Tiny hidden spy cameras are a common sight at ATMs that have been tampered with by crooks who specialize in retrofitting the machines with card skimmers. But until this past week I’d never heard of hidden cameras being used at gas pumps in tandem with Bluetooth-based card skimming devices.
Apparently, I’m not alone.
“I believe this is the first time I’ve seen a camera on a gas pump with a Bluetooth card skimmer,” said Detective Matt Jogodka of the Las Vegas Police Department, referring to the compromised fuel pump pictured below.
It may be difficult to tell from the angle of the photograph above, but the horizontal bar across the top of the machine (just above the “This Sale $” indicator) contains a hidden pinhole camera angled so as to record debit card users entering their PIN.
Here’s a look at the fake panel removed from the compromised pump:
Jogodka said although this pump’s PIN pad is encrypted, the hidden camera sidesteps that security feature.
“The PIN pad is encrypted, so this is a NEW way to capture the PIN,” Jogodka wrote in a message to a mailing list about skimming devices found on Arizona fuel pumps. “The camera was set on Motion, [to] save memory space and battery life. Sad for the suspect, it was recovered 2 hours after it was installed.”
Whoever hacked this fuel pump was able to get inside the machine and install a Bluetooth-based circuit board that connects to the power and can transmit stolen card data wirelessly. This allows the thieves to drive by at any time and download the card data remotely from a mobile device or laptop.
This kind of fuel pump skimmer, while rare, serves as a reminder that it’s a good idea to choose credit over debit when buying fuel. For starters, there are different legal protections for fraudulent transactions on debit vs. credit cards.
With a credit card, your maximum loss on any transactions you report as fraud is $50; with a debit card, that protection applies only within two days of the unauthorized transaction. After that, the maximum consumer liability can increase to $500 within 60 days, and to an unlimited amount after 60 days.
In practice, your bank or debit card issuer may still waive additional liabilities, and many do. But even then, having your checking account emptied of cash while your bank sorts out the situation can still be a huge hassle and create secondary problems (bounced checks, for instance).
Interestingly, this advice against using debit cards at the pump often runs counter to the messaging pushed by fuel station owners themselves, many of whom offer lower prices for cash or debit card transactions. That’s because credit card transactions typically are more expensive to process.
Anyone curious how to tell the difference between filling stations that prioritize card security versus those that haven’t should check out How to Avoid Card Skimmers at the Pump.
Promoting the use of credit cards is promoting an economy of credit where banks skim around 3 to 4% off all transactions.
What? Funny how I pay my balance every month and never see that so-called interest you’re talking about.
He isn’t talking about interest. He is talking about the fee retailers pay for accepting credit cards. Usually $0.3 + 3% of the purchase.
You can always use cash, promote shadow economy and tax evasion!
You [Americans] could also do the world a favour and move to chip and pin….
You Brits could do the world a favor and drop those extra “u” letters.
The European Union has “persuaded” the big card schemes to lower their fees. 0.2% for debit transactions and 0.3% for credit transactions. We have, in addition to this a number of national card schemes in Europe that are very competitive in their fees.
A recent analysis performed by our National Bank of Denmark did show that the cheapest way of paying is by using the national card scheme, closely followed by debit cards. The cost of handling cash is higher.
A simple cover above the keypad would help.
It should be the responsibility of the vendor to protect its customer.
Such a publicly exposed keypad is really a SCAM; maybe the vendor is in cooperation with such a scammer?
😉
Not necessarily. Even seeing the motion of the index finger is enough to identify the numbers one is pressing due to the standardized button layout of the pin pad.
I work in the FI in Credit Card Fraud Recovery at a Credit Union. I really appreciate this article and will be sending it to other co-workers.
Because most gas pumps have not converted to Chip enabled terminals this theft continues unabated. External gas pumps have the Merchant category code of 5542. VISA has repeatedly exempted year after year this category code from having to convert while every other merchant is liable if they don’t convert to Chip enabled terminal readers. Why does VISA keep giving extensions to billion dollar oil companies? We all know the answer. Money. The gas stations don’t want to pay for the upgrades.
And why should they? According to VISA network rules the issuing bank or credit union that issued the card can’t chargeback that transaction for fraud. However, the inside of the gas station is Merchant category code MCC 5541 and the issuer of the credit card or debit card CAN chargeback that transaction for fraud. Where I work at has a Zero fraud Liability for any transaction if it’s confirmed Fraud. That’s for Debit and Credit.
Why is this important? Because the new chip cards are incredibly difficult to counterfeit. I have read this year where two hackers were able to counterfeit chip cards but it’s extremely rare.
My question is this. So the Bluetooth camera caught the pin being punched in. Unless the thief stole the card what good is that? Are they cloning debit cards with the chip technology on this article above? Or are they just cloning the magnetic strip?
I believe the magnetic strip details on chip cards still contain information that allows criminals to create a counterfeit non-chip card and make spends at locations where merchants have not switched to EMV. I do not believe they are producing counterfeit chip enabled cards.
You don’t need to go to a store with non-chip registers. Go to any store with a counterfeit card that includes a dummy chip. Every chip-enabled register will take the magnetic strip as a backup when it can’t read the chip for whatever reason.
Magstripe is being phased out outside the USA. It is no longer allowed to use Magstripe in ATMs and Fuel dispensers in large parts of Europe. Fallback has been disabled. It is as well a requirement from the large card schemes that terminals supporting contact chip cards must as well support contactless card readers.
This is not really true. The merchant determines if they want to accept fall back transactions to mag stripe or not. If they wanted to be 100% sure that it was not a fake card, they could not allow fallback to mag stripe and root them out this way. Most will not do this though since it is seen as a hassle for the customer.
I work for financial institution, and in our case if you present one of our debit cards at an ATM and the chip cannot be read correctly, we don’t allow fallback to mag stripe. Can it be a pain? Sure. But our customers are sure happy when their accounts aren’t drained of their funds as well.
There certainly is a cost to adding chip and PIN functionality to all of these systems too, but at the end of the day it is the right thing to do. We not only went to chip and PIN but also added significantly improved physical security layers beyond chip readers when we rolled out the new functionality. If you want to look at it from the purely bottom line perspective, fraud costs a lot of money, preventing it is cheaper than trying to recover funds. Financial institution customers also have a tendency to blame the institution, not the unprotected merchant, for the fraud. So from a purely customer relations standpoint the more an institution can do to show they are being proactive, the better their customer relationships will be.
Unfortunately gas stations are still the wild west when it comes to chip and PIN. If Visa would stop exempting them from the new rules the US would be a better place. At this point it is clear businesses have placed their bottom line ahead of the safety of their customers. Yes this comment is aimed at the mom and pop gas stations as much as huge companies. Every time a mandate like this comes out the first excuse to be brought up is about how much of a financial hardship XYZ change will be and it will destroy the industry. Somehow the rest of the world has managed to come to terms with chip and PIN and it didn’t wipe out all of the gas station franchise operations. It is time to stop making excuses and just get it done.
If Visa would stop granting exemptions, the cost of the fraud would get to the point where the cost of adding the enhanced security features would make sense and these station owners would do it. Time and time again the only way to make change happen is to make the alternative so distasteful that to not change is unfathomable. Remove the exemptions and adding chip and PIN to gas station pumps will fall into this category.
The readers look to the magnetic strip to see if the card has a chip or not, the mag strip is just 0’s and 1’s essentially, you can see it with magnetic dust and it’s essentially a bar code… the difference between chip and no chip is one bit, so if someone can duplicate the card they can just change it to no chip.
It is correct that the “service code” in the magstripe tells whether or not there is a chip on the card, but some of the additional data in the magstripe has a different content as well. This is (should be) verified once the transaction reaches the issuer.
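Added example, not part of the original post or of any commenter's words: a sketch of the issuer-side checks the comments above describe, reading the service code from Track 2 data and refusing magstripe fallback for chip cards. The function names, entry-mode labels, decision strings and the issued_with_chip flag are assumptions made for illustration, and the sample stripes are constructed from a well-known test card number.

```python
import re
from dataclasses import dataclass

# Track 2 layout (ISO/IEC 7813):
#   ; PAN = YYMM  3-digit service code  discretionary data ?
TRACK2 = re.compile(r"^;(\d{12,19})=(\d{4})(\d{3})(\d*)\?$")

# First service-code digit 2 or 6 tells the terminal "this card has a chip, use it".
CHIP_FIRST_DIGITS = {"2", "6"}

# Constructed samples built on a well-known test card number, not real card data.
CHIP_STRIPE = ";4111111111111111=30122010000000000?"     # service code 201
ALTERED_STRIPE = ";4111111111111111=30121010000000000?"  # service code 101


@dataclass
class Track2:
    pan: str
    expiry: str
    service_code: str

    @property
    def chip_indicated(self) -> bool:
        return self.service_code[0] in CHIP_FIRST_DIGITS


def parse_track2(raw: str) -> Track2:
    m = TRACK2.match(raw.strip())
    if m is None:
        raise ValueError("not a well-formed Track 2 string")
    return Track2(pan=m.group(1), expiry=m.group(2), service_code=m.group(3))


def issuer_decision(raw, entry_mode, terminal_reads_chip, issued_with_chip):
    """Hypothetical issuer-side rule for one authorization request."""
    if entry_mode != "magstripe":
        return "not-magstripe"          # chip or contactless: other checks apply
    card = parse_track2(raw)
    # The issuer knows which cards it issued with a chip; a stripe that
    # claims otherwise was not written by the issuer.
    if issued_with_chip and not card.chip_indicated:
        return "decline:service-code-mismatch"
    # Strict no-fallback policy: chip card swiped at a chip-capable terminal.
    if card.chip_indicated and terminal_reads_chip:
        return "decline:fallback-not-allowed"
    return "continue"                   # hand over to the remaining fraud checks


if __name__ == "__main__":
    print(issuer_decision(CHIP_STRIPE, "magstripe", True, True))
    print(issuer_decision(ALTERED_STRIPE, "magstripe", True, True))
    print(issuer_decision(CHIP_STRIPE, "magstripe", False, True))
```

The third call models a pump that has no chip reader: the swipe is not a fallback there, so the rule passes the request on to the issuer's other checks instead of declining it.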
To your question, the hidden camera is usually installed in combination with a card skimmer. With the stolen data along with the PIN, they draw money out or run up charges elsewhere. My neighborhood association reported our local gas station on the corner as a target after 3 persons complained about erroneous charges appearing after gas up, and that is exactly what they found.
Hey uh… mom & pop gas stations, like most gas stations in America, are not “billion dollar oil companies.” Maybe that’s why they’re getting exemptions?
And from what I have heard from many small retailers, the chip hardware is priced in the “unconscionable” range. Many simply can’t afford it. They are forced to get it anyway.
Like many other regulations and policies, both public and private, all of this suits large corporations very well — because they can afford it, and it puts their smaller, independent competition in a world of hurt.
The rest of the world has adopted chip card readers for gas stations. The chip card reader is not the expensive part. The expensive part is making the overall terminal secure. The world outside the USA has been able to adapt to this.
Buy an electric car. You’ll never have to visit a gas station again.
No, You buy me the car and I won’t have to buy gas again. Smh Bobby g up in here tryna tell people what to buy
Ah, but the ones at my workplace take a credit card to charge up your eCar. They don’t give away kilowatt-hours of electricity free. So it’s just a matter of time before this kind of fraud moves to charging stations also.
The vast majority of charging stations are pre-pay… no Point of Sale terminals, just NFC tags to charge your account.
Now, of course, these tags are clonable, but there is a layer of abstraction that can be revoked. A layer between your bank and the cloned card… so it would only allow the thief to purchase that specific item (electricity), and nothing more.
It is rare, and stupid, for Electric Car chargers to have point of sale terminals on charging stations. It is bad practice to have them unsupervised. Gas stations at least have cameras, and skimmers are still a huge problem. EV chargers are even more secluded and cannot really be supervised or have good surveillance coverage.
Which EV charger maker has credit card readers at your work? This is not where the industry is headed, quite the opposite.
I was there was some way to yell from the mountain top for people to stop using their debit cards.
I’m always behind some little old lady at the grocery store who’s entering her pin number.
Can I see it? Yep.
Can the video camera above the register see it? Yep.
Fortunately most of the businesses in the small Arizona town I live in have adopted the chip readers and some have even started using Apple Pay readers.
A quick double tap on my phone or watch and out comes the receipt. You don’t even need to sign anything.
Quicker than money or credit/debit cards and safer.
I can’t remember the last time my cc was swiped.
The Chevron gas station just put in new pumps and I can use Apple Pay there also.
You know who’s getting my business.
“I wish there was”
Another way to avoid this is to go inside the store and tap. Until the service station actually changes over to the chip and tap pay, you will see this happen over and over.
Two things:
One, who has time to go inside and wait in line behind teenagers buying Big Gulps?
Two, who really believes that if we solve the gas pump problem the bad guys won’t immediately think up some newer, better scam?
Dear credit union buffoon
Son, ineptitude is just as much a problem as negligence is.
Dumb lead the dumb lest they jump off of a bridge. Perhaps somebody should direct him to gollumfungus podcast/blog posts. Facepalm….
Btw please rtfm
Wow, none of this crosses my mind as I go in and say to the cashier, “$20 on #4” and hand over the appropriate Federal Reserve note.