Gas Pump Skimmers -- ** Let's all find them together! **

[PhillyFlyers]

Hi All,

I didn't see any discussions going on yet about this RE work that SparkFun has done (and just reported on a few weeks ago), on these 'Credit Card' skimmers that are installed inside gas pumps by criminals, to steal credit card numbers...

https://learn.sparkfun.com/tutorials/gas-pump-skimmers


supposedly many of the pumps out there still use universal keys, which must be easy to locate, so with the board, and a key, you can open the pump, install the MiM board, and start capturing cards.  All it takes is a drive by at some point, connect to the board via BlueTooth, and download the scanned data.

So, figured I'd make sure everyone on here is aware, if you aren't already...

We've had plenty of police reports this year alone for these devices being caught in pumps, in my little town in Maryland, so I'm sure there are millions of others out there, and god knows how many variants...



They did a great job with the initial RE work, and did a nice job at making an initial Android app (free of course) for actually identifying these chinese Bluetooth modules that these recent skimmers all seem to be using..


So, if anyone wants to help on here, it seems they could use a ton!

1)  They stated they are not app developers, so they could use some help with the current source code (posted public)..

2)  They only have an android app, they need help to see if an IOS version can be made...

3)  This may only be a small sample of what actual skimmers are being used out there, but this is a great start at trying to stop this crap...


I myself have been burned by a skimmer at one of the pumps near my house, as well as many of my friends, just wanted to start this thread in case anyone was interested and wanted to help!

[macboy]

Interesting.

Are credit and debit (Interac) cards in the USA chipped? Or do they still use just a mag stripe? Do you normally sign for credit transactions or do you use a PIN?

In Canada and many other places, Chip and PIN is the norm and has been for years, but for some reason the USA has always lagged behind with taking up these types of technologies. I wonder if the skimmers work on chip and PIN terminals. We now (last few years) also have RFID/NFC for small purchases, usually <$100 or <$50 depending on the store's tolerance for fraud. Hold the card to the reader and done. I can and do even pay with my phone, taking advantage of its NFC capability.

I think I'll install Sparkfun's app and see what I find.

[bd139]

This is why I like Apple Pay. A new card number is generated for each transaction and allows exactly only one transaction. Collected numbers are useless.

[rstofer]

In California, if you use a Debit card tied to your checking account, you need the card and a PIN at the gas pump.  For a Credit Card, you need the card and your ZIP code.  In both cases, it is a matter of something you have and something you know.

I haven't seen chip readers at gas pumps.  Retail stores are converting to chip readers simply because the banks will no longer cover losses at retailers who don't use them.

I don't use my Debit card for anything!  I have it only to access the ATM and that happens infrequently.  It turns out that skimming ATMs is also a popular sport.

As to the Credit Card, who cares?  I'm not responsible for the losses, the bank (actually, the retailer) is.  In fact, I get about 2 card updates per year, some I initiate when I see invalid charges and others the bank just calls and says a new card is on the way.  Getting a new CC number is a PITA!

[rstofer]

Credit Card charges < $25 don't require a signature nor do gas pumps.  Some CC companies limit gas pump charges to $50 and that caused no end of problems back when gas was > $5/gal.  There had to be some magic amount of time between charges.