25 Nov 19

Hidden Cam Above Bluetooth Pump Skimmer

Tiny hidden spy cameras are a common sight at ATMs that have been tampered with by crooks who specialize in retrofitting the machines with card skimmers. But until this past week I’d never heard of hidden cameras being used at gas pumps in tandem with Bluetooth-based card skimming devices.

Apparently, I’m not alone.

“I believe this is the first time I’ve seen a camera on a gas pump with a Bluetooth card skimmer,” said Detective Matt Jogodka of the Las Vegas Police Department, referring to the compromised fuel pump pictured below.

The fake panel (horizontal) above the “This Sale” display obscures a tiny hidden camera angled toward the gas pump’s PIN pad.

It may be difficult to tell from the angle of the photograph above, but the horizontal bar across the top of the machine (just above the “This Sale $” indicator) contains a hidden pinhole camera angled so as to record debit card users entering their PIN.

Here’s a look at the fake panel removed from the compromised pump:

A front view of the hidden camera panel.

Jogodka said although this pump’s PIN pad is encrypted, the hidden camera sidesteps that security feature.

“The PIN pad is encrypted, so this is a NEW way to capture the PIN,” Jogodka wrote in a message to a mailing list about skimming devices found on Arizona fuel pumps. “The camera was set on Motion, [to] save memory space and battery life. Sad for the suspect, it was recovered 2 hours after it was installed.”

Whoever hacked this fuel pump was able to get inside the machine and install a Bluetooth-based circuit board that connects to the power and can transmit stolen card data wirelessly. This allows the thieves to drive by at any time and download the card data remotely from a mobile device or laptop.

The unauthorized Bluetooth circuit board can be seen at bottom left attached to the pump’s power and card reader.

This kind of fuel pump skimmer, while rare, serves as a reminder that it’s a good idea to choose credit over debit when buying fuel. For starters, there are different legal protections for fraudulent transactions on debit vs. credit cards.

With a credit card, your maximum loss on any transactions you report as fraud is $50; with a debit card, that protection only extends for within two days of the unauthorized transaction. After that, the maximum consumer liability can increase to $500 within 60 days, and to an unlimited amount after 60 days.

In practice, your bank or debit card issuer may still waive additional liabilities, and many do. But even then, having your checking account emptied of cash while your bank sorts out the situation can still be a huge hassle and create secondary problems (bounced checks, for instance).

Interestingly, this advice against using debit cards at the pump often runs counter to the messaging pushed by fuel station owners themselves, many of whom offer lower prices for cash or debit card transactions. That’s because credit card transactions typically are more expensive to process.

Anyone curious how to tell the difference between filling stations that prioritize card security and those that don’t should check out How to Avoid Card Skimmers at the Pump.

The compromised pump with the hidden camera bar still attached. Newer, more secure pumps have a horizontal card reader and a raised metallic keypad.


  1. Brian-

    Excellent information, thanks for the great reporting. Cyber criminals never stop!

    We put out a free e-paper that is synergistic to this article:

    Stay safe!
    Scott

  2. One slight (but important) correction: your article says “With a credit card, your maximum loss on any transactions you report as fraud is $50; with a debit card, that protection only extends for within two days of the unauthorized transaction”

    Per the FTC (https://www.consumer.ftc.gov/articles/0213-lost-or-stolen-credit-atm-and-debit-cards) the clock starts “when you learn about the loss or theft,” not the date of unauthorized transaction.

    There are other good reasons to use credit over debit, but the monetary exposure to the consumer is identical as long as you immediately report the card lost or stolen when you find it missing or learn of a fraudulent transaction.

  3. This is why I have a gas (Sunoco) credit card. I am hoping that this will limit my exposure.

  4. There is never any reason to ever use a debit card over a credit card for a purchase. It’s a terrible practice and people should stop doing it.

    Debit cards should be for ATM withdrawals only.

    • There’s no need to carry a debit card at all. At my request, my bank issued an ATM card that cannot be used as a debit card.

      • And as long as you qualify for a credit card, that’s great advice.
        But not everyone does.

        • Yes; and some of us cannot afford the cost of credit charges on regular credit cards. My debit card pays back all fees, and saves me big money over a year. Before I realized you shouldn’t use debit cards online, I was compromised by a legitimate site that was hacked – but I caught the transaction immediately and had to do some research to make sure it was not me that did the transaction. I turned it in to the credit union the next day, as I realized someone had bought 3 months of server space on a questionable hosting site. Obviously the crook only wanted it to support his command and control server for a bot net or spam system.

          I got my money back but the union said they lost out. Fortunately it was only about 28 dollars or so. I’ve since learned my lesson. I only use it for local purchases, and never far from home. It is easier to get local LEOs to investigate small cases like that. You will never get a response from another remote county, state, or FBI, just forget it.

          • Not sure what you’re talking about with respect to costs. I have a no fee credit card that doesn’t charge me per vendor. Fix your spending habits and you will qualify.

            And the only thing worse than using a small bank is using a credit union – they haven’t got the funds to pay for cyber defenses and are notorious for taking short cuts in that area. Beware.

            • That’s just fearmongering. My credit union had proper cybersecurity and 2-factor authentication 15 years ago. Chase Bank and Bank of America still don’t have proper 2-factor authentication. And the big national banks are a bigger target. I’m sure some smaller banks and credit unions are hamstrung by their finances, but the big banks that theoretically have the money to do this clearly aren’t: in addition to poor user security, Capital One, JP Morgan Chase, and Citigroup were all recently hacked.

            • Jake, I’m not sure why you would make such broad generalizations since I feel certain you can’t know about the security habits of all small banks and/or credit unions. I can’t speak for everyone but my credit union does not take any short cuts when it comes to cyber defense. We’ve had cutting edge security for years and will continue to add layers as needed. If you are assuming that “big” banks are spending more on cybersecurity, I’m afraid your assumption may come back to bite you. We’ve found some of the worst security at some of the biggest companies.

        • “In God we trust. All others pay cash.”

      • Damian, thanks for the info on getting a card just for the ATM (no purchases at all).
        For someone who dropped their card in the parking lot (at night) and had $2000+ siphoned out of my acct in 3 days, I am grateful for this idea.
        …yes, I got my money back…

      • My bank insists that my ATM card cannot be used at point-of-sale terminals at all. However, I have used the card at gas stations. Of course, now I have to deal with this new information.

    • Per the article and my experience, credit card purchases can be more expensive than those made with a debit card. Depending on the price difference, it may or may not be a worthwhile risk. Stating there is “never any reason” to use a debit card is overstating your case.

  5. I just bought an EV, so I no longer have the need to ever visit a gas pump.

  6. Hey Brian, I think you might want to double-check or check in with the sources you tap regarding card fraud from various institutions. Regulation E for Debit Cards is different from Regulation Z for Credit Cards yet holds no difference in consumer unauthorized fraud and is not capped.

    There would be riots in the streets if a bank made the customer liable for the remainder of a fraudulent attempt. Due to the various amounts of breaches and how much a bank shoulders in a run rate on fraudulent transactions making either the bank liable or if the merchant is not EMV capable (except outside gas stations) they would be liable in the event of that chargeback. Actually, in most cases anything under $50 can’t be chargeback either by certain stipulations or it costs more to charge it back than it is worth.

    • I hear this every time I write about this subject. The truth is while there may be little difference on paper, there can be a huge practical difference in the impact to the cardholder in the short run (bounced checks, fees from third parties for insufficient funds, and the temporary lack of cash in one’s checking account while the investigation takes place). IMHO, claiming that there is no difference in risk to the consumer is disingenuous, and (no offense to you) usually this kind of comment comes from people working in the financial or retail sector that simply don’t wish to dissuade consumers from using debit cards + PIN.

      • oh snap…that knowledge drop

      • Working at a FI, I just ran into this issue of competing priorities when drafting a series of tips for safe holiday shopping, and having to tap-dance around the debit vs. credit issue. My personal recommendation (and practice) is to never use debit, except in those rare cases where I need cash back, or when I’m using it via Samsung Pay or Google Pay.

      • Honestly, it makes no difference to me if a customer uses Debit vs Credit in confirmed fraud situations. It does make an impact for customers in how fast they can receive a credit dependent on the amount of fraud (instant vs 4-10 days+ depending on issuer). NSF fees, and other associated fees are a drop in the bucket in comparison to the actual gross or net fraud. Normally dependent on what system you are running it will automatically credit these back instantly.

        I took aim at the comment of “With a credit card, your maximum loss on any transactions you report as fraud is $50; with a debit card, that protection only extends for within two days of the unauthorized transaction. After that, the maximum consumer liability can increase to $500 within 60 days, and to an unlimited amount after 60 days.”

        Very confused about this statement. It is true that the rules vary between MasterCard, Visa, Amex, and Discover, but I have worked between all of them at some point and currently this seems to be not aligned with industry or regulations. There is an issuer liability of how many transactions can be aggregated into a case that can be charged off at one time, making it a loss factor on the bank. As far as the customer, it does become liable if they file a dispute/chargeback after an allotted period of time has been depleted dependent on issuer, which is not based on dollar amount.

        The way the statement is laid out would GREATLY benefit the issuers/banks… and they would take full advantage of that situation if it was designed as so. However, this is not the case at least in peer groups, benchmarking, and industry reporting to lower basis points.

        The original comment possibly came across wrong, but it was truly intended as “hey..you might want to double check this”. Thanks for all of your hard work and you have been a good source, and helping factor in my line of work especially compromises.

      • Please remember the US consumer protections for you are called RegE and RegZ. One is for credit cards and the other debit cards. They are what limits liability to $50. There is little difference except that you must notice and report the fraud for debit cards in a time window. By practice banks will remove all liability for fraud, but if you consumers run into any problems make sure you say you are protected under RegE and RegZ. The customer service agents will know that you know your rights. There are some games played by banks around breakage processes such as requiring you to send in a form to identify fraud… but this is not required. The banks do deal with consumers misreporting, which causes us all problems, but you are protected where many countries do not have these liability protections.

  7. The Sunshine State

    The PC board in the above picture looks professionally made; it doesn’t look like some D.I.Y. project seen in many skimmers in previous articles.

    • It looks professional because the only circuit board visible is from the pump manufacturer. The skimmer is the small board wrapped in black tape in the lower left part of the image hanging from a short jumper cable.

    • Take a look at the soldering on the connector at the upper end of that ribbon cable. If that’s professional, then the “pro” who did it is in the wrong profession!

  8. Wow!
    This made me look twice. I would never look at Gas Pump stations in the same light again.

    Thanks @Brian!

  9. Are pump and ATM operators required to have any physical security, such as cameras mounted high but pointed at the pump so they have footage of someone messing with the pump or ATM? Seems like that would be a requirement for ATMs, at least, especially generic kiosk versions in lobbies of hotels, shopping centers, etc.

    • Cameras are not a requirement on Fuel Dispensers. I do not believe it is a requirement on ATMs either.

      That being said, most places have cameras, but it is usually for the security of the customers and employees, not for fraud related reasons.

      Having cameras is only beneficial after the fact, for law enforcement or prosecution. Unless of course you have someone watching the cameras 24/7 (which is not feasible). This particular skimmer was located 2 hours after it was installed, which is fairly quick considering they do not have unique locks, security stickers, or entry detection. Is that 3 strikes?

      Ultimately, the best thing for Fuel Dispensers is to have encrypted CC readers and PIN entry devices, along with entry detection with position shutdown and unique locks. This limits someone’s ability to open the dispenser, but even if they do, the dispenser will not work after they open it, and the likelihood of them getting any information is very low due to the encryption.

  10. My credit card causes me to be prompted for my zip code at the local gas station. Since a significant portion of users at this station have the same local zip, I wonder if this is a vulnerability?

    • It’s the gas station that requires the use of the zip code, not the credit card issuer. If the station requires it, they require it of all credit cards, not just those from a specific issuer.

    • Yes, that is called Address Verification and is part of the security model for evaluating the transactions. Acquiring entities — such as gas stations — can lower their cost by using that processing service, so they will like it. It also limits the extent to which skimmed cards can be used.

      But yes, I would think the camera could, and will be, used to capture the zip code information.

  11. Local gas stations charge $0.10/gallon more for credit than debit.

    • What? I thought it was illegal to charge different prices for cash v credit.

      • Definitely not illegal in my experience, though state laws may vary. Credit card providers may prefer that vendors not do so, or even order them not to. But that’s at best a civil tort, definitely not illegal.

      • Definitely not illegal, at least in CA. (Though it may be against CC vendor agreement terms; I remember there was a big deal a year or two back when the Credit Card Vendors and the clients were renegotiating, over the chip cards I believe).

        Though normally it’s phrased as a “discount” for using a Cash/Debit card, rather than an additional fee.

      • It would be against the merchant agreement to add an unadvertised charge for using CC, but that’s about it. Also, it’s a contractual thing, it’s not “illegal”.

      • It is not illegal, but is usually a violation of the merchant’s contract with the CC company.
        However, in some states, such as NY, state law overrides that restriction.
        It is supposed to compensate merchants for fees charged by banks.
        However, those fees are seldom more than 3%, usually in the 2% range.
        Currently regular gas is about $2.65 a gallon. 3% of that is about 8 cents. Yet, almost all stations charge 10 cents extra for CC transactions.

  12. I started using the BP app and I loaded my BP card into the app. I can activate the pump and pay from the app, never dip or swipe a card at the pump.

  13. Scary. It’s nice to see pumps allowing electronic payment by Google Pay for example which eliminates any chance of obtaining PINs. I also just got an offer to replace my primary cc with a “tap to pay” card so another safer option.

    • So then we will worry about malware in the cell phone using the app, or even a vulnerability in the app that gets compromised by the crooks somehow.

      • Yeah… I worry about the transition too.
        It is a layer of abstraction that moves the risk from a local card reader, to the mobile phone.

        The upside, there is a higher level of difficulty in such an attack. The downside, is that the attacker need not be local, so less risk for them.
        What it amounts to, is decreasing the likelihood of compromise, but increases the impact significantly.
        Instead of occasionally hearing about the ongoing skimmer problem, we may get a big compromise article every few years, where thousands are affected at once.

  14. @sunshine state, the PCB is the pump PCB. What they’ve done is wire up the blue connector to the card reader port and piggy-in-the-middle the Bluetooth module unit, and then connect the connector that should be connected to the PCB on the other end of their homemade unit.
    Keys for the pumps are all standard (by manufacturer); could even be an inside job.
    Or tell the attendant to look the other way; it’s a low paid job.
    What puzzles me is why there is no CCTV watching over (then again the attendant will be busy serving rather than keeping an eye on the actual operation, which was what they had to do at one point).

  15. Obviously this doesn’t apply to IRL purchases like gas pumps, but does anyone have experience using privacy.com?

    It’s a website where you provide a debit card, or link your bank and they create prepaid debit cards you can use for each individual site, similar to a password manager.

    I tried to start using it with digital ocean, but they don’t accept prepaid cards 🙁

    • I use Abine (abine.come) for online shopping (no physical card). Costs a little bit, but it’s great.

    • Hi Dustin,
      I just started using Privacy a few days ago after hearing about it from Leo on Security Now (they are a sponsor). Steve Gibson said he was going to check it out as it sounded good (he hasn’t actually endorsed them yet). I checked them out the best I could (I’m only a wannabe IT geek). I’ve created 4 cards & did 2 transactions with 2 of them (Amazon & Geico). So far so good! I like having different cards for different sites. I also was thinking today (before reading this) that a card to use at pumps would be good. While paying at the pump is easier than walking in the store, my issue is having to stand in line (sometimes long lines) behind all the lotto buyers!

  16. Just another reason why I always use cash or Apple Pay at the pump.

  17. No security stickers.

  18. This site is read by people all over the world, so laws for credit card and debit card consumer protections vary greatly around the world.

    Inside the USA, both debit and credit cards have limited liability. But with debit cards, the thieves already have your money, so you have to convince the bank to give it back. With credit cards, they don’t have YOUR money, they have the bank’s money.

    Protections in Europe are very different.
    Protections elsewhere are often non-existent. Check local laws, especially when traveling internationally.

    In some jurisdictions, charging more for using a card is illegal, but not everywhere.

    Lots of different rules everywhere.

  19. I always shield the pinpad/screen when entering anything (e.g., zip code for the credit card). Hidden cameras are nothing new, so I’m always in paranoid mode. I imagine there’s either a camera around or someone with binoculars checking out the screen. Welcome to Cyber Security. 🙂

  20. I have customers that had reported the camera being hidden in the valance of the dispenser directly across, on a parallel pump island.
    It has been happening for years. Once again an electronic gas pump alarm may have prevented this.

  21. Charles Margolin

    ARCO stations, at least in CA, take only debit cards (for a 35 cent fee) or cash. Most have a Google/Apple Pay reader, but you still have to enter a PIN.

    • Charles Margolin,
      With all these reports of machine tampering I pay with cash at gas stations… except Costco.
      They don’t take cash, but at least there is an attendant outside 99% of the time.

    • I have a similar experience with Arco, but I travel up and down the West Coast, and Arco has the cheapest gas in most areas. Outside of California, Arco does not require a debit card, and often does not charge the $.35. But I’ve not seen Apple Pay available at most of the Arco stations I’ve ever been in. What’s up with that company’s weird practices?

  22. I buy my gasoline from only one oil company – the same one that issued me a credit card that can only be used at their gas pumps and inside their attached convenience stores. If anything ever goes wrong, the only loser is the oil company – because I can dispute the charges and nothing is coming directly out of my bank account or regular credit card. I can only imagine how stressful it would be to have my debit card compromised by a fraudulent transaction.

    Also, unless things have changed in the past few years, my understanding is that bank debit cards do not have the same legal protections as real credit cards when it comes to disputing fraudulent transactions and getting a resolution.

  23. well, i told you so. i pay in cash.

  24. There is another reason not to use a debit card at a fuel pump, authorization holds. When you first turn on the pump, the station “authorizes” an amount on the debit card, generally in the $100-150 range (This is normally pretty prominently displayed on the pump face). After the transaction is complete, the amount of the transaction is processed as a debit charge, and the authorization hold is removed…within a few DAYS. That means that you are locked out of a portion of your bank account until the charge is fully processed, which can cause problems for people with low account balances. Let’s say you put $20 of gas into the car, and then you have $250 to last the next three days…you could really only have $100 that you can access before you become overdrawn, until the charge is finalized.

  25. Most of the gas stations in our area have switched over to the newer key pads that are inset and card swipes where it is very easy to tell if a card reader has been put over top of it. But with the card thieves now going internal, gaining access into the pump and bypassing the newer security features, I am afraid that cash is king here.

    So the only foolproof plan is to pay cash and bypass what could be a lot of pain clearing up charges on your credit card that you didn’t do.

  26. The Shell station that’s near my house has the new-fangled pumps with the horizontal card readers & metallic raised pads, but several people have had their card information stolen there too. Not sure how that’s being done, but even the newest tech is already being hacked. I’ve resigned myself to going in to pay with my credit card.

  27. This is why I ride a horse.

  28. Shell has an app which can tie to Apple Pay. When at a Shell station, you select “pay at the pump” within the app then it asks for the pump number. You are then given a three-digit code to enter into the pump to activate it so you never have to swipe a physical credit or debit card.

    I’ve been using the app for a few months and it is very convenient and secure.

  29. Just use apps to pay, Exxon and Mobil have them, can’t skim those yet

  30. Reg E doesn’t differentiate credit card vs debit card. It covers an electronic funds transfer not device product type specific. Meaning this article is incorrect when it says you have higher liability with a credit card.

    You should use credit at a pump because it doesn’t require a PIN and therefore a PIN cannot be stolen. In the end cover your PIN whenever you use one, jiggle the card insert before inserting and use the pump closest to the attendant. Report anything unusual on the machine immediately.

    See Regulation E: Electronic Fund Transfers 12 CFR 205
    Section 205.6 Liability of consumer for unauthorized transfers
    Limits a consumer’s liability for unauthorized electronic fund transfers, such as those arising from loss or theft of an access device, to $50; if the consumer fails to notify the depository institution in a timely fashion, the amount may be $500 or unlimited.