Friday 24 January 2014

That Gas Pump May Be Stealing Your Credit Card Data

card skimmer
Authorities indicted 13 thieves for using Bluetooth-enabled card skimmers at multiple gas stations throughout the southern United States to steal more than $2 million over a one-year period.
The four lead defendants are accused of installing card skimming devices at various Raceway and RaceTrac gas stations in Texas, Georgia, and South Carolina, according to a statement by New York District Attorney Cryus R. Vance, Jr. The gang created cloned cards using the stolen credit and banking card numbers and PIN codes to withdraw money from ATMs and deposit them into New York-based bank accounts under their control. A group of money mules in California and Nevada then withdrew the money in small amounts.
The ring laundered approximately $2.1 million in this multi-state operation from March 26, 2012 until March 28, 2013, when the leaders were arrested, according to the statement. "By using skimming devices planted inside gas station pumps, these defendants are accused of fueling the fastest growing crime in the country," Vance said.
"This type of fraud is getting tougher and tougher to protect against as attackers are getting more intelligent in their implementation," Tom Gorup, security operations center analyst of Indianapolis-based security consulting and services firm Rook Security, told Security Watch.
Stealing Data Remotely
Fraudsters have been using card skimmers on ATMs and gas station pumps for a while, but the use of Bluetooth-enabled skimmers became a problem fairly recently, in late 2012. In the past, thieves generally had to come back and physically remove the skimmers in order to harvest the stolen data. Using Bluetooth in the skimmers makes it significantly easier to extract data, as thieves can grab the data remotely, making it harder to catch them in the act, Gorup said.
These thieves can be across the street with a laptop downloading the information since Bluetooth can easily transmit over 100 feet. It also means the attackers can just leave the skimmer in place and keep collecting the data over and over again.
It is difficult for customers to even detect the skimmers in the first place because they are installed internally. A law enforcement source in California told security writer Brian Krebs the attacks frequently take place on weekends and in the early hours of the morning. One person would pretend to pump gas while the other would enter the store to buy something. With the station attendant distracted, the person outside would then open the front of the pump with a universal key and place the skimming device inside. "Time to install/remove is between 5 – 10 minutes," Krebs reported.
What You Can Do
Even though there is virtually no way for the average consumer to tell if a pump—or the ATM, or any of the many places where you would swipe your payment card—has been modified, there are some steps you can take to help minimize the risks.
First and foremost, avoid paying at the pump using a debit card. While banks offer the same zero-liability protection on debit card as they do credit cards, it will take time for that money to come back into your bank account.
Get in the habit of tugging, or wiggling, the card reader before you put in your card. If it moves, then look for a different pump, ATM, or kiosk. I've also been told by security experts to wiggle the card when taking them out to make it harder for the skimmer to read the data.
When possible, become a creature of habit and use the same device, such as the same pump at the gas station, the same ticket kiosk at the train station, or the same ATM at your bank. That way, you will be more likely to notice physical changes, such different colors on the keypad, exposed cables, or just the way the keys feel when pressed, Gorup said. It's also a good idea not to use a machine that has exposed USB or Ethernet ports since attackers could have tampered with the device.
"Attackers are going to limit their risk by attacking the low hanging fruit," Gorup said. They are less likely to compromise terminals that are in highly-visible or protected areas with cameras. Those are the terminals you should be using.
And of course, stay on top of your bank statements and track all account activity. Report suspicious transactions immediately.
"Cybercriminals and identity thieves are not limited to any geographic region, working throughout the world behind computers," Vance said. We do what we can to stay out of their clutches.

No comments:

Post a Comment