated card for example, your card didn’t necessarily have to be stolen, the crooks might have just had you while using your card at an ATM or indeed gas pump. So having just the signatures (that isn’t really checked anyway) means the crook can now use your card details not only in a Card not present environment. Adding the pin reduces that risk greatly as the card can’t be used for payment unless the correct pin has been entered.

        • Most of the time spent at the pump is while the dispenser fills your tank, adding a few seconds at the start of the transaction wouldn’t be a big deal. Many pumps already prompt for zip code, so replacing that with a PIN prompt would net to zero.
          A chip read does take longer than a swipe, but I doubt it will result in lines circling around the block.
          I don’t believe PIN for credit transactions is coming to the US. Or needed. It is significantly more difficult and expensive to counterfeit a chip card compared to a mag stripe, (nearly every hotel in America has a card encoder at the front desk). This is regardless of the cardholder verification method (CVM). As chip cards are deployed, fraud will migrate (as it has in Europe) from card skimming to card-not-present. My expectation is that over time this will result in more rigorous checkout procedures at web merchants.
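The thread above argues about why a skimmed magstripe yields a cloneable card while a skimmed chip transaction does not (the "private key never leaves the chip" and "significantly more difficult to counterfeit a chip card" points). The following is an added illustration, not code from the post or any commenter, and it is a deliberately simplified model rather than real EMV: the chip's per-transaction cryptogram is modelled as an HMAC over the terminal's unpredictable number, the amount and a transaction counter, keyed with a secret that stays inside the `ChipCard` object; real cards use 3DES/AES application cryptograms and RSA for offline data authentication. All class names, the sample PANs and track data are constructed for the example.

```python
"""Toy model: static magstripe data replays; a dynamic chip cryptogram does not.

Added example (not from the post or its commenters). Simplified model, not real
EMV: a per-card secret never leaves ChipCard, and each purchase produces a MAC
over a terminal challenge, the amount and a counter.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class MagstripeCard:
    """Static track data: anything that reads it can reproduce it exactly."""
    track2: str

    def swipe(self) -> str:
        return self.track2


def _transaction_bytes(un: bytes, amount_cents: int, atc: int) -> bytes:
    """Canonical bytes that both card and issuer MAC over."""
    return un + amount_cents.to_bytes(4, "big") + atc.to_bytes(2, "big")


class ChipCard:
    """Chip holding a per-card secret that is used inside the card and never exported."""

    def __init__(self, pan: str, card_key: bytes):
        self.pan = pan
        self._key = card_key  # personalised at issuance; never read out over the wire
        self._atc = 0         # application transaction counter

    def generate_cryptogram(self, unpredictable_number: bytes, amount_cents: int) -> dict:
        self._atc += 1
        msg = _transaction_bytes(unpredictable_number, amount_cents, self._atc)
        mac = hmac.new(self._key, msg, hashlib.sha256).digest()
        return {"pan": self.pan, "atc": self._atc, "amount": amount_cents, "mac": mac}


class Issuer:
    """Issuer side: keeps card keys (think HSM) and authorises transactions."""

    def __init__(self) -> None:
        self._card_keys: dict[str, bytes] = {}
        self._last_atc: dict[str, int] = {}
        self._known_tracks: set[str] = set()

    def issue_chip_card(self, pan: str) -> ChipCard:
        key = secrets.token_bytes(16)  # shared only between issuer and this card
        self._card_keys[pan] = key
        self._last_atc[pan] = 0
        return ChipCard(pan, key)

    def issue_magstripe_card(self, pan: str) -> MagstripeCard:
        track2 = f"{pan}=2012101"  # constructed sample track-2 data
        self._known_tracks.add(track2)
        return MagstripeCard(track2)

    def authorize_magstripe(self, track2: str) -> bool:
        # Static check: the issuer cannot tell the original card from a copy.
        return track2 in self._known_tracks

    def authorize_chip(self, un: bytes, crypto: dict) -> bool:
        key = self._card_keys.get(crypto["pan"])
        if key is None:
            return False
        if crypto["atc"] <= self._last_atc[crypto["pan"]]:
            return False  # counter already seen: replay
        expected = hmac.new(key, _transaction_bytes(un, crypto["amount"], crypto["atc"]),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, crypto["mac"]):
            return False  # cryptogram does not match this challenge/amount/counter
        self._last_atc[crypto["pan"]] = crypto["atc"]
        return True


class Terminal:
    """A pump's card reader, forwarding to the issuer."""

    def __init__(self, issuer: Issuer) -> None:
        self.issuer = issuer

    def chip_challenge(self) -> bytes:
        return secrets.token_bytes(4)  # unpredictable number, fresh per transaction

    def pay_magstripe(self, track2: str) -> bool:
        return self.issuer.authorize_magstripe(track2)

    def pay_chip(self, un: bytes, crypto: dict) -> bool:
        return self.issuer.authorize_chip(un, crypto)


def run_demo() -> dict:
    """Model a passive skimmer that records one purchase of each card type."""
    issuer = Issuer()
    pump = Terminal(issuer)
    results = {}

    # Magstripe: the skimmer copies the static track, and the copy authorises too.
    mag = issuer.issue_magstripe_card("4111111111111111")  # constructed test PAN
    skimmed_track = mag.swipe()
    results["magstripe_genuine"] = pump.pay_magstripe(skimmed_track)
    results["magstripe_clone"] = pump.pay_magstripe(skimmed_track)

    # Chip: the skimmer records the challenge and cryptogram of one purchase.
    chip = issuer.issue_chip_card("4111111111111112")
    un1 = pump.chip_challenge()
    crypto1 = chip.generate_cryptogram(un1, 4500)
    results["chip_genuine"] = pump.pay_chip(un1, crypto1)

    # Replaying the captured cryptogram against a fresh challenge fails (MAC mismatch).
    un2 = pump.chip_challenge()
    results["chip_replay_new_challenge"] = pump.pay_chip(un2, crypto1)
    # Replaying challenge and cryptogram together fails (counter already used).
    results["chip_replay_same_challenge"] = pump.pay_chip(un1, crypto1)
    # Without the card key the skimmer cannot mint a cryptogram for a new counter.
    forged = dict(crypto1, atc=crypto1["atc"] + 1)
    results["chip_forged_counter"] = pump.pay_chip(un2, forged)
    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name:28s} {'APPROVED' if ok else 'DECLINED'}")
```

The two replay cases are the ones a pump skimmer could attempt with captured data; both are declined because the issuer checks the cryptogram against the terminal's own challenge and a monotonically increasing counter, and the key needed to produce a fresh one was never on the wire. The magstripe case shows the converse: the issuer has nothing but static data to compare, so copy and original are indistinguishable.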

  2. great article. i’m not sure if my recommendation is any better, but I always pay inside with my credit card. i avoid paying at the pump at all cost.

  3. Such gimmicks as the tape seen here are a half-assed and misguided attempt to project an air of security while avoiding or delaying the capex necessary to achieve state of the art security.

    Instead of retrofitting pump POS with chip and NFC readers, and securing them behind strong enclosure locks, we get something akin to a duct tape solution.

    • Chevron in California reports that tamper does reduce the incidence of skimmers to nearly zero. Card reader technology generally takes years longer to reach gas pumps relative to in-store POS systems. I work for a cstore chain. The pump reader hardware for EMV/NFC that will work with our POS systems (from one of the largest POS system makers in the world) simply doesn’t exist yet.

      • That’s an interesting report from Chevron in California. Can you provide a link to this report? I couldn’t readily find it via Google search. Thanks!

      • It would be *impossible* for an outside attacker installing a skimmer on fuel pumps to spend a few bucks duplicating “security” tape or labels.

        Consumers will know to look for the tape / label, and be aware of how to identify counterfeits.

        Yeah. Right.

        • You’ll need to carry a black light and a counterfeit detecting marker with you to the gas station. /s

  4. Nice point about debit cards that seems too often forgotten. I only use my debit card (Which I still think of as an “ATM card”) for cash at my bank. I see debit cards as a bad for me personally for the following reasons. 1. Risk and inconvenience in case of a breach as mentioned above and not just for gas transactions. 2. Time value of money. I like having credit cards giving me about 40 days of float on my money. I also want to be paying federal income taxes at the end of the year as refunds are simply a result of a tax free loan to the US government for the same reason. But I diverge. 3. Rewards. I’m happy to have one card for travel but recently my wife has turned me into a rewards chaser with multiple cards.

    • I never use a debit card. Every time my bank sends me a new one I pick up the phone and specifically request an ATM only card. They happily ship one out right away. No pin…. no money.

      • I’m one step ahead of you. I don’t even have an ATM card.

        • I’m two steps ahead of you, I don’t keep my money in banks. Instead it’s buried under shrubbery.

          The problem? The wooden shack I live in at my isolated forest location has been surrounded by progressively more and more shrubbery as my assets have grown and more “deposits” have been made.

          Right now I have what looks like a lawn made out of bushes.

          Maybe I can start burying it under other people’s bushes.

    • That’s why I’ve stopped buying gas at Costco. I don’t want to use my Amex card and the only other non-Costco card they’ll accept is bank debit cards. As much as that discount would be nice, my peace of mind is worth more.

      • Didn’t they just cancel their agreement with Amex? Stay tuned.

        • They failed to renew the exclusivity agreement that expires in March 2016. Lots can happen between now and then. Coincidentally, Costco seems to use the security tape, as well. At least mine does.

          • When my local Costco completely tore up and expanded their gas station with new pumps and more lanes, the security tape went onto all the new readers.

            Coincidentally the new readers accept cards with both left and right orientation, though they don’t accept upside-down cards… having mag strip readers on both sides would require the thief to either lose out on whoever swipes in the other orientation, or double the number of stripe readers in their box.

            If the tape is done right, where it leaves behind a pattern when removed, then the tape can be quite effective. Those patterns are usually quite difficult to remove, since they (should) use a different adhesive than the rest of the tape. I have no idea what tape Costco uses on their pumps, I’m just saying that tape in and of itself isn’t necessarily a laughing matter. Individual implementations, of course, can be.

        • Yes, starting sometime early in 2016, Costco will stop accepting AMEX cards.

    • Another approach: my bank offers a zero-cost checking account option (probably zero service too, but who cares) that I maintain as a buffer between my “real” checking account and the ATM/debit card world outside. I fund this second account with a few hundred bucks for cash draws when needed, using a phone app or website to transfer funds among accounts from wherever I am.

      • And you really think using a phone app or website to access accounts and transfer money is secure?

        • In a word, yes. Secure enough, given that “wherever I am” usually means on my home network, but could be other locations in a pinch. You have something better?

  5. Smaller, mom and pop gas stations are installing padlocks onto their pumps which prevents the master key issue.

  6. Waiting for EMV . . .

    October 1, 2017 – Counterfeit Card Liability Shift, Automated Fuel Dispensers. This extends the card-present counterfeit card liability shift to transactions from automated fuel dispensers.

    http://usa.visa.com/download/merchants/bulletin-us-participation-liability-shift-080911.pdf

  7. Unless they have come up with some increasingly sophisticated method, I believe skimmers still rely on either a retrofit keypad (which can be easily spotted) or a camera (which can be defeated) in order to capture the PIN. I always (after reading so many good articles on KrebsOnSecurity) cover my hand with my other hand and use all of my fingers to type the pin, making it nearly impossible to glean my pin from afar.

    I do prefer credit but my cards get flagged a lot for fraud when traveling, so as a last resort I do occasionally need to whip out my debit card which is accepted without incident.

  8. Using tamper proof sensors going to an alarm system or shutting the machine down would work

  9. Twin Mustang Ranch Dressing

    There are ESSO stations in the U.S. today? Wasn’t that brand retired some four decades ago?

  10. We found 6 in the Denver area in 2015 alone, and over 50 in the past two years. Individually franchised gas stations, no matter how popular the name of the station, some just care more about their customers than others. I encourage our cardholders to support the gas stations that use the tape over the card reader door, at least you know they opened the door and check for the Bluetooth-enabled skimmer. The stations that don’t do this for their customers don’t deserve the business in my opinion

  11. I work for a fuel retailer, in the IT department. This is a constant fight for us – crooks have gotten more creative with concealing their skimmers. I saw one a while back that was an altoid tin wrapped in heatshrink and velcroed to the inside of the CRIND door. At first glance it looked like a part of the dispenser… We have taken measures against some of that (CRIND tamper stickers, changing locks, dispenser inspections on every shift, etc) and it has gotten better.

    We have about 16000 fuel dispensers, so we have to be very vigilant to ensure consumer security. Also, no matter what defenses you put in that are physical, if you do not train your team to watch for this then none of it will matter. I tell my friends and family when they use their card to be mindful of their surroundings. I will shake a card reader and make sure there is no false face on it. I look at the condition of the keypad overlay. I cover the keypad with my hand if I use PIN entry or AVS (zip code).

    Young people will get this, but our older and less technological people won’t grasp it. Just the other day I caught my grandmother reading her card and CVN off to someone on the phone and had to explain for an hour why this was a bad idea in this day and time. Mom and pop’s are in no better way secured than our retail chain. In fact, I would say less so… They won’t have the PCI-DSS audits come down on them as hard as it does us. They lack the physical security that we have to maintain with DLP and the controls we have to maintain on the POS. And some of them around here do not even use a more current PIN entry device that supports 3DES. And they won’t have the capital to spend on a high end security monitoring and alarming solution…

    Thank you Krebs, I enjoy reading your blog! :)

    • I love to see these comments from people who work in the industries affected by the bad guys. Thanks!

      • You Know, That Guy

        It helps to know they are paying attention to the problem.

        • Yes sir, we are. We have to be. There is far too much at stake to be lax. And it is an evolving process, right? People are creative and will find a workaround.

    • To be fair, I can’t convince a friend in his mid twenties to care about security at all, but did manage to train my mid-80s grandparents (and my parents) to be more mindful about cyber security. It’s not hopeless. But it is a big struggle.

      What I don’t understand is why, with all the increased spending on cyber security, are there no grant programs to help small businesses do the right thing when it is financially out of reach? We’re willing enough to help idiots rebuild homes the rivers clearly want. Why are we not funding education efforts in all levels of schooling to help kids understand this matters and train enough security experts? No handful of people can fix this mess. We all need to have the tools to make the best decisions, and only then will it get better. But hooray for those out there on the front lines now.

  12. Tape has been used over Florida gas pump dispensers for several years. Very often they are broken. When you report this to the cash register monkey, they shrug their shoulders. I have asked to speak to managers and they don’t seem to be concerned either and many times he is “not onsite” or “not available”. Tape means NOTHING.

    • Call their customer care number if they have one. I know we do – on the back of every receipt. Report them and tell them what store you had the issue with. Tape means jack shiz when the people behind the counter don’t care or aren’t trained.

      • We have utilized tape on our dispensers and internal card readers, and numerous other devices as well for years. Our managers and assistant managers have to check them all twice a day and verify their condition and report any anomalies. If any are found, video is checked, and possible onsite inspections of the pumps if needed.

        The funniest part we have seen is the number of customers who mess with the tape while they are pumping. It’s a big game of chess trying to keep the customers data secure.

  13. My card got stolen a week ago, and I am still waiting for the replacement. I suppose because it was EMV it takes longer to get a new card out.

    It was either a parking garage or a gas station that picked my card. No way to know for sure. BofA shut it down pretty quickly.

  14. Krebs,

    Suggestion for an article: Card Fraud in the entire world versus the US: Why US Companies need to switch to EMV technology.

    • Can’t wait for the day when stealing one’s credit card data is useless. I for one will bow down to the new Encrypted Token gods.

  15. Ryan, that indeed is a good suggestion, which is why Brian has covered it several times before. 😉

    Here’s one: http://krebsonsecurity.com/tag/emv/

  16. I have a few perspectives, as a b2b credit mgr I understand that gross margins are often single digits Before expenses are taken out and net margins are often microscopic. Small Businesses pay credit/debit fees Beyond our control & extra to pay for your rewards programs. We spend considerable time choosing the best products AVAILABLE at the time to work within our business, hoping the manufacturers/software writers are intelligent and security conscious. We can’t keep buying/retraining constantly, we have a business to run. I also know that it is impossible to control all employees who have a different security mindset than mine. I have to trust that my IT Staff knows their stuff (I read KoS, some think I’m paranoid).

    As an older person, I carry the baggage remembering the “good old days” when you could buy something that worked, didn’t break down and wasn’t time intensive to keep updating/replacing. I went from early adopter of tech 80’s (everything crashed & disappeared) to 00’s wait & let others deal with the gigo tech and when things stabilize I’ll take action. I don’t want to BE a techie but I appreciate those that DO. I often find techie minds don’t want to slow down & explain things without making us feel like idiots (I read KoS to be aware & learn).

    As a consumer, I don’t want to chronically deal with having stolen debit/credit card data because software writers/manufacturers are poor planners. It steals my time from more valuable endeavors. So I use debit/credit cards less and cash more now, plus it saves small retailers some high fees, I buy more amazon/itunes cards to use online. I’m more patient waiting in line for grandma to write a check now, some day maybe you will understand.

    My life isn’t technology, it’s a tool I use and have Appreciated for MANY Years but my life doesn’t revolve around it. Just food for thought…

  17. Never seen one of those at the pump before, but I always use my CC. Anything else is just too risky. I just really wanna know when these criminals find the time to tamper with these machines without anyone noticing something off. I would assume it would require things to be moved around. Most gas stations in the US are 24/7. I guess the workers are too busy worrying about robbery to deal with skimmer issues at the pump.

    • “I just really wanna know when these criminals find the time to tamper with these machines without anyone noticing something off”

      They often will target the pumps furthest from the attendants view, but yes the workers at gas stations are often too busy to even notice.

      Some of the thieves are quite brazen as well. A colleague and I were refueling on the way to lunch and noticed someone on the other side of the pump was jacked in with a laptop. Jeans, sweatshirt, non company white jeep. We reported it to the station upon departure but it was rather mind boggling.

  18. In Europe, we use chip cards with PIN authorisation. If your card somehow got stolen with pin, or skimmed or whatever, bank will first refund your money then investigate the case.

    As customer, I’m not “guilty” if I haven’t hidden PIN or other nonsense, It’s up to the banks to provide security for their customers using provided machines.

    • That is actually not correct. It depends per country. For instance in The Netherlands, when you get skimmed using your PIN, there is a 15% “co-pay” as you had to be careful.

      And no, they don’t always first refund and then investigate. It depends per bank and per country what the procedure is.

      Remember the “no risk” when using a card is not an inherent property of chip cards, but dependent on laws and card-agreements.

  19. I wonder if the drop in Oil/Gasoline prices affects the market for skimmers for gasoline pumps? Most pumps I use don’t use a PIN, but rather the billing zipcode (still PII, but not as bad as a PIN compromise).

    • I smell a troll or someone who thinks that the taxonomies are actually related.

      No. Think about the unrelated economies of both businesses.

  20. Do any reader manufacturers support validating contactless features of modern cards with stripe/EMV data?

    I know contactless is not secure (just like HID door tags etc) but it is another datapoint to validate plastic these days.

    Roll on a seamless 2 factor world.

  21. Unfortunately, the average consumer develops a false sense of security rather easily. Criminals would be smart to add the tape when they install their equipment. Simply because the…um…less-than-savvy consumer will look at it and say, “Oh good! Security tape. Totes secure.”

  22. Krebs,
    As someone who works within the gas station industry and who actually installs dispensers and everything to do with them on the outside(motors, sumps, piping, etc.). I have noticed at some of the gas stations I go to and particularly the one that I work for, that the keys are changing. The company I work for uses a different set of locks for the top half of the pump(where the Card reader and pin pad are), this was done in an effort to actually reduce the amount of people breaking into pumps and damaging the “counter” of the meter which tells the pump how much you have pumped. And as added protection we also use SCRs(Secured Card Readers), that if altered with will deactivate and no longer work until reactivated by a certified Gilbarco tech(a log-in and special cord are required to do so). And as another deterrent most of our pumps have a guard on the bottom half to combat people attempting to break into the pump from the bottom.

  23. I saw these on some pumps here in North Carolina.

    My first thought was, “dude, you’re supposed to put the tape on the access door and not the damned reader”, but apparently the current concern is for the reader.

    I generally try to yank on the reader a bit when I buy gas at the pump just to be safe anyway.

    All this being said, I guess this was the place where my credit card last got hijacked, since I’ve not seen this tape previously at my local Kangaroo.

  24. In the photo with the fingers, I note that the tape has a pattern of the word “VOID” visible on it.

    Does that pattern become visible if the tape is removed? If that’s the case, it would be a clue that the machine had been tampered with. (Granted, this assumes good lighting at the pump so the VOID is at all visible.)

  25. Why don’t gas stations just attach inexpensive battery operated alarms every-time the pump door is opened instead of tape? How many times do they open these doors anyway except to change the roll of receipt paper tape. A loud alarm will send thieves running especially if it’s being filmed.

  26. Hi Brian,

    Eagerly waiting for your report/comment on the so-called biggest bank hack over $1 billion across 30 countries. (Today’s Kaspersky Lab’s Report)

  27. Sadly, I wonder what Putin will do once he realizes this Antivirus company has potential control of millions of computers. Moscow based = 1 gun for each head in the office. :(

  28. replying to MH whose comment was
    http://krebsonsecurity.com/2015/02/fuel-station-skimmers-primed-at-the-pump/comment-page-1/#comment-368009

    The FFA in the UK took numbers and made the best impression it could in its 100 page pdf. Their headline number is that fraud is down 11%. Down from what? The previous year? It turns out total fraud when measured from the 2004 peak.

    What was missing from the FFA were the sales figures. Without them you can’t tell the fraud rates. I got them from the UK Cards Association. In the last seven whole years total UK fraud relative to sales went up for the first two, down significantly for the next three, and is rising again for 2012 and 2013. That isn’t good. The good news is that there is no doubt that that EMV (along with major public awareness efforts) had a significant impact reducing card-present fraud, but the impact on total fraud is waning. The EMV impact on Remote Purchase (CNP) is doubtful as RP fraud grew as a percent of total fraud during all years except for a slight dip during 2008.

    see the narrative, charts and sources at
    http://nc3.mobi/references/uk/

    on EMV in general see
    http://nc3.mobi/references/emv/

    There is a better way

    Jonathan @nc3mobi
