A few years back, we saw a spate of Bluetooth-enabled, banking-data-gobbling skimmers installed at gas stations in the Southern US.
Eventually, 13 alleged thieves were charged with forging bank cards using banking details chirped out via Bluetooth to nearby crooks from devices that were impossible for gasoline-buying customers to detect, given that the skimmers were installed internally.
Of course, it’s much easier to detect thieves’ attempts to get at your credit card when they’ve gone the kludgy, model airplane route. That route entails thieves 1) gluing a card catcher onto the front of an ATM (hopefully in a nice, wiggly fashion—much easier for victims to detect that way!), 2) hoping it doesn’t fall off before it catches some cards, and then 3) hanging around the machine, pretending to look innocent, as they wait to snatch the cards after victims give up on ever getting them back.
True, the Bluetooth skimmer was installed internally, making it tougher to spot than the glued-on kludge of a card catcher. It still presented a problem for the thieves, though: namely, using Bluetooth meant the skimmer still relied on the thieves hanging around nearby, given the limited range of this wireless technology. It also meant that anybody else using Bluetooth in the vicinity could get an eyeful of “Oooo, payment card details up for grabs!”
Now, as security journalist Brian Krebs reports, New York City police have started to see a new sort of skimmer on gas pumps that cuts the Bluetooth tie, instead relying on wireless GSM text messages to get card details to the crooks anywhere in the world.
No more hanging around smelly gas pumps! No more returning to the scene of the original crime – as in, the place where the skimmers were initially installed – to retrieve the booty. Now, the thieves can plug the skimmers in and make themselves scarce, taking off to wherever their counterfeit card making setup is located.
Mind you, wireless transmission of stolen card data is nothing new. There’s a US Secret Service task force in Los Angeles that’s been looking into fuel theft and fuel-pump skimming since 2009, and it’s found that there are distinct crime gangs, working in tandem: some steal the gas, others skim the card data. They use SMS/text messages to exfiltrate card data. As with the GSM skimmers, use of the SMS skimmers means that thieves don’t have to return to the scene of the crime: all they need is mobile phone service to collect card data and PINs.
Krebs quoted Secret Service agent Steve Scarince in a 2015 article:
Generally the way it works is the skimmer will sell the cards to a fuel theft cell or ring. The head of the ring or the number two guy will go purchase the credit cards and bring them back to the drivers. More often than not, the drivers don’t know a whole lot about the business.
They just show up for work, the boss hands them 25 cards and says, ‘Make the most of it, and bring me back the cards that don’t work.’ And the leader of the ring will go back to the card skimmer and say, ‘Okay out of 100 of those you sold me, 50 of them didn’t work.’
But this is apparently the first time that we’ve seen GSM-based pump skimmers show up in gas pumps – at least, in New York – according to a New York police officer. The devices were pulled off of three New York filling stations this month. The officer shared some images of the devices with Krebs.
Krebs notes that, like other pump skimmers, these GSM skimmers draw power from the pumps they’re attached to, allowing them to operate indefinitely.
Analysis of the T-Mobile SIM cards apparently hasn’t turned up any data on the thieves. All that investigators have found so far are the unique serial numbers—what’s known as the integrated circuit card identifiers, or ICCIDs—of the SIM cards.
It’s common to see skimming devices on ATMs – or gas pumps, or any card processing device – used with some type of remote sensing or telemetry, whether messages are being sent out via GSM or mobile phone. Thieves can take off-the-shelf devices, including the bits and pieces of a mobile phone used in this recently discovered GSM skimmer or, say, a video recorder, and then just jam them behind some believable-looking moldings. That can make it tough for a customer to tell there’s something fishy going on.
What to do?
Don’t use a card machine on a gas pump, an ATM or anything else if you think it may have been tampered with.
In cases like this, where the machine itself seems to have been compromised and there are no external clues to the tampering, there isn’t much you can do beyond deciding if you trust the gas station or not.
As always, it’s smart to regularly check credit card statements and keep an eye out for anything that doesn’t look right.
Keep your bank’s phone number handy on your phone too. If you see anything suspicious, whether it’s on your statement or at an ATM, a restaurant or the filling station, report it to the credit card company.
And don’t forget to call the police: if there’s fraud going on, they’ll want to know.
anon
Any trend info on what gas station companies are involved (i.e., are Shell stations more vulnerable due to lax security)?
Lisa Vaas
I haven’t seen any particular companies tagged as being more or less vulnerable. Good general advice on avoiding stations where pumps may have been rigged with skimmers, per the Secret Service’s investigations in Los Angeles, is to bypass stations that are easy marks: those that are close to major highways; those with older pumps; those without security cameras; and/or those that don’t display a regular schedule for inspecting security.
Instead, stick with stations that look like they care about physical security. And avoid using your debit card, since PINs can be stolen and your bank account subsequently drained.
MrBlz
And a good rule of thumb is to set an alert for all of your credit cards to get a text message if there is a charge at a gas station or in an amount over $15 so you know if someone has gained access to your number. I don’t mind a few extra text messages. I received one at 11 pm once and immediately called the credit card company.
Bryan
How “internally” were these devices installed? Is it the sort of internal that would require a maintenance tech’s involvement? I’ve paid little attention to the design of gas pumps, but I know the cabinet locks.
I suppose I just answered whether I’d likely notice the housing or lock was broken anyway.
:-/
Steve
Bryan, those skimmers were actually installed internally; the cabinets had to be opened. But the locks for most of those pumps are not unique for each pump, or even each station – if you have a key, you can open virtually any pump of that type. More recent models have been improved in that regard, but there are bazillions of pumps out there that can be opened by many, many keys that are loose out in the wild. All it takes for the skimmers to be installed without observation is to provide a brief distraction for the owners/employees.
Bryan
Thanks Steve. Yeah I figured the cab had to be opened for an install–though my phrasing is admittedly odd for the question I was really asking. Not sure if I was hoping there’s a rash of corrupt repair guys or like you said–a kajillion keys floating about in the wrong hands. Thanks again.
Jeff
One of the filling station companies in my area has placed serialized tamper-resistant sticker strips over the edges of the card reader slots and all points where the internals of the pumps can be accessed. I always check the strips before using the pumps. While those could be counterfeited, it would be an extra step for the crooks, and thus should provide some extra margin of safety.
Bryan
Great idea Jeff, thanks for sharing.
Anonymous
Or one can just pay cash for gas. Cash that one obtains inside their bank… from a live teller.
Anonymous
Another option for paying with a credit card is to pay the clerk inside the store. You know, how we used to do it.
Greybeard
ITYM “GSM”, not “GMS”. I mention it because the mistype has spread to yesterday’s story about Russian pump fraud.
Paul Ducklin
Fixed, thanks.