26
Jun 18

How to Avoid Card Skimmers at the Pump

Previous stories here on the proliferation of card-skimming devices hidden inside fuel pumps have offered a multitude of security tips for readers looking to minimize their chances of becoming the next victim, such as favoring filling stations that use security cameras and tamper-evident tape on their pumps. But according to police in San Antonio, Texas, there are far more reliable ways to avoid getting skimmed at a fuel station.

San Antonio, like most major U.S. cities, is grappling with a surge in pump skimming scams. So far in 2018, the San Antonio Police Department (SAPD) has found more than 100 skimming devices in area fuel pumps, and that figure already eclipses the total number of skimmers found in the area in 2017. The skimmers are hidden inside of the pumps, and there are often few if any outward signs that a pump has been compromised.

In virtually all cases investigated by the SAPD, the incidents occurred at filling stations using older-model pumps that have not yet been upgraded with physical and digital security features which make it far more difficult for skimmer thieves to tamper with fuel pumps and siphon customer card data (and PINs from debit card users).

Lt. Marcus Booth is the financial crimes unit director for the SAPD. Booth said most filling stations in San Antonio and elsewhere use legacy pumps that have a vertical card reader and a flat, membrane-based keypad. In addition, access to the insides of these older pumps frequently is secured via a master key that opens not only all pumps at a given station, but in many cases all pumps of a given model made by the same manufacturer.

Older model fuel pumps like this one feature a flat, membrane-based keypad and vertical card reader. Image: SAPD.

In contrast, Booth said, newer and more secure pumps typically feature a horizontal card acceptance slot along with a raised metallic keypad — much like a traditional payphone keypad and referred to in the fuel industry as a “full travel” keypad:

Newer, more tamper-resistant fuel pumps include raised metallic keypads (known in the industry as “full travel” keypads), horizontal card readers and custom locks for each pump.

Booth said the SAPD has yet to see a skimming incident involving newer pump models like the one pictured directly above.

“Here in San Antonio, many of these stations with these older keypads and card slots were getting hit all the time, sometimes weekly,” he said. “But as soon as those went over to newer gear, we’ve seen zero problems.”

According to Booth, the newer pumps include not only custom keys for each pump, but also tamper protections that physically shut down a pump if the machine is improperly accessed. What’s more, these more advanced pumps do a better job of compartmentalizing individual components, very often enclosing the electronics that serve the card reader and keypad in separately secured metal cages.

“Pretty much all these full travel metallic keypads are encrypted, and if you disconnect them they disable themselves and can only be re-enabled by technician,” Booth told KrebsOnSecurity. “Also, if the pump is opened improperly, it disables itself. These two specific items: The card reader or the pad, if you pull power to them they’re dead, and then they can only be re-enabled by an authorized technician.”

Newer pumps may also include more modern mobile payment options — such as Apple Pay — although many stations with pumps that advertise this capability have not yet enabled it, which allows customers to pay for fuel without ever sharing their credit or debit card account details with the fuel station.

One reason that pump skimmers seem to be more pervasive is that authorities across the country are doing a better job of working with banks and federal investigators to determine fuel stations that appear to be compromised. The flip side is that thieves are generally opportunistic, and tend to focus on targeting systems that offer the least resistance and lowest hanging fruit.

Unfortunately, there is still a ton of low-hanging fruit, and these newer and more secure pump systems remain the exception rather than the rule, Booth said. In December 2016, Visa delayed by three years a deadline for fuel station owners to install payment terminals at the pump that are capable of handling more secure chip-based cards. The chip card technology standard, also known as EMV (short for Europay, MasterCard and Visa) makes credit and debit cards far more expensive and difficult for thieves to clone.

Under previous credit card association rules, station owners that didn’t have chip-ready readers in place by Oct. 2017 would have been on the hook to absorb 100 percent of the costs of fraud associated with transactions in which the customer presented a chip-based card yet was not asked or able to dip the chip (currently, card-issuing banks eat most of the fraud costs from fuel skimming). Currently, fuel stations have until Oct. 1, 2020 to meet the liability shift deadline.

Some pump skimming devices are capable of stealing debit card PINs as wellso it’s a good idea to avoid paying with a debit card at the pump. Armed with your PIN and debit card data, thieves can clone the card and pull money out of your account at an ATM. Having your checking account emptied of cash while your bank sorts out the situation can be a huge hassle and create secondary problems (bounced checks, for instance).

This advice often runs counter to the messaging pushed by fuel station owners themselves, many of whom offer lower prices for cash or debit card transactions. That’s because credit card transactions typically are more expensive to process.

In summary, if you have the choice, look for fuel pumps with raised keypads and horizontal card slots. And keep in mind that it may not be the best idea to frequent a particular filling station simply because it offers the lowest prices: Doing so could leave you with hidden costs down the road.

If you enjoyed this story, check out my series on all things skimmer-related: All About Skimmers. Looking for more information on fuel pump skimming? Have a look at some of these stories.

Tags: , , , , , , , , , ,

115 comments

  1. I’ve been seeing on my local news about a new way the thieves are getting your info off your card. I think its called A Shim(?). It is suppose to be able to read the chip on your card. They slide the shim into the card reader. That’s about all I know of it; anyone know more?

    • Shims go into a chip slot to read the data between the chip on the card and the reader. Apparently, you can’t make a chip card from this data, but you can make a magnetic-strip card from it (someone screwed up).

      Brian Krebs explains it for you in this blog post, “ATM ‘Shimmers’ Target Chip-Based Cards.”

      https://krebsonsecurity.com/2017/01/atm-shimmers-target-chip-based-cards/

      • Its not so much that someone screwed up as that at the time of implementation, the security on magnetic strip cards was fine. Because of how the chip works (challenge + response) you require far more knowledge of the system than you do for simply replaying the data in the card.

  2. Skimmers are everywhere , like here in Indiana they end up on ATM’s inside the stores or even on machines that the cashier use , we even had big stores discover them at there check out. So for me I jiggle and pull on every ATM , pump or anything that takes my card then I also cover my Pin number with my hand. It’s not full proof, but what is?

  3. Off topic but check this out.

    An individual claiming to be from an out-of-state staffing company contacted me and said he had a position with a local company (its a fortune 100 company that I have previously done contract work for) has a need of someone with my experience and skill set. After a very short phone call he sent me an email saying I needed to fill out an online form in order to be submitted to the client company. Check out this form. Fourth field requires an SSN. Without any face-to-face interview or offer they are wanting my SSN.
    https://spstaffing.com/application/

    Further down in the form it is requiring an emergency contacts’ information. Also required is a real signed signature. I have never seen such a level of personal information required for just an application. All of this screams identify theft.

    • I forgot to add that this ‘staffing company’ application is also asking for DOB along with the SSN and other personal information without any face-to-face.

      It would really be great if Krebs would pick up these scams that are being made to look like ‘contract staffing companies.’

    • Anyone who wants to see how persistent you are need only search krebsonsecurity.com and “fakestaffing.”

      Maybe it’s time for you to pay to advertise your blog, instead of leaving the same comment over a dozen times in two years.

      Or submit your story to Brian the right way, through his contact page.

      • I am persistent because these scams are hurting a lot of people. Naturally I am not using my real name on that blog or this one since I don’t want the scammer to go after me. because I am not using my real name I haven’t monetized it in anyway. So, I make nothing.

        I am not behaving in a selfish way. I am trying to help others.

        When I was unemployed and went to my regional unemployment service center I tried to explain this scam to the teachers there. My explanation seemed to go entirely over their heads so they didn’t warn others. I tried to go to my local media, but since I was not successfully victimized and my explanation went over their heads they also did not bother to report it.

        There is no legal requirement for any staffing company to ask for a partial or complete access and or DOB until a job is excepted. Yet they keep asking and getting this a very damaging information.

        • “There is no legal requirement for any staffing company to ask for … DOB until a job is excepted.”
          They could be accused of age discrimination.

        • John,

          Persistence is not a dirty word.

          The blog is good. I’ve read it. Whether you make money with it is of no concern to me.

          My criticism is that repeated comments are evidently an ineffective method of getting major attention.

          That’s why you should buy an ad.

          Fyi, BK reads tips. Submit one:

          https://krebsonsecurity.com/about/

    • I always filled out on-line forms when asked to do so. But I tend to make a lot of typos when it comes to SSN, DOB, and other personal information.

      I also tend to make similar typo mistakes when asked to send SSN, DOB, etc, by email.

      Even legit companies have stupid people working for them who asked for personal information by web form and email. Mistakes made in web forms and emails are easily corrected later when actual tax forms are filled out.

    • John,
      Thanks for this info. I noticed that this SearchPros application has no questions about security clearances, yet they claim they have Federal Agency clients.

      Every legit staffing company for defense agencies ask about applicants’ existing security clearances. It is super expensive for a contractor to pay for the required clearances so they prefer candidates to already have them.

      That huge discrepancy combined with asking the candidates’ age does make this look like a scam OR a company run by all newbies.

      You are right that Brian should either do a report on this (we have seen a lot about skimmers and Swatting) or he pass this scam onto a fellow investigative reporter.

  4. I’ve never seen a chip-card reader at a gas pump. Don’t use any card reader at the pump. Take your chip card into the store. If it doesn’t have a chip reader at the counter, go buy gas elsewhere. A little inconvenient, but convenience is the door to the skimmers’ trap.

    • Why? If you are using a basic credit card, you are not liable for fraudulent transactions, that is the bank’s problem. There is no reason to go out of your way to avoid any reader when using a credit card. Debit card, now, is different, should never use those anywhere except a decent ATM.

      • I would go to another station just so I don’t have to deal with the hassle of claiming fraud. Most people visit the same few pumps near their homes and work. One time with a credit card is probably fine, however I wouldn’t keep going back to someone who does not care about security of their customers.

      • Exactly. Then it’s Someone Else’s Problem, not mine.

  5. If the petrol stations with secure pumps advertised the fact they would have an advantage and the rest would soon follow.

    • Angie Riddell

      I absolutely agree 100%. Until reading this article I didn’t realize there were newer pumps. Will now be looking for those on every outing.

      • Never happen. “Secure” isn’t some permanent state and the evidence provided by the LEO doesn’t prove anything (and I don’t mean to suggest he was trying to). “Skimmers haven’t been found on certain pumps (yet) so these pumps are more secure.” That’s a correlation and, as we all (should) know, correlation does not imply a causal relationship. Any station that decided to advertise that their pumps were more secure would find themselves potentially boned the moment one of their pumps was compromised. And odds are someone will find a way to compromise them sometime.

        • With almost every one of these stories, there is some person who comments saying essentially that the suggested actions won’t fix the problem now and forever and thus it’s useless to undertake.

          As always, this is letting the perfect be the enemy of the good. Then again, your other comment about buying new cars instead of gas tells me you’re probably just trolling everyone.

          • First, I didn’t say that using those pumps provided no benefit as you suggest. I was commenting on the idea that gas stations should advertise these new pumps as “secure” because, well, I think they’d be reluctant to for obvious reasons (nothing is secure so, from a business perspective, it’s a bad idea to suggest something you can’t prove, have no ability to verify and cannot guarantee going forward).

            I also don’t think I said anything that isn’t true. The “more secure” statement comes from a correlation which doesn’t mean anything. It’s a correlation one can put some faith in if they choose but it’s not a guarantee. There’s also the old saw about ‘absence of evidence” not being “evidence of absence” that’s at play here. That one hasn’t been found does not mean one does not exist (or, more likely, will exist at some future point). Anyhoo, I agree you’re probably better off looking for these pumps and using them – I know I’ll be doing so until I hear one of these has been hit (after all, it’s definitely not more risky). Again, it was a comment directed at the advertising idea and written to address that specific point. Consider it written from the perspective of a gas station company’s marketing/legal team … though I admittedly know nothing about either. 🙂

            Whoops! Almost forgot: Second, the other post is a joke, not a troll. It’s taking a position to the absurd extreme in an (evidently poor) attempt to elicit a giggle or two. But I thought it was funny and, ultimately, that’s what matters, no? No? Ok, guess not.

            To be completely transparent (other than my username but you do have my email), I find this site and your work quite interesting, informative, and important. I recommend it to anyone who will listen. As such, I can guarantee (for whatever that’s worth to you) that I will not troll here. Just not my goal. I may post in oddly superfluous language at times (or oddly brief) if it suits my mood but, well, sometimes I get bored and feel like doing something a little different. That’s all it is. But yeah, I hope I addressed your concerns.

  6. I know this is old fashion, but I simply pay for gas with cash, always.

  7. Just go inside and pay

  8. Cash works every time without giving away any info.

  9. Richard Mortimer

    “…if you disconnect them they disable themselves and can only be re-enabled by technician”

    Oh, so crooks will never learn this information and how to re-enable the pumps? How did crooks get the master keys for the old style pumps? Oh that’s right, they’re criminals. Maybe these new features will slow down the criminals now, but surely they’re working hard to crack these new features.

    • Jason Roysdon

      Perhaps the newer machines require a network-based authentication by an authorized technician before they can be re-enabled? Then any staff changes can be done centrally and without any “secrets”.

      • For both modern card readers and pin pads if the device is removed the attacker should not be able to reactivate it. In some cases the devices will zeroize their unique network keys, which requires those keys to be re-injected. Sometimes they will simply stop working. In both cases the technician cannot reactivate the device without assistance, and authentication with the manufacturer. Generally this is done by injecting a manufacturer controlled public key into a secure element inside the device at build time. A authorized field technician obtains a challenge from the device, authenticates themselves with the manufacturer’s technical support and obtains a signed response to enter into the device. This system is fairly robust against outside attackers. Certainly more so than the ribbon cables with unencrypted track information on them that were common in older equipment.

    • just my two cents….i agree with most of that except the people part…i heard a quote somewhere that sounded something like “when in doubt do not attribute to malice that which can best be explained by stupidity” if i remember right…the article said something about manufacturer who used the same default masterkey for all their pumps…in which case get that masterkey and you can open any pump from that manufacturer despite the security situation at any given gas station.. unless the station was somehow able to change the key to the pump…

  10. James Schumaker

    I am wondering if there might be a database somewhere of US gas stations that use the more secure gas payment system (horizontal slot, metal buttons). If there isn’t, it would sure be a useful thing to put together.

  11. Demagnetized Magnetician

    My local Shell station charges $0.10/gallon for credit cards. I never carry much cash.

  12. The best way to avoid pump skimmers is to never buy gas. It’s a lot easier to just buy a new car whenever you get low (any reputable dealer will make sure you leave with a full tank – if they don’t, shop elsewhere) and the extra socialization with the dealer is something we can all use.

    If you can’t afford to just buy a new car every time you need gas, try renting one. You can ask that the rental agency fills the car when you return it so, when you get low, book another reservation and take the car back! Of course, if you pay with a card they could be skimming you at the agent but hey, you don’t have to worry about pump skimmers, right?

  13. Brian, I was trying to think if you’ve ever addressed one of my pet peeves. Today many (if not most) gas stations require you to verify your CC with the billing zip code. Essentially, they have turned your ZIP into a password… but the difference is, unlike a PIN, they never redact your zip from the screen.

    Not sure how tightly focused the pinhole cameras watching the number pad tend to be (regarding whether they can see the screen and the keypad) but I’d think that if the ZIP is being used for verification, then it’d be valuable for criminals, so I imagine they’ve begun to focus on the screen and the keypad.

    • I’ve noticed the same thing. It is very hard to enter your ZIP, cover the keypad, and cover the screen all at the same time.

    • @Dsastray, are you seriously that paranoid? If you are that worried about someone skimming your card AND watching you enter your zip code through a pinhole camera you should just use cash all the time.

    • If someone gets your ZIP code, so what? Half the people buying gas at the local station live nearby, sharing the same ZIP code. It’s not a big secret.

      A criminal can follow you home, if they want your ZIP code. Or they can have a “friend” look up your vehicle plate number.

      Criminals don’t care about your ZIP code. If they’re using a rigged pump to steal your card information, they’re using it to make a clone card to use for buying jewelry and expensive gadgets to resell. Criminals aren’t cloning cards with ZIP codes to save $30 on gasoline.

      ZIP code verification is meant to cut down on lying, authorized cardholders from dishonestly claiming they weren’t present at the pump. Liars are a huge problem for “pay at the pump” gas retailers, not carders.

      • That seems like pretty sloppy reasoning. Either the piece of information is not important, anyone can find it out about you and therefore shouldn’t be used as an authentication method, or it is important and should be protected. No?

        If a company billed me for a pay at the pump charge, and I said I wasn’t there, they’d say “but your card billing ZIP code was entered”. I’d say, “but anyone can follow me home or google search me or guess the local ZIP code and find that” and their authentication method is useless.

        Also, my home ZIP code is not necessarily my billing ZIP code (it isn’t on my business card). All in all, I don’t think it is a good system that allows a thief to connect more information to a stolen card number.

        I live in NJ, so I just have to worry about the attendant skimming my card.

  14. The only problem I have with the new style pumps at Costco in San Antonio is the metal keypad. With the temps in the high 90’s and low 100’s, the keys get too hot for me to place my fingers on the keys and hid them with the other hand. The first time I tried that in the hot weather, I thought my fingertip had been stung by an insect when I pushed a key. The keys are also too small. I have to peek to make sure I’ve got my fingers over the correct keys for my PIN, unlike my credit union’s ATMs where the keys are big enough that once I put my hand on the keypad, I never need to look at them again.
    I applaud Costco for having the employee at the fuel pumps pretty much constantly walking around the pump area to check for attempts at tampering.

  15. I don’t understand why anyone really cares about this. Basic credit card fraud (as opposed to real identity theft) is really low on my list of worries. I’ve had my primary credit card compromised twice in the past year. Each time the issuer cancels the card, sends me a new one and I use other card for 2 days until it arrives. I’ve never had to pay anything and all I’m out is half an hour of time on the phone. It’s really no big deal.

    If your card does get compromised, you’re never going to figure out where the breach occurred so driving around town to find a “secure” gas pump is really a waste of time (and gas).

    This is never going to change until the liability regulations change. Currently it doesn’t cost the station anything if your card gets compromised so why should they spend money to stop it? As soon as it costs them money they will quickly upgrade the pumps.

  16. Pinoy tambayan

    It means we have to be very careful while using credit cards. I’m afraid thinking to not use credit card in future 🙁

  17. Samsung Pay works at almost every pump I have tried. It’s not perfect, but pretty close and it uses a virtual card number so even if it is captured, it’s useless to a criminal.

    Search YouTube for “Tutorial: How to use Samsung Pay at a gas station pump.” to see how this works.

  18. lots of these new gas pumps and ATM machines have displays that can show video
    and pictures.

    If station owners and banks are not doing multiple checks of the pumps to ensure skimmers have been added the how about utilizing those and showing picture of the pump being used and what it should look like.

  19. When I buy gas I pay in advance inside the office. If I overestimate the charge they only charge me for the gas I pumped. That way if there is a skimmer in the pump I avoid it.
    I also have notification on all cards how much is charged and deposited. If I go to a merchant that does not use the chip card reader, I tell him to forget it and tell him to get a chip reader. I just go somewhere else that thinks more for our security instead of their cost.

Leave a comment