25
Nov 19

Hidden Cam Above Bluetooth Pump Skimmer

Tiny hidden spy cameras are a common sight at ATMs that have been tampered with by crooks who specialize in retrofitting the machines with card skimmers. But until this past week I’d never heard of hidden cameras being used at gas pumps in tandem with Bluetooth-based card skimming devices.

Apparently, I’m not alone.

“I believe this is the first time I’ve seen a camera on a gas pump with a Bluetooth card skimmer,” said Detective Matt Jogodka of the Las Vegas Police Department, referring to the compromised fuel pump pictured below.

The fake panel (horizontal) above the “This Sale” display obscures a tiny hidden camera angled toward the gas pump’s PIN pad.

It may be difficult to tell from the angle of the photograph above, but the horizontal bar across the top of the machine (just above the “This Sale $” indicator) contains a hidden pinhole camera angled so as to record debit card users entering their PIN.

Here’s a look at the fake panel removed from the compromised pump:

A front view of the hidden camera panel.

Jogodka said although this pump’s PIN pad is encrypted, the hidden camera sidesteps that security feature.

“The PIN pad is encrypted, so this is a NEW way to capture the PIN,” Jogodka wrote in a message to a mailing list about skimming devices found on Arizona fuel pumps. “The camera was set on Motion, [to] save memory space and battery life. Sad for the suspect, it was recovered 2 hours after it was installed.”

Whoever hacked this fuel pump was able to get inside the machine and install a Bluetooth-based circuit board that connects to the power and can transmit stolen card data wirelessly. This allows the thieves to drive by at any time and download the card data remotely from a mobile device or laptop.

The unauthorized Bluetooth circuit board can be seen at bottom left attached to the pump’s power and card reader.

This kind of fuel pump skimmer, while rare, serves as a reminder that it’s a good idea to choose credit over debit when buying fuel. For starters, there are different legal protections for fraudulent transactions on debit vs. credit cards.

With a credit card, your maximum loss on any transactions you report as fraud is $50; with a debit card, that protection extends only to within two days of the unauthorized transaction. After that, the maximum consumer liability can increase to $500 within 60 days, and to an unlimited amount after 60 days.

In practice, your bank or debit card issuer may still waive additional liabilities, and many do. But even then, having your checking account emptied of cash while your bank sorts out the situation can still be a huge hassle and create secondary problems (bounced checks, for instance).

Interestingly, this advice against using debit cards at the pump often runs counter to the messaging pushed by fuel station owners themselves, many of whom offer lower prices for cash or debit card transactions. That’s because credit card transactions typically are more expensive to process.

Anyone curious how to tell the difference between filling stations that prioritize card security versus those that don’t should check out How to Avoid Card Skimmers at the Pump.

The compromised pump with the hidden camera bar still attached. Newer, more secure pumps have a horizontal card reader and a raised metallic keypad.


91 comments

  1. Maurice W Hilarius

    Promoting the use of credit cards is promoting an economy of credit where banks skim around 3 to 4% off all transactions.

  2. A simple cover above the keypad would help.
    It should be the responsibility of the vendor to protect its customer.

    Such a publicly exposed keypad is really a SCAM; maybe the vendor is in cooperation with such a scammer?
    😉

  3. Credit Union Guy

    I work in the FI in Credit Card Fraud Recovery at a Credit Union. I really appreciate this article and will be sending it to other co-workers.

    Because most gas pumps have not converted to Chip enabled terminals this theft continues unabated. External gas pumps have the Merchant category code of 5542. VISA has repeatedly exempted year after year this category code from having to convert while every other merchant is liable if they don’t convert to Chip enabled terminal readers. Why does VISA keep giving extensions to billion dollar oil companies? We all know the answer. Money. The gas stations don’t want to pay for the upgrades.

    And why should they? According to VISA network rules the issuing bank or credit union that issued the card can’t chargeback that transaction for fraud. However, the inside of the gas station is Merchant category code MCC 5541 and the issuer of the credit card or debit card CAN chargeback that transaction for fraud. Where I work has a Zero fraud Liability for any transaction if it’s confirmed Fraud. That’s for Debit and Credit.

    Why is this important? Because the new chip cards are incredibly difficult to counterfeit. I have read this year where two hackers were able to counterfeit chip cards but it’s extremely rare.

    My question is this. So the Bluetooth camera caught the pin being punched in. Unless the thief stole the card what good is that? Are they cloning debit cards with the chip technology on this article above? Or are they just cloning the magnetic strip?

    • I believe the magnetic strip details on chip cards still contain information that allows criminals to create a counterfeit non-chip card and make spends at locations where merchants have not switched to EMV. I do not believe they are producing counterfeit chip enabled cards.

      • You don’t need to go to a store with non-chip registers. Go to any store with a counterfeit card that includes a dummy chip. Every chip-enabled register will take the magnetic strip as a backup when it can’t read the chip for whatever reason.

        • Magstripe is being phased out outside the USA. It is no longer allowed to use Magstripe in ATMs and Fuel dispensers in large parts of Europe. Fallback has been disabled. It is as well a requirement from the large card schemes that terminals supporting contact chip cards must as well support contactless card readers.

      • The readers look to the magnetic strip to see if the card has a chip or not, the mag strip is just 0’s and 1’s essentially, you can see it with magnetic dust and it’s essentially a bar code… the difference between chip and no chip is one bit, so if someone can duplicate the card they can just change it to no chip.

        • It is correct that the “service code” in the magstripe tells whether or not there is a chip on the card, but some of the additional data in the magstripe has a different content as well. This is (should be) verified once the transaction reaches the issuer.

    • To your question, the hidden camera is usually installed in combination with a card skimmer. With the stolen data along with the PIN, they draw money out or run up charges elsewhere. My neighborhood association reported our local gas station on the corner as a target after 3 persons complained about erroneous charges appearing after gas up, and that is exactly what they found.

    • Hey uh… mom & pop gas stations, like most gas stations in America, are not “billion dollar oil companies.” Maybe that’s why they’re getting exemptions?

      And from what I have heard from many small retailers, the chip hardware is priced in the “unconscionable” range. Many simply can’t afford it. They are forced to get it anyway.

      Like many other regulations and policies, both public and private, all of this suits large corporations very well — because they can afford it, and it puts their smaller, independent competition in a world of hurt.

      • The rest of the world has adopted chip card readers for gas stations. The chip card reader is not the expensive part. The expensive part is making the overall terminal secure. The world outside the USA has been able to adapt to this.

  4. Buy an electric car. You’ll never have to visit a gas station again.

    • No, You buy me the car and I won’t have to buy gas again. Smh Bobby g up in here tryna tell people what to buy

    • Ah, but the ones at my workplace take a credit card to charge up your eCar. They don’t give away kilowatt-hours of electricity free. So it’s just a matter of time before this kind of fraud moves to charging stations also.

      • The vast majority of charging stations are pre-pay… no Point of Sale terminals, just NFC tags to charge your account.
        Now, of course, these tags are clonable, but there is a layer of abstraction that can be revoked. A layer between your bank and the cloned card… so it would only allow the thief to purchase that specific item (electricity), and nothing more.

        It is rare, and stupid, for Electric Car chargers to have point of sale terminals on charging stations. It is bad practice to have them unsupervised. Gas stations at least have cameras, and skimmers are still a huge problem. EV chargers are even more secluded and cannot really be supervised or have good surveillance coverage.

        Which EV charger maker has credit card readers at your work? This is not where the industry is headed, quite the opposite.

  5. I wish there was some way to yell from the mountain top for people to stop using their debit cards.

    I’m always behind some little old lady at the grocery store who’s entering her pin number.
    Can I see it? Yep.
    Can the video camera above the register see it? Yep.

    Fortunately most of the businesses in the small Arizona town I live in have adopted the chip readers and some have even started using Apple Pay readers.
    A quick double tap on my phone or watch and out comes the receipt. You don’t even need to sign anything.

    Quicker than money or credit/debit cards and safer.
    I can’t remember the last time my cc was swiped.

    The Chevron gas station just put in new pumps and I can use Apple Pay there also.

    You know who’s getting my business.

  6. Another way to avoid this is go inside the store and tap. Until the service stations actually change over to the chip and tap pay, you will see this happen over and over.

    • Two things:
      One, who has time to go inside and wait in line behind teenagers buying Big Gulps?
      Two, who really believes that if we solve the gas pump problem the bad guys won’t immediately think up some newer, better scam?

  7. Dear credit union buffoon
    Son, ineptitude is just as much a problem as negligence is.
    Dumb lead the dumb lest they jump off of a bridge. Perhaps somebody should direct him to gollumfungus podcast/blog posts. Facepalm….

    Btw please rtfm

  8. Wow, none of this crosses my mind as I go in and say to the cashier, “$20 on #4” and hand over the appropriate Federal Reserve note.
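
An added example, not from the article or any commenter: a sketch of the issuer-side check discussed in the replies under comment 3, where the magstripe "service code" says whether the card has a chip and the issuer verifies it when the transaction arrives. The `CardRecord` fields, the entry-mode labels and the sample track strings are constructed assumptions; the track layout and service-code digits follow ISO/IEC 7813.

```python
import re
from dataclasses import dataclass

# ISO/IEC 7813 Track 2: ;PAN=YYMM, 3-digit service code, discretionary data, ?
TRACK2 = re.compile(
    r"^;(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$"
)

# First service-code digit 2 or 6 means the card carries a chip (IC).
CHIP_FIRST_DIGITS = {"2", "6"}


@dataclass
class CardRecord:
    """Hypothetical issuer-side record of what was encoded at issuance."""
    pan: str
    issued_service_code: str


def parse_track2(raw):
    """Split a Track 2 string into its fields, rejecting malformed input."""
    m = TRACK2.match(raw.strip())
    if m is None:
        raise ValueError("not a well-formed Track 2 string")
    return m.groupdict()


def review_authorization(raw_track2, entry_mode, record):
    """Return the reasons an issuer might decline or refer this request.

    entry_mode is 'chip', 'swipe' or 'fallback' (labels assumed here).
    """
    track = parse_track2(raw_track2)
    flags = []
    if track["pan"] != record.pan:
        flags.append("pan_mismatch")
    # A stripe re-encoded to claim "no chip" no longer matches the record.
    if track["svc"] != record.issued_service_code:
        flags.append("service_code_altered")
    # A chip card presented by stripe: genuine read failure or counterfeit.
    if record.issued_service_code[0] in CHIP_FIRST_DIGITS and entry_mode != "chip":
        flags.append("magstripe_used_on_chip_card")
    return flags


# Constructed sample data: a test PAN issued with chip service code 201.
RECORD = CardRecord(pan="4111111111111111", issued_service_code="201")
GENUINE = ";4111111111111111=25122010000000000?"
ALTERED = ";4111111111111111=25121010000000000?"  # service code changed to 101
```
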
