Posts Tagged: gas station pump skimmers

Sep 16

Inside Arizona’s Pump Skimmer Scourge

Crooks who deploy skimming devices made to steal payment card details from fuel station pumps don’t just target filling stations at random: They tend to focus on those that neglect to deploy various tools designed to minimize such scams, including security cameras, non-standard pump locks and tamper-proof security tape. But don’t take my word for it: Here’s a look at fuel station compromises in 2016 as documented by the state of Arizona, which has seen a dramatic spike in fuel skimming attacks over the past year.

KrebsOnSecurity examined nearly nine months worth of pump skimming incidents in Arizona, where officials say they’ve documented more skimming attacks in the month of August 2016 alone than in all of 2015 combined.

With each incident, the Arizona Department of Agriculture’s Weights and Measures Services Division files a report detailing whether victim fuel station owners had observed industry best practices leading up to the hacks. As we can see from the interactive story map KrebsOnSecurity created below, the vast majority of compromised filling stations failed to deploy security cameras, and/or tamper-evident seals on the pumps.

Fewer still had changed the factory-default locks on their pumps, meaning thieves armed with a handful of master keys were free to unlock the pumps and install skimming devices at will.

These security report cards for fuel station owners aren’t complete assessments by any means. Some contain scant details about the above-mentioned precautionary measures, while other reports painstakingly document such information — complete with multiple photos of the skimming devices. Regardless, the data available show a clear trend of fraudsters targeting owners and operators that flout basic security best practices. Continue reading →

Feb 13

Pro-Grade Point-of-Sale Skimmer

Every so often, the sophistication of the technology being built into credit card skimmers amazes even the experts who are accustomed to studying such crimeware. This post focuses on one such example — images from one of several compromised point-of-sale devices that used Bluetooth technology to send the stolen data to the fraudsters wirelessly.

This point-of-sale device was one of several found in an as-yet undisclosed merchant breach.

This point-of-sale device was one of several found in an as-yet undisclosed merchant breach.

In October 2012, forensics experts with Trustwave Spiderlabs were called in to examine the handiwork of several Bluetooth based point-of-sale skimmers found at a major U.S. retailer. The skimmers described and pictured in this blog post were retrieved from a retail breach that has not yet been disclosed, said Jonathan Spruill, a security consultant at Trustwave.

Spruill said the card-skimming devices that had been added to the small point-of-sale machines was beyond anything he’d encountered in skimmer technology to date.

“The stuff we’ve been seeing lately is a leap forward in these types of crimes,” said Spruill, a former special agent with the U.S. Secret Service. “You hate to say you admire the work, but at some point you say, ‘Wow, that’s pretty clever.’ From a technical and hardware standpoint, this was really well thought-out.”

Spruill declined to name the breached merchant, and said it was unclear how long the devices had been in place prior to their discovery, or how they were introduced into the stores. But the incident is the latest in a string of breaches involving bricks-and-mortar merchants discovering compromised point-of-sale devices at their retail stores. Late last year, bookseller Barnes & Noble disclosed that it had found modified point-of-sale devices at 60 locations nationwide.

The picture below shows the card skimmer in more detail. The entire green square circuit board with the grey square heat shield and the blue element to the left are the brains of the device. The eight-legged black component in the upper right is the memory module that stored stolen credit and debit card and PIN data from unwitting store customers.

Beneath the large grey heat shield in the center of the circuit board are the chips that control the Bluetooth radio. That entire component is soldered to the base of the board. The blue and white wires leading from the skimming device connect the skimming module to the card reader on the point-of-sale device, while the group of eight orange wires that come out of the bottom connect directly to the device’s PIN pad.

The Bluetooth point-of-sale skimmer, up close.

The Bluetooth point-of-sale skimmer, up close.

The image below shows the eight orange wires from the skimmer soldered to the POS device. Spruill said the quality of the soldering job indicates this was not made by some kid in his mom’s basement.

“One of the reasons suggesting that the attacker was fairly accomplished is the quality of the solder done with those very small connections to the PIN pad,” he said.

Continue reading →