04
May 15

Foiling Pump Skimmers With GPS

Credit and debit card skimmers secretly attached to gas pumps are an increasingly common scourge throughout the United States. But the tables can be turned when these fraud devices are discovered, as evidenced by one California police department that has eschewed costly and time-consuming stakeouts in favor of affixing GPS tracking devices to the skimmers and then waiting for thieves to come collect their bounty.

One morning last year the Redlands, Calif. police department received a call about a skimming device that was found attached to a local gas pump. This wasn’t the first call of the day about such a discovery, but Redlands police didn’t exactly have time to stake out the compromised pumps. Instead, they attached a specially-made GPS tracking device to the pump skimmer.

A gas pump skimmer retrofitted with a GPS tracking device. Image: 3VR's Crimedex Alert System.


At around 5 a.m. the next morning, a computer screen at the Redlands PD indicated that the compromised skimming device was on the move. The GPS device that the cops had hidden inside the skimmer was beaconing its location every six seconds, and the police were quickly able to determine that the skimmer was heading down a highway adjacent to the gas station and traveling at more than 50 MPH. Using handheld radios to pinpoint the exact location of the tracker, the police were able to locate the suspects, who were caught with several other devices implicating them in an organized crime ring.

A GPS tracking device manufactured by 3SI Security Systems (3sisecurity.com)


This story in October 2014 from the U.S. Justice Department’s “COPS Office” indicates that the Redlands PD has taken the lead in using GPS technology to solve a variety of crimes, and has credited the technology with helping secure at least 139 arrests.

According to 3VR Inc., a San Francisco-based surveillance and security firm, the Redlands PD has used the GPS technology to apprehend offenders committing armed robberies, vehicle burglary, pharmaceutical burglary and robbery, cell store burglary and robbery, bike theft, laptop theft, construction site theft, fire hydrant theft, metal theft, wire theft, 3rd row seat theft, cemetery theft, vending machine theft, mail theft, UPS parcel theft, residential burglary, tire theft, vehicle theft, cigarette theft, etc. “The technology has also been used to voluntarily track informants by sewing a unit into a purse,” 3VR wrote in a recent newsletter.

3VR notes that the GPS device used by the Redlands PD in the pump skimmer case runs for about six hours on a full battery, meaning cops have about six hours to locate the device before the GPS stops transmitting. However, the devices can be tweaked to extend the battery life, by allowing them to switch on only in the event the device actually is moved, and by decreasing the frequency with which the device beacons home.

One increasingly common type of gas pump skimmer — those equipped with Bluetooth technology — might not be as susceptible to these kinds of police tricks. Bluetooth skimmers are equipped to tap directly into the pump’s power supply, and to allow thieves to retrieve stolen card data wirelessly, just by pulling up to the compromised pump with a Bluetooth enabled laptop or smartphone and downloading the data without ever leaving the vehicle.

Unlike ATM skimmers, skimming devices attached to gas pumps usually are impossible for the average customer to spot because the skimmers are not stuck to the outside of the machine, but rather hidden inside after thieves gain access to the pump’s insides. I wouldn’t worry too much about pump skimmers, unless you’re accustomed to paying for fuel with a debit card: Having your checking account emptied of cash while your bank sorts out the situation can be a huge hassle and create secondary problems (bounced checks, for instance). Use a credit card instead.

How common are pump skimmers?  Thieves tend to attack multiple filling stations along a major interstate, as detailed in this July 2010 story about pump skimmer scammers. More recently, a law enforcement sweep of 6,100 gas stations in Florida last month turned up skimmers at 81 locations.

If you’re as fascinated by ATM and pump skimmers as I am, check out the rest of my skimmer series, All About Skimmers.


57 comments

  1. Of course, in Los Angeles at least, most gas stations don’t even accept credit cards. And those that do, tend to charge higher prices for credit card users (about 10 cents per gallon at the very least), besides just charging generally higher prices than other stations. There are a few exceptions, of course. But my recommendations for gas stations are: (1) Carry enough CASH for a full tank. (2) Never use a debit card to pay. (3) Use a credit card only if you’re getting cash back in excess of the gas station’s price bump. Otherwise, stick with cash.

    • Curious how advice goes round in circles.

      A while ago (in the UK) “driving away without paying” became an issue.

      Many fuel stations now have cameras to record car number [licence] plates to help counter this. There was then a suspicion that some service station staff would make spurious claims of “driving away” to cover deficiencies on the till.

      So the advice became “use a card” so your payment is recorded and you get the till-receipt. If you have used a card (usually at the service station till) you then had “proof”. If you paid cash you were more likely to be falsely accused.

      Then we got “pay with card at pump” and it appears that at least in the US the skimmers have moved in. So it’s back to paying with cash (which presumably you feed into the pump, rather than hand over at the till)!

      With fuel prices in the UK I would not want to carry enough cash for a full tank. A 60 (UK) Gallon tank takes ~72 US Gallons. Diesel at £1.22p/litre at my local filling station (£4.61/US Gallon = $US7/US Gallon) means carrying the equivalent of $504! I would be more worried about being mugged for my cash than I would be about being skimmed.

      • A typical UK car has a fuel tank around 60 litres/12 gallons. That’s around £72 for a full tank.

        • ThursdaysGeek

          Yeah, my car’s tank is probably less than 12 gallons, and even a hummer is just a bit over 30 gallons. I’ve never heard of a normal passenger vehicle with a 72 gallon tank!

          Even when gas prices were high, I never paid more than about US$35 to fill my tank.

          • Sorry, what? £72 British is around $115 US

            £72 = $113 (£ is pounds, a currency)

            So currently the British are at around $10 per gallon, us, or £1.2 per liter ($1.91/L)

      • In the US, gas stations require customers to prepay. To pay with cash you have to go to the cashier before pumping. If you pay with credit, the station pre charges your card $100, then amends the charge after you finish.

        Requiring prepayment seems like it would prevent drivaways more effectively than cameras and without nasty false reports, but I don’t have any data to back that up.

    • Re MW’s post above: Besides Arco, which gas stations do not accept credit cards? I can’t think of any major stations in California. Also, most stations will not give cash back when you use a credit card.

      • credit only at gasstations

        There are many credit card reward programs in the US that offer 3% back on gas purchases. So at $3.33/gallon, if the cash price is 10c less, you break even. Since the price of gas has been much higher than that lately, using a credit card is cheaper than cash in many cases, and certainly more convenient and arguably more safe.

        I think the biggest problem is that the margins are so low and the cost of the credit card machines in the pump so high, that there is no incentive to implement encryption at card swipe unit, which would eliminate the success of internal skimmers. There are pump encryption solutions on the market and a few stations are deploying them. Not broadly enough though.

        From discussions with insiders, gas companies are willing to accept the fraud losses for now. And the card brands continue to give petro stations leeway in compliance. That’s disappointing.

        • I suppose that part of it is that they are expecting to have to replace a lot of equipment when the liability shift for EMV comes up (for gas stations this will be Oct 2017), and they don’t want to go through this more than once.

          It would be kind of nice if there were a way of telling which stations had already upgraded their equipment to something that did proper encryption, and which ones have the old and vulnerable models.

          • Reply to Eric and Credit only,
            Some gas stations on the east coast of the US have already gone to an SCR (Secure Card Reader); for instance, I work for a company that has been using SCRs for years. Most if not all of our CC (Credit Card) pumps use SCRs. The company I am talking about now has over 1200+ stores with “recent” buyouts of different companies. The maintenance for the most part is in house. I have since been promoted but was a maintenance tech for about 1.5 years and have some experience with Gilbarco pumps (Advantage, Legacy, Encore, and mechanical series). For the most part this company has many locations (where fuel theft occurs when people break inside the pump) that have pump guards installed and special keys made specifically for this company are used to lock the CC area of the pump to prevent someone from gaining access to either portion of the pump. Gone are the days of the common CH-751 key. They’re so common that my personal vehicle came with one installed on its lockable center console…

  2. Interesting article, Brian.

    Like having a “LoJack” for gas pump skimmers, huh?!

    I’ve always paid cash for gas purchases myself. Don’t use credit cards at all.

  3. I have to give props to the cops for coming up with an innovative way of catching these guys. But I am hoping that reporting like this won’t tip off the bad guys to be on the lookout for such devices. But then again the bad guys frequently aren’t that smart.

    These days, I always pay cash. The place I usually go gives me 5 cents/gallon off for paying cash – not a lot, but worth something. A full tank for me usually runs around 40$.

  4. What is “3rd row seat theft”?

    • Seats in many SUV’s come out very easy by releasing a latch or 2. (No locks) and are instant cash in the stolen car parts market.

      • This sounds funny. What kind of market can exist for 3rd row seats. Wouldn’t the only reason you’d need one is yours got stolen?! Isn’t that like creating demand?

        • Lucas Cooper

          For the most part, yes, but car parts are always worth something, and there will always be a few cases where people will need them. In fact, there was a pretty famous airbag theft ring that also sold back airbags to the same people they were being stolen from. It wasn’t stopped until Honda started adding serial numbers to some of their bags, and the cops eventually ordered a big batch of Honda airbags from the business that was suspected of selling the stolen bags. Sure enough, all the serials on the purchased airbags were stolen.

  5. Donald J Trump

    The use of GPS technology to track people in criminal cases is now being considered a violation of the 4th amendment in more and more cases.

    • I’m not a lawyer but in the case described in Brian’s post, isn’t the GPS device being used to track an illegal device, the skimmer, rather than a person?

      I completely understand and agree with 4th amendment challenges of placing a GPS device on a completely legal object such as a vehicle to track the whereabouts of a suspect who cannot necessarily be presumed to be breaking the law just by operating his vehicle.

      GPS tracking of the suspect would actually only occur coincidentally when the suspect is in possession of the illegal skimmer, which I would have to guess cannot be considered to be legal to possess under any circumstance.

      One would think that in at least one of 139 arrests, the defense attorney would have raised 4th amendment concerns about the GPS evidence against their client and, if successful, would have resulted in the evidence being suppressed.

      This is not to say I know what might have happened one way or the other, because I don’t know.

      Just my uneducated opinion.

      • Edward Nygma

        I think a key thing to consider here would be probable cause. Possession of the skimmer, while perhaps not per se illegal, likely constitutes probable cause in the eyes of a judge. Thus the tracking is permissible per the 4th Amendment. And there’s always for law enforcement the option to get a warrant to track someone. The GPS evidence that was thrown out had been obtained by placing a tracking device on a vehicle without a warrant. The message that should be taken from the suppression of that evidence is not “Don’t use GPS”, it is “Get a warrant”.

        • Nice discussion on whether or not the Police may follow a suspicious device.

          Why doesn’t anybody complain about violation of the 4th amendment when carrying an Android phone?

          Or when your car is stolen and your security firm is able to follow it via a GPS tracker? As a car thief I would be using this ‘Violation of the 4th amendment’ as a standard procedure.

          • @RonM, speaking only for myself, not being a lawyer, in the former case, one voluntarily carries an Android phone and I believe one or more of the terms and conditions of using Android itself as well as its underlying apps includes consent to have location information collected, stored, analyzed, etc. Law enforcement would still require a court order to have the information transferred to them.

            For the latter, the car thief is dead to 4th amendment rights because the property is what is being tracked, not the car thief, and it is not the car thief’s property.

            The owner of the car presumably would have at some point consented to the collection and transfer of the information to law enforcement.

            The car thief would have no standing to contest that, I assume.

            I think those are the reasons we don’t know or hear of such things as thieves contesting the collection of location data for objects not belonging to them.

            The only such instance I know of when a suspect had standing to contest such collection was when the police surreptitiously placed a GPS device on the suspect’s own car without a court order. That was clearly, IMHO, not permitted under the 4th amendment.

      • Donald J Trump

        That’s like attaching a GPS tracking device to a car which is not a person in illegal drug cases. Many court judges have ruled that this is a violation of a person’s 4th amendment rights and a violation of privacy because they feel it’s unlawful to track people in this manner.

        Why use a GPS tracking device in this manner when law enforcement can just set up a 24 hour surveillance camera pointing at the pump or back of the car to obtain the license plate number?

        Just my opinion, but it’s a good argument in a criminal defense for whoever’s installing these skimmers.

        • There is a lot of misunderstanding of the SCOTUS ruling US vs. Jones. The ruling applies to long-term warrantless GPS tracking. The ruling suggests that short-term (perhaps under 24 hours) warrantless tracking may not impinge on your right to privacy under the 4th amendment.

          • Donald J Trump

            “may not” where do you draw the line before it violates the 4th amendment?

        • Again, I’m not a lawyer, just an uneducated opinion…

          This is probably splitting hairs but I think there’s a significant, legitimate and relevant difference: attaching a skimmer to a card reader without the consent of the owner of the card reader is prima facie an illegal act.

          On the other hand, operating a legally licensed automotive vehicle is not prima facie an illegal act.

          So I think a judge considering granting a court order to permit a GPS transmitter to be attached to a skimmer is liable to be convinced that it should be granted because an illegal act has already occurred and the purpose of the GPS is only to determine who the perp is.

          On the other hand, no crime is per se committed by operating a motor vehicle, so the judge is less likely to be convinced to permit a GPS transmitter to be attached surreptitiously to a suspect’s vehicle for an indefinite period in the hope the suspect would commit an illegal act while the GPS transmitter is active.

    • As Freddie points out, the GPS is tracking an illegal device, not a person. Also, tracking is constitutionally suspect *without a warrant*. But a skimmer is prima facie evidence of a crime. I’d think it wouldn’t be too tough to get a warrant for the tracker.

    • “The use of GPS technology to track people in criminal cases is now being considered a violation of the 4th amendment in more and more cases”

      This is true. But the GPS device is clearly not tracking a person, but something (the skimmer) illegally installed. The Police would need the consent of the gas station owner to apply the GPS trackers but – I might guess that this would very readily be granted.

      I fully agree with the Supreme Court’s decision that warrantless GPS tracking of people [in most cases] is contrary to the Fourth Amendment. But the scenario in question – placing a tracker, with permission of the property owner, on a device illegally installed on that property – is entirely different from one where police, with no warrant, place a tracking device on an individual’s private auto. SCOTUS called foul on this, and rightly so. For police to get a warrant isn’t trivial but it’s not that hard. It’s important for there to be a check on what police can do – not to prevent them from doing what makes sense but – more importantly – to stop them from doing stupid things they haven’t thought through.

  6. Jeffrey Bates

    I rarely — if ever use my cards at the pump.
    Paying cash around here, usually gets you some money off the price…

  7. How long do you think this will work for? Surely the criminals will just learn to look for the GPS tag and discard it, no? Doesn’t seem like an approach that will work for more than a few months in any given area.

    What amazes me is that they’re able to install the skimmer on a gas pump, in front of a camera and that they’re not discovered immediately when they do so. There are a few companies that can do automated threat detection with video that could do some interesting work here (provided the price is something gas stations can afford).

    • Edward Nygma

      Entirely plausible that they install the skimmer whilst disguised as a maintenance crew or oil company people of some sort. Nobody might realize that they weren’t supposed to be there working on that pump until it’s too late. And then identification from the video might be foiled by, say, a hard hat brim and posture preventing a clear view of the face.

      Alternatively, they just know where the cameras have blind spots. Especially likely if they have a person on the inside. Or act to blind the cameras. Most modern cameras can be dazzled by the infrared LEDs used in TV remote controls. A hat and shirt that looks normal-ish in optical wavelengths but blazes like a hundred suns in near IR will result in the video evidencing that the skimmer was installed by an Organian on vacation from negotiating Klingon cease-fires. Then there’s lower-tech and more destructive options involving e.g. spray paint and crowbars…

      • That’s getting harder. I usually pay at the pump but recently the receipt printer was out of paper so I went inside to get one. And next to the cashier station was a sheet specifying the people who were authorized to work on (or approve work on) pumps, POS devices, etc etc. Names, photos and more – the whole deal. The days are long gone when folks could pull up in a trade van and just pop in a skimmer.

        • What makes you think that that particular gas station is typical w.r.t. security culture, rather than being an outlier on the more-secure-than-usual side of the mean?

    • Check some of Brian’s earlier posts in this series. He has surveillance photos of the devices being installed. There’s a reason you are advised to tug on ATMs to see if there’s a skimmer attached — they’re pretty much just stuck on the front of the machine, usually.

  8. We pumped gas and had full service. That was before the corporate DIY-screw yourself era. Put in more lottery machines and hire more low wage workers to make up the losses. Crank up the pop and bottled water prices.

  9. That was quite a varied list of theft and fraud crimes the police employed GPS trackers for. Cigarettes and fire hydrants?

    How will thieves respond – portable GPS detectors and faraday cages?

  10. Brian, can you provide a picture of what these things look like when they are attached to a gas pump? Do they tape them on the outside or somehow access the inside of the credit card slot? I would like to see what they look like so as to be on the lookout when one has been installed…. Do pump owners not check their pumps? How long do the skimmers take to install and how long do the thieves leave the things attached? Maybe I am missing something. It seems the pump owner should be vigilant and not let this happen…

    • They usually have one of several master keys that opens a whole slew of these pumps, and then pull up in a van, open the doors so that they obscure the pump on either side, and then distract the station attendant while they rewire the thing on the inside of the pump. You can see more here:

      http://krebsonsecurity.com/2014/01/gang-rigged-pumps-with-bluetooth-skimmers/

      • Then why not have a very loud buzzer go off when the machine is opened you could also disable the pump once the door is opened – and require reactivation remotely either by the guy at the local cash register (with a video camera to take a pic of who is reenabling it).

  11. critical tinker

    GPS attached to skimming devices attached to gas pumps are the equivalent of dye packs in money at banks.

    haha.

    what they need to do in addition to the GPS, is lace the whole device with LSD and then the fun begins. for the criminal of course.

  12. Wow, Third row seat thefts, Thanks Brian, I learned something new today!

    I never considered SUV seats to have such value.

    What a world we live in!

    • Pickup truck tailgates are also hot, especially in Texas. That’s why the manufacturers started making locking tailgates.

  13. Bluetooth enabled? This sounds like an opportunity for the grey hats. Remotely load the thing up with cryptowall and the thieves lose their profits for the day when they connect.

  14. FKA Curmudgeon

    There’s some benefit to living in Oregon where there is no self-service gas. Since the station is attended all the time, it would seem harder to install a skimmer. Unless of course it is an inside job.

  15. Sooo, I should pull out my phone and scan for Bluetooth devices at the pump prior to using it, okay I can do that once in a while.

    I always use CC for gas, and try to use the same station as often as I can. I always look for skimmers and cameras or any changes of the pump’s face etc.

  16. A debit card can be used safely. Inside the store. There’s a local chain that offers a discount per gallon between $0.06 – $0.10 for the use of their branded card (that is attached to a bank account). It’s a little more of a hassle to go inside, but if peace-of-mind (and discounts) are sought, then that’s what one may have to do. Else, agreed, use a credit card.

    • And when the store’s register is hacked because the crappy point-of-sale software or vendor doesn’t give two hoots about security, you’re back to square one. Using debit is riskier than credit, period.

      • Is there ever a convincing positive case to be made for carrying/using a debit card, unless of course one is unable to qualify for a credit card?

        I have repeatedly tried and failed to convince my 80-year old mother that the fraction of 1% interest her bank pays her to make at least 20 debit card transactions per month is not worth the risk of having her checking account balance wiped out by debit card fraud, even to the point of offering to pay her the interest she would have received if she would just switch to credit.

    • If it’s tied to your bank account (i.e. ACH access) – good luck. You have no protection.

      Zero. Nada. Zilch. If someone gets access to that info then your bank account can be emptied and you have no recourse. Even if the bank does decide to absorb the loss, it’ll be weeks/months until you have any money.

      With a credit card charge, there’s no direct access to your bank account (i.e. actual money), and you have Federally-limited exposure to unauthorized charges. Government regulation at work – a real help in this scenario.

    • Paying with CC inside might get you past the pump skimmer but not the minimum wage clerk that’s copying down your card number and CVV. Where there’s a will there’s a way.

  17. Thanks to this article the thieves will know what not to do. In the meantime, use cash folks…. it’s not skimmable.

  18. man power works better than camera. i think they should hire man a gasoline boy instead of installing camera…

  19. Interesting. I usually don’t use credit cards at a filling stations and prefer cash instead. Mostly because there is a surcharge that adds up when you pay through your card.

  20. This is for the apple fanboy, above. Actually, apple was caught by several hacker magazines several months after its initial release, of tracking its customers phones. It was several years later, they were still doing it, according to European courts. Only after the pentagon dropped apple phones, did apple update the system to encrypt the tracking data. But, they are location aware yet.

  21. I mainly pay cash for fuel, usually $15 does it for my antique 3 cylinder honda hybrid – I don’t go much below 1/2 tank as I’ve heard it’s better for the fuel pump – it stays immersed and cool.

    However I keep a $50 gas gift card in case of emergency, while gift cards can too be skimmed at least it’s isolated from a cc or debit card, and its fixed preset amount limits the collateral damage. This gas card has no fees, no expiration.

  22. Anyone else getting a 404 error for the Miami Herald article link?

  23. I worry the most about telling folks how they can get caught. While interesting, it will surely lead to more innovative ways to perform the theft.