21 Feb 19

New Breed of Fuel Pump Skimmer? Not Really

Fraud investigators say they’ve uncovered a sophisticated new breed of credit card skimmers being installed at gas pumps that is capable of relaying stolen card data via mobile text message. KrebsOnSecurity has since learned those claims simply don’t hold water.

An earlier version of this story cited an alert sent by the U.S. Secret Service and interviews with a company that helps merchants secure their payment terminals. The claims were that a circular device found on the side of a gas pump was a skimmer that was believed to be responsible for communicating with other Bluetooth-based skimmers found embedded in the pumps, and that its purpose was to gather stolen card data and send it off wirelessly to the skimmer thieves via text message.

Since that story was published, I heard from a reader who works in security for the company that owns the compromised filling station in question. This person asked not to be quoted directly, but shared information showing that the mysterious circular device was not a Bluetooth anything. Rather, he said, it is little more than a GPS-based tracker that can be bought at Amazon and other online stores for about $100-$150.

The source shared a clearer image of the “skimmer,” and a review of the components shown there indicates this thing is indeed a GPS tracker — the kind of device that a suspicious husband or wife might attach to the undercarriage of the family car to track the other’s whereabouts in real time.

The most likely explanation as to why this tracker was on the side of a gas pump to begin with is that someone who was being tracked discovered it and left it at the station. The source also said claims that this was found beneath an NFC reader on the pump are not correct either. However, he said it was true that there were multiple gas pumps at the station that were internally compromised with Bluetooth skimming devices.

While I am not wild about having to post this correction, I also don’t believe it would be right to simply unpublish the original story — flawed as it is. So in the interests of full transparency, what follows is the original piece, minus the lede.

Original story:

A memo sent by the U.S. Secret Service last week to its various field offices said the agency recently was alerted to the discovery of a fraud device made to fit underneath the plastic cap for the contactless payment terminal attached to the exterior of a fuel pump. Here’s a look at the back side of that unwelcome parasite:

A multi-functional wireless device found attached to a contactless payment terminal at a gas station.

As we can see from the above image, it includes GSM mobile phone components, allowing it to send stolen card data wirelessly via text message. In contrast, most modern pump skimmers transmit stolen card data to the thieves via Bluetooth. The white rectangular module on the right is the mobile phone component; the much smaller, square module below and to the left is thought to be built to handle Bluetooth communications.

Bluetooth requires the fraudsters who placed the devices to return to the scene of the crime periodically and download the stolen data with a mobile device or laptop. Using SMS-based skimmers, the fraudsters never need to take that risk and can receive the stolen card data in real-time from anywhere there is mobile phone service.

Gas stations are beginning to implement contactless payments at the pump to go along with traditional magnetic stripe and chip card-based payments. These contactless payments use a technology called “near field communication,” or NFC, which exchanges wireless signals when an NFC-enabled card or mobile device is held closely to a point-of-sale device.

Because this tiny round device was found hidden inside of an NFC card reader on the outside of a gas pump, investigators said they initially thought it might have been designed to somehow siphon or interfere with data being transmitted by contactless payment cards. But this theory was quickly discarded, as contactless cards include security features which render data that might be intercepted largely useless for future transactions (or at least hardly worth the up-front investment, craftsmanship and risk it takes to deploy such skimming devices).
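The paragraph above says intercepted contactless data is "largely useless for future transactions" because of the cards' security features. The following is an added illustration, not code from the article or from any card scheme: a deliberately simplified model of dynamic authentication in which the card answers each tap with a MAC over the transaction data, a terminal-supplied challenge and a card-side transaction counter. The class names, the HMAC-SHA256 construction, the test PAN and the fixed challenge values are all constructed for this example and do not match real EMV key derivation or message formats; the point is only that a captured response, even with the PAN visible in it, does not authorize a second transaction.

```python
import hashlib
import hmac
import secrets


def _cryptogram(key: bytes, pan: str, amount_cents: int, atc: int, nonce: bytes) -> str:
    """Toy 'application cryptogram': a MAC over the transaction data, the card's
    counter and the terminal challenge. Changing any field changes the MAC."""
    msg = f"{pan}|{amount_cents}|{atc}|{nonce.hex()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class ToyContactlessCard:
    """Card side (hypothetical): a per-card key that never leaves the chip and an
    application transaction counter (ATC) that increments on every tap."""

    def __init__(self, pan: str, card_key: bytes):
        self.pan = pan
        self._key = card_key
        self.atc = 0

    def authorize(self, amount_cents: int, terminal_nonce: bytes) -> dict:
        self.atc += 1
        mac = _cryptogram(self._key, self.pan, amount_cents, self.atc, terminal_nonce)
        # This dict is what a sniffer between card and reader could capture.
        return {"pan": self.pan, "amount": amount_cents, "atc": self.atc,
                "nonce": terminal_nonce.hex(), "cryptogram": mac}


class ToyIssuer:
    """Issuer side (hypothetical): knows each card's key and last accepted ATC."""

    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def enroll(self, pan: str) -> bytes:
        key = secrets.token_bytes(32)
        self._keys[pan] = key
        self._last_atc[pan] = 0
        return key

    def verify(self, auth: dict, terminal_nonce: bytes) -> str:
        """terminal_nonce comes from the terminal, not from the captured message,
        so an attacker cannot pick the challenge their replay is checked against."""
        key = self._keys.get(auth["pan"])
        if key is None:
            return "unknown card"
        if auth["nonce"] != terminal_nonce.hex():
            return "nonce mismatch"
        expected = _cryptogram(key, auth["pan"], auth["amount"], auth["atc"], terminal_nonce)
        if not hmac.compare_digest(expected, auth["cryptogram"]):
            return "bad cryptogram"
        if auth["atc"] <= self._last_atc[auth["pan"]]:
            return "counter replay"
        self._last_atc[auth["pan"]] = auth["atc"]
        return "approved"


def demo() -> dict:
    """One legitimate tap, then three attempts to reuse the captured response."""
    issuer = ToyIssuer()
    pan = "4111111111111111"                  # constructed test PAN
    card = ToyContactlessCard(pan, issuer.enroll(pan))
    nonce_a = bytes.fromhex("1a2b3c4d")       # constructed terminal challenges
    nonce_b = bytes.fromhex("99887766")

    captured = card.authorize(4000, nonce_a)  # $40.00 tap, as seen on the wire
    outcomes = {"legit_tap": issuer.verify(captured, nonce_a)}
    # Replay at a different terminal: the challenge no longer matches.
    outcomes["replay_other_terminal"] = issuer.verify(captured, nonce_b)
    # Replay at the same terminal with the same challenge: the counter has moved on.
    outcomes["replay_same_terminal"] = issuer.verify(captured, nonce_a)
    # Alter the amount in the captured message: the MAC no longer verifies.
    outcomes["tampered_amount"] = issuer.verify(dict(captured, amount=1), nonce_a)
    return outcomes


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:24s} -> {result}")
```

The three rejection reasons are deliberately kept separate so the output shows which property (terminal challenge, integrity of the transaction data, or the monotonic counter) defeats each reuse attempt; a real issuer host would combine these checks with many others.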

Mark Carl is chief executive officer at ControlScan, a company in Alpharetta, Ga. that helps merchants secure their payment card technology. Carl’s company is the one that found the skimmer and alerted local authorities, which in turn alerted the Secret Service.

Carl said his team is still trying to reverse engineer the device found inside the NFC reader at the pump, but that so far it appears its purpose is to act as a Bluetooth communications hub for other skimming devices found at the scene. Turns out, investigators also discovered traditional Bluetooth-based skimming devices attached to the power and networking cables inside various pumps at the compromised filling station.

One of several traditional Bluetooth-enabled card skimming devices found inside pumps at a compromised filling station. Investigators believe this device and others like it found at the station may have been part of a local Bluetooth network that used a device hidden inside the NFC reader on a pump to relay stolen card data via text message.

“Based on the chipsets, and that there were other traditional skimmers in other pumps at the site, we believe this device [the round gizmo found inside the NFC reader] is likely the hub for a Bluetooth local area network,” Carl told KrebsOnSecurity. “So an attacker can install multiple skimmers in different pumps, feed all of that data to this device with Bluetooth, and then relay it all via the cellular connection.”

Many readers have asked if they should be scanning fuel pumps with their smart phones, using either the built-in Bluetooth component or an Android mobile app like Skimmer Scanner. If this seems like fun, then by all means go right ahead, but I wouldn’t count on these methods failing to detect a Bluetooth skimmer at the pump as proof that the pump is skimmer-free.

For one thing, the skimmer detection app detects only one type of Bluetooth module used in these schemes (HC-05), and there are at least three other types commonly found embedded in compromised pumps (HC-06, HC-08 and FCD_1608). And trying to do this with your mobile phone alone is not likely to yield any more conclusive results.
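To make the limitation above concrete, here is an added triage script that is not part of the article or of the Skimmer Scanner app. It parses a constructed listing in the two-column shape of `hcitool scan` output (address, then name), then applies two watch lists: the single HC-05 name the app checks for, and the broader set of module names the article lists. The sample devices, addresses and names are made up; the "Keyboard" entry stands in for a module whose default name has been changed, which no name-based check will flag, and the "n/a" entry for a device whose name could not be resolved.

```python
import re
from typing import Dict, List, Tuple

# Name the scanner app looks for, versus the module names the article lists.
SCANNER_APP_NAMES = {"HC-05"}
KNOWN_MODULE_NAMES = {"HC-05", "HC-06", "HC-08", "FCD_1608"}

# Constructed sample listing; addresses and names are invented for this example.
SAMPLE_SCAN = """Scanning ...
\t98:D3:31:F5:A1:02\tHC-05
\t98:D3:41:F6:B2:11\tHC-06
\t20:17:10:09:44:52\tFCD_1608
\t00:1A:7D:DA:71:13\tn/a
\t3C:71:BF:9A:0C:F0\tJBL Flip 4
\tAA:BB:CC:DD:EE:FF\tKeyboard
"""

# One Bluetooth address followed by whitespace and a free-form name.
LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+(.*?)\s*$")


def parse_scan(text: str) -> List[Tuple[str, str]]:
    """Return (address, name) pairs; header lines and noise are skipped."""
    devices = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            devices.append((m.group(1).upper(), m.group(2)))
    return devices


def triage(devices: List[Tuple[str, str]], watch_names) -> Dict[str, List[Tuple[str, str]]]:
    """Bucket devices: 'match' if the advertised name is on the watch list,
    'unresolved' if no name came back, 'other' for everything else.
    A match only means a module with a default name is in range; a hobbyist's
    project uses the same parts, and a renamed module lands in 'other'."""
    wanted = {n.upper() for n in watch_names}
    buckets: Dict[str, List[Tuple[str, str]]] = {"match": [], "unresolved": [], "other": []}
    for mac, name in devices:
        if name.upper() in wanted:
            buckets["match"].append((mac, name))
        elif name in ("", "n/a"):
            buckets["unresolved"].append((mac, name))
        else:
            buckets["other"].append((mac, name))
    return buckets


def compare_watchlists(text: str = SAMPLE_SCAN) -> Dict[str, int]:
    """Run both watch lists over the same listing and summarize the difference."""
    devices = parse_scan(text)
    narrow = triage(devices, SCANNER_APP_NAMES)
    broad = triage(devices, KNOWN_MODULE_NAMES)
    return {
        "devices": len(devices),
        "narrow_matches": len(narrow["match"]),
        "broad_matches": len(broad["match"]),
        "unresolved": len(broad["unresolved"]),
        "unflagged": len(broad["other"]),
    }


if __name__ == "__main__":
    for key, value in compare_watchlists().items():
        print(f"{key:16s} {value}")
```

On the sample, the HC-05-only check flags one device while the broader list flags three; the renamed module and the unresolved device are flagged by neither, which is why a clean scan says little about whether a pump is compromised.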

Better advice is to patronize filling stations that have upgraded their pumps in the past few years to add more digital and physical security features. As I wrote in last summer’s “How to Avoid Card Skimmers at the Pump,” newer and more secure pumps typically feature a horizontal card acceptance slot along with a raised metallic keypad — much like a traditional payphone keypad.

One other tip from that story: Some pump skimming devices are capable of stealing debit card PINs as well, so it’s a good idea to avoid paying with a debit card at the pump. Armed with your PIN and debit card data, thieves can clone the card and pull money out of your account at an ATM. Having your checking account emptied of cash while your bank sorts out the situation can be a huge hassle and create secondary problems (bounced checks, for instance).

This advice often runs counter to the messaging pushed by fuel station owners themselves, many of whom offer lower prices for cash or debit card transactions. That’s because credit card transactions typically are more expensive to process.


87 comments

  1. To Whom It May Concern,

    My name is Kendall Anderson, and I am the Marketing and PR Manager for FSG Smart Buildings, a division of Facility Solutions Group.

    We have recently developed a skimmer automation solution for the convenience store market that helps c-store owners and operators protect their customers and their brands from skimmers.

    I’ve attached a press release detailing our solution.(https://docs.google.com/document/d/1vUR3aK7k31U3bE8zlDOtMK0wWTm8iX9f1WcmwsIIju8/edit?usp=sharing)

    In particular, I would like to speak with your about our patent-pending radar technology we are using to detect deep insert skimmers. I would be happy to speak more about the credit card skimming issues and what technology companies are doing to protect customers.

    I am always available via email or phone to discuss.

    Thank you and I look forward to hearing from you,

    Kendall Anderson

    • Vikings: Lovely spam! Wonderful spam!
      Waitress: Shut up! Bloody Vikings!

      • When did this start happening? Has KrebsOnSecurity always been spammed like this? This is the second time on two different articles just today that I saw spammers. Kind of annoying to be honest, not sure how that can be prevented.

        • It happens. I sometimes leave the comments up because the marketing people who post them don’t seem to get this actually makes them look spammy.

          • They don’t care how spammy it looks. Their only objective is to link their URLs and search terms to the reputation of KrebsOnSecurity. I assume you have “nofollow” tags in the HTML to help with this but I’d still recommend taking them down before they get any undeserved lift from you.

            Or maybe you want to move their comments to a “hall of shame” page titled “Spammer reviews” filled with fake customer reviews that include words like “deceptive”, “ripped me off”, “hate these guys”, “horrible customer service”, etc.

            • I am not against exhibiting spam as being such.

              On the other side I wouldn’t be surprised if the skimmer protection offered here actually would turn out to be a skimmer the gas station owner actually pays for.

            • I would guess that Brian has better things to spend his time on than shaming a spammer. We commenters are pretty good at that already.

            • I like the idea that “jaded” (the quotes are for context, not sarcasm) had. Kind of like a Hall of Lame for spammers.

          • Mikey Doesn't Like It

            I don’t disagree with you on these spammers, Brian.

            However, I’m concerned that some of them will post something like this and then, in their advertising, say something like “As seen in Krebs on Security” — which (mis)leads people to view that as an endorsement. Which we all know it’s not.

            My vote would be to simply remove it — no need to even get back to them. (If they complain, you point out that it’s your site and your rules…)

            (And besides, it clutters up another otherwise excellent post. )

          • It’s for real? It sure looks like spam. Not too sharp are they?

    • I would like to speak with your also!

    • thanks for the SPAM

  2. In 2019, you should just assume that all elements of technology can be leveraged to screw you over in one way or another.

    Pro tip- lock your debit card in your safe and stick to credit cards and cash.

  3. Fantastic article as always, Brian. Thank you very much! Boy, the level of sophistication with this skimmer seems that the possibilities could be endless for criminals. Not only can these be used in gas pumps, but my initial thinking was how easy it could be just putting them behind self-checkout stations in Target, Walmart, or any retail/grocery store for that matter.

    It’s scary how far we’ve come from actual overlays to a device like this which uses Bluetooth/NFC. Part of me is interested to see what the future holds for skimmers, but the other part becomes increasingly more scared. It seems as though our mitigating factors as just normal users are getting more obsolete and we have to be hyper-aware of these emerging threats.

    • The self-checkout stations you mentioned are different from old gas pumps in that the hardware of the card reader is physically secured inside a tamper detection box. Even inside the cabinet, there is no access to the wires or read head unless you disassemble it further. As soon as you start removing the screws, the tamper detection circuit is tripped. At that moment the PIN pad destroys its encryption keys; this bricks the device.

      Inside these old gas pumps, all the card reader wires are exposed, allowing the crooks to tap into them. That’s why Brian recommends only visiting pumps that have the newer hardware.

      • @jaded
        Okay, that makes more sense then. I was thinking of it in more general terms. Thank you for your comment!

        • You also have to consider that the cash registers at major retailers are likely under constant video surveillance. It’d be hard to sneak a physical device on to those without getting caught, if not during the act then after the fact when they check the tapes. A lot of these gas stations are off the beaten track or lack surveillance, making it much easier for crooks to sneak in and out.

          • “You also have to consider that the cash registers at major retailers are likely under constant video surveillance. It’d be hard to sneak a physical device on to those without getting caught, if not during the act then after the fact when they check the tapes.”

            Very good point! I recall watching a video (I actually think it may have been an older post on KrebsOnSecurity) where several individuals placed overlays on the POS machines in retail stores when the cashiers weren’t aware or paying attention. Sure, the cameras got it all on tape, but it shows just how quickly this can be done. But, I’d imagine if the device is much smaller than a typical overlay, it may be much harder for the camera to pick this up. It almost pays to be paranoid nowadays.

  4. Robert Scroggins

    How expensive is this new setup? Is it cheap enough that it will become widespread?

    Regards,

  5. Who thought that the fraud is over in the USA..
    How long will the Federal Reserve keep printing out the worthless dollars??
    IF fraud is on.. it means the FED is still printing more debt.

    My question is, are they gonna write off all this USA financial debt!?

  6. Another way to combat this is to use captive chain credit cards when possible, i.e. Conoco or Sinclair. Yes the interest rate is probably exorbitant, but not if you pay them off every month. The plus side is if they steal the card number all they can do with it is buy gas somewhere, which likely makes them unattractive. I don’t carry many of them or use them exclusively, but if you frequent one store or chain it’s a decent alternative.

  7. So the skimmer was found INSIDE the pump? They are usually locked up pretty well, so it involves people who either work at the station, or service the pumps. That’s a much smaller subset of people than just anyone rolling up to a pump and sticking on a skimmer over the existing card slot.

    • There were two different components. The small circular thing with the bluetooth and SMS capability was found on the external part of the pump, hidden under the cap of the NFC reader. There also were bluetooth skimmers inside the guts of the pumps themselves that relayed stolen card data to the device hidden in the NFC reader for sending out via SMS.

      • Maybe the pumps can be unlocked using a master key for service purposes…

        • I’m not sure you’d really need a master key for these. I’m a NOVICE-NOVICE lock picking enthusiast. The locks I’ve seen on gas stations are very cheap looking, and it wouldn’t surprise me if you would really “need” the actual key to open them up. I’ve often found that a key that is similar to the real key, plus some jiggling, can open most cheap locks.

          On top of that, I have a few pictures of times I’ve found parts of gas station machines unlocked with the doors somewhat closed. One time it was an access panel with two USB ports. I’ve seen the same machine showing a bash shell logged in as root, so I’m guessing those ports would be pretty valuable to an attacker that knew what they were doing.

          • Stations keep putting “no tamper” tape across the keyways and across the access door seams, but people keep breaking or cutting those tapes, just because it’s there.

            I happen to like the Exxon SpeedPass, which used to be a fob, but it’s now a phone app. Authorize payment through the app, and the pump is ready to go. It does not use NFC or Bluetooth, but uses your location via the app. My wallet never comes out of my pocket.

          • As far as keys go – my local sheriff department says you are correct. But then again, the new hardware may include better pump physical security. (I hope)

      • Question: How is that small external circular thing with the bluetooth and SMS capability powered? If it’s a battery, it won’t last very long and then someone would need to service it.

      • You reported on a similar story back in 2014 Jan. You buy the $8 universal gas pump key on eBay. You install the bluetooth skimmer in the gas pump. Revisit and download the data using your smartphone via bluetooth. You don’t even have to open the gas pump again.

        https://techcrunch.com/2014/01/23/four-indicted-for-installing-undetectable-card-skimmers-inside-gas-pumps/

  8. I am a Cyber Security Analyst, but also a ham radio operator. One fun item I have played with in the past is an SDR (Software Defined Radio). It uses a flash drive like receiver that plugs into a USB port where software is used to analyze the spectrum. It also connects to an antenna. It has the capability of a wide frequency range. I have adapters to hook it up to my Android phone also. I wonder if something like that could be used to “quickly” check for rogue BlueTooth devices. Does enabled BT emit a signal at all times (similar to a SSID beacon) or only when transmitting?

    • The problem when scanning for any type of Bluetooth transmission is that this is a protocol which was designed from the ground up to be hard (if not impossible) to hijack. Part of this is accomplished by switching frequencies many times a second, which means that even if you detect a signal it’s only temporary until it shifts, making tracking a full communication sequence pretty hard.
      It can be done, but it requires NSA-like resources to spy on a BT connection.

  9. I am just wondering: what is the best way to protect ourselves when, say, you are travelling & need to fuel your vehicle (or rental) up? Or you want to pop in a convenience store for a junk-food fix? Go back to carrying fistfuls of dollars???

    I’ve always used only CC cards (now ours have the chip), but does this skimming tech in this article even allow bad actors to still get all the info off one’s “chip”-ped credit card and commit fraud with it?

    Sometimes, I stare at the few remaining greenbacks I carry in my wallet and I’m overtaken by its simplicity, fungibility, anonymity, and relative safety. Dang………….

    • Currently most of the gas pumps don’t actually use the chip reader even if they have one. You can always tell when you get the prompt ‘Remove Card Quickly’, that means they’re reading the mag stripe.

      Until we get rid of the mag stripe on the back of the cards we’ll continue to have skimming.

      I prefer to use the ‘Tap’, but I’ve only seen a few gas pumps that actually implement it.

    • Belli,

      The vast majority of gas pumps in the US do not use chip reading technology. Until 2020, gas stations without chip reading technology at the pump are not liable for any fraud that occurs there, so they have no incentive to move to the technology.

      For now, the safest option is to pay inside using cash, the next safest would be to pay with your card inside the station and always use your chip when possible, and if it’s a debit card, NEVER use your PIN at either the pump, or the terminals in the store.

    • You already have protection by using a credit card. If you check your account every few days and report any fraud you see, you will not be liable. Skimmers only work on debit cards users or the inattentive.

  10. In the 90’s, skimmers didn’t have nfc to contend with, and early researchers found that tuned devices could read nfc up to across the block. Now fast forward to today. The nfc does not have to be activated to be read. Oh cool. I would bet, part of the circuit is a reader, part of the circuit is a recorder, and the mini antenna, could broadcast thru the plastic trash can at the fueling spot. And don’t forget 5 g is coming up. New frequencies coming up. Smaller yet phones.

    • The article doesn’t state or imply that NFC signals are being intercepted in any way. It’s just that the hardware is hidden under a cap on the NFC reader. In fact it flat out states that the device is not collecting NFC data at all, it’s just using the scanner as camouflage.

      • Yes, and everyone is into nfc via Bluetooth, so far, the neat ideas are scams to let you receive the open line, no one has yet deciphered the system. So there has to be a ram/ storage area to hold data in a convenient format, it’s not bursted out as a overall reading of the card. And heck, I’ve even heard of quiet till command controls. So, can you read it? Or explore it cleanly. Or would a blanker assist you with safety? No.. but blankers are black market, and would have to be timed to the traffic burst. And would interfere with the nfc communication. Which would pose an interesting problem? Encrypted nfc, stronger signals? Pretty soon, you would have to have a power supply to use the nfc card, oh, that’s the why of using the phone as a tfa.
        But that defeats the purpose of the new cards. Speed of transactions. Safety of transactions, and convenience. But how does that reconcile, I need a gallon of gas, to run my lawnmower, and not lose my life savings?

  11. You do not catch the prey by removing their interests.

    In short, it would make sense to use the devices against the fraudster. For instance, find the device and feed it false information. The reputation of the individual selling the information will be tarnished and if or when the information is used, it will lay a trail of breadcrumbs for law enforcement. Law enforcement could provide the major credit card processing companies like VISA with the “false information” and when they get a hit, alert law enforcement to what’s happening and where.

    Providing the information to the card processors, which are fewer than the multitude of possible retail locations, will give law enforcement a larger net to catch the fraudsters.

    I hope that law enforcement has already thought of this.

  12. We need to tell these criminals they are not compliant with DSS requirement 4.2, then maybe they’ll stop…

    [4.2] Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, SMS, chat, etc.).

    Some PCI humor for all those box ticker QSAs out there 😉

  13. APC

    Always Pay Cash

  14. The Sunshine State

    Awesome article, a real close up view of that multi-functional wireless device would have been the icing on the cake!

  15. Implied but not stated by the article, use a contactless payment method whenever possible. The one-time use token most of them generate is useless to a criminal, they don’t transmit your actual CC numbers or anything so your data can’t be sold and exploited. IMH, uneducated opinion, that’s the safest method to pay for stuff in 2019. Magstripes are so 1965, like your headphone jack.

    • I was surprised to read here, that phone apps are so secure; but then, if you have malware on your phone it isn’t going to matter anyway, because you have already been pwned.

    • Or you could, you know, just upgrade to chip and pin with tokenization like most other countries.

  16. The only way this will stop is to pass PART of the cost of the fraud on to the business accepting payments and the company maintaining them. While not a popular opinion, it will force them to take their customers’ security seriously. Changing the locks on the pumps from master keyed locks, installing and checking tamper proof seals and measures. Cameras aiming at pumps etc.. while I know they contract out pump maintenance etc, they could still give the key to the manager to hold on to the master keys so they don’t get out in the wild. Have employees check pumps for oddities, changes etc. Right now there is basically zero reason for them to care about skimmers etc since there is no liability.

  17. If the device uses SMS to send the data anywhere in the world, can’t the phone number be tracked to the owner? Just a thought.

    • Ever heard of “burner” phones? Just having the number would be of limited value, I’d suspect. But if you could get their location while gathering the data, you could catch them in the act. How to do that is very difficult, if they are nowhere near the location though. With this kind of tech, they could be 1000 miles away and be monitoring hundreds of locations all at once. The hardware is throw away – they don’t care if they lose it, and in fact probably never try to recover it.

      If it were possible to trace a phone location simply by calling the number, even if they don’t answer, then there might be success, but it would take a nation wide enforcement agency like the Secret Service to pull that off – I’m not sure it is possible though; without a response from the original number. They would have to be pretty stupid to answer any calls or texts no matter what origin.

      • If a cell phone is powered up, it can be located. The phone number can be tied to a service provider. The service provider can look up the IMEI / MEID / ESN. From there it’s just a matter of looking at which cell towers are pinging that phone. Triangulate…done. Within a small area. The three letter government agencies roll out equipment vans that can pinpoint the phone’s location.

        • Thanks for your contribution! If this is the case, and I were the crook, I wouldn’t turn it on until I was ready to offload the data, then turn it off again. It still seems tricky, but as you say, the three letter LEAs can probably get to them anyway.

  18. Thanks, Brian. A helpful heads-up, as usual. Have a question, though. I noticed that the email notification for this article was sent from krebsonsecurity[at]gmail[dot]com, not the usual bk[at]krebsonsecurity[dot]com. I almost deleted the notice without reading it, assuming that some miscreant had appropriated your identity, but when I expanded the email header, I found that the return path was identical to past notices, so concluded that the message was legitimate. Just wondering if this is a permanent change.

  19. Thank you, Brian, for your quick response and for getting the notices out despite the hiccup …… and manually, to boot! You are indeed a man on a mission.

  20. If I found a tracker on my car, I wouldn’t put it on a pump, I’d put it on a long-haul trailer.

  21. “Fraud investigators say they’ve uncovered a sophisticated new breed of credit card skimmers being installed at gas pumps that is capable of relaying stolen card data via mobile text message. KrebsOnSecurity has since learned those claims simply don’t hold water.”

    Brian, just wanted to ask you to clarify something. Are you saying that cellular skimmers do not exist or that this particular device was not one designed to transmit track data via SMS? I’ve recovered several skimmers with those capabilities over the past several years.

  22. Another great story Brian. You can tell the device on the picture is just a tracking device made by U blox. U blox makes tracking devices for cars to transform real time GPS information and that is why it has a mobile sim in it, so maybe someone just realized it and left it by the pump. Again unless it was tweaked to send messages of card numbers from the skimming device. However, it is really interesting how these guys try different ways to carry out this extortion on a daily basis.

    • Not sure about devices, but U-Blox also simply makes GPS and other chips. I can buy a U-Blox chip for use on custom made drones for very cheap and they are compatible with everything from a PC to open source drone flight controllers to Raspberry Pi’s.

  23. Mmmhh “the much smaller, square module below and to the left is thought to be built to handle Bluetooth communications”…. That smaller square module is a GNSS, as you can learn by clicking on the link you provided.
    So, the full device seems much more a tracker than something else…

  24. Do these NFC skimmers impact Apple Pay payments that are available on modern pumps? I am assuming they don’t b/c Apple Pay is token based but I wouldn’t mind confirmation.

    My new “go to” solutions for fuel pumps are Apple Pay whenever possible or, in Exxon stations that support it, app payments (you activate the pump using an app on your phone; I never touch the pump other than to choose the grade).

    @BK, thanks for all your work!

  25. Brian
    I’m unclear from your update if the device is capable of compromising NFC payment methods. Can you clarify please?

  26. I’d be curious to know how many articles were written off BK’s original story and never updated. Also, has the Secret Service retracted their original warning?

    I subscribe to the KOS RSS feed and didn’t get a ping that this article was updated. It’s only by procrastination and sloth that I came around to read it after the update.

  27. I had a friend who is dead by now because of a drug overdose..
    He used to work with dumps; he did shopping with dumps and always had a lot of money.

    One day he tried to explain the dumps job to me: how to get them, how to copy them and go shopping or do ATM jobs.

    To be honest it was too complicated for me… and I still think it is.

  28. That GPS device could well be a skimmer hub if they modified the standard tracker firmware to make it into a bluetooth-to-cellular skimmer hub. Repurposing an off-the-shelf gizmo into something else is a pretty common thing hackers and hobbyists do.

    Recently a local surplus store was selling a commercial truck tracker (new, unused, made by a defunct company) for $10. It had a GPS board, cell modem board, antennas, power supply, and a CPU board in it. I didn’t try to hack the CPU board, but did use the GPS and modem boards for other projects.

  29. “The most likely explanation as to why this tracker was on the side of a gas pump to begin with is that someone who was being tracked discovered it and left it at the station.”

    Pretty sure that was Walter White.
