geekwright Blog > Skimming at the Gas Pump

Skimming at the Gas Pump

Recently, the TV news was warning of the discovery of card skimming devices at multiple (undisclosed) area gas stations. Skimmers have been around for quite a while, and are not typically so newsworthy. What sets the current wave apart from some earlier versions is the slickness of the hardware, and the addition of wireless communication to make the resulting theft potentially instant. The news team in their typical alarmist ways tried to instill fear by implicating all that that nasty modern hi-tech stuff. They worked in phrases like "identity theft," when in fact is, it is just good old fashioned opportunistic thievery. As with most such cases, a little bit of common sense applied at the right time could have made this current problem far less severe.

Credit card skimming involves having a second card reader attached to a legitimate one, and typically some means to capture keyboard data entry. Before the proliferation of magnetic readers, skimming involved employees pocketing copies of credit card slips, extra carbon copies lifted from the manual imprint machines. As mag-readers became common, printing duplicates receipts became the easy choice, as the printed receipts usually included the entire card number.

With the advent of the unattended and consumer operated terminals, a new strategy was needed. The first skimmers added an extra piece to the card reading slot with a separate magnetic reader head. That head was connected by wire to some decoding electronics. To capture PIN numbers from a keypad, a tiny video camera was trained on the keypad, sometimes with an extra light source thrown in to make sure the little CCD would pick up an image. This arrangement usually worked best on ATM's located in bars, as the inebriated were less likely to become suspicious of the evident tampering. After a session of collecting card numbers and PIN entry video, the would be theif had to match up the numbers to the PIN pad images, hoping that the camera's view wasn't obscured by a stray shirt sleeve, and hope there was still enough money in the potential victim's account after the night's festivities to make it worth it. Later refinements added keypad overlays to replace the error prone camera; making the capture more automatic, but at the cost of another telltale sign of tampering.

Back to the present, this new wave of skimming is much improved. The TV news images revealed complete replacement keypads and readers, so identical in appearance to the real thing, it suggest that they were legitimate replacement parts with reworked electronics to give them their evil twin skimming capabilities. Another shot showed a small confiscated wireless transmitter circuit board resting in a police officer's palm. This kind of threat would be very difficult to detect by simple visual inspection.

So just how do those parts get into the gas pump, anyway? In the older ATM scheme mentioned before, the physical security of the machine made it necessary to use external readers and keypads. The ATM is secured to prevent the theft of the cash contained therein. You can't just go behind the bar and grab the key. In stark contrast, consider the gas pump. The nice modular, easily replaceable electronics on the models shown on the news are in the same physical cage as the routinely accessed receipt printer. Thoughtfully, the nearby video surveillance equipment is likely to be focused on the license plate areas of the big SUV that is blocking the view as the illicit replacement parts are installed.

Of course, just like the old fashioned extra carbon, insider involvement is key. But so is an inadequate security audit of the basic design. I can somehow imagine the poor soul who dared point out this deficiency being inundated with phrases like time to market delay, cost containment, being globally competitive and the like. Sad to think that some simple changes at the start of the pay at the pump revolution could have made the current scam nearly impossible to pull off.

Go Kiosk has an interesting piece on new security standards for encryption being mandated by Visa (along with a lot of other good juicy information and links for the curious reader.) While an encrypted keypad is a good step in securing legitimate data after collection, it doesn't address the problem of being physically able to tap electronically into the same reader and keypad that collect that legitimate data. Since the industry is already reportedly balking at the expense of new software and keypads, any additional physical security needed to effectively combat the continued escalation of skimming technology is unlikely to make the budget, either.

Better strap in for the long haul, as this threat isn't going anywhere soon. Anyone else thinking of keeping cash in the mattress?


Share |
Click to Close
QR Bookmark for This Page
View mode: Standard | Mobile