Hacked Petrol Pumps

Topic

New Reply

Hidden Cam Above Bluetooth Pump Skimmer

By Brian Krebs | November 25, 2019

 
Tiny hidden spy cameras are a common sight at ATMs that have been tampered with by crooks who specialize in retrofitting the machines with card skimmers. But until this past week I’d never heard of hidden cameras being used at gas pumps in tandem with Bluetooth-based card skimming devices.

Apparently, I’m not alone.
…
Whoever hacked this fuel pump was able to get inside the machine and install a Bluetooth-based circuit board that connects to the power and can transmit stolen card data wirelessly. This allows the thieves to drive by at any time and download the card data remotely from a mobile device or laptop.

 
Read the full article here

2 users thanked author for this post.

Elly, WildBill

Reply | Quote

Replies

My wife’s card got hacked once at a very popular gas station. The bank caught it immediately and called her.

Needless to say, we don’t shop at that particular gas station anymore. Sad, because they always have the lowest price.

I always choose “credit” rather than “debit”, because if you choose debit, they will probably put a hold on $75 on your bank account. With credit, there is never a hold. Now I have an additional good reason for choosing credit – I won’t have to enter my PIN when making the purchase.

Group "L" (Linux Mint)
with Windows 10 running in a remote session on my file server

1 user thanked author for this post.

WildBill

Reply | Quote

In many countries, PIN entry is required for credit card payment at an EFTPOS terminal (where signatures have been phased out over many years).

Reply | Quote

Debit cards (in the USA) are a poor choice for anyone with half way decent credit. Stay FAR away.

Just because you don't know where you are going doesn't mean any road will get you there.

1 user thanked author for this post.

WildBill

Reply | Quote

Perhaps not so. I deliberately use debit cards which are associated with accounts with limited funds. At gas pumps, I run them as credit, which requires me to enter my billing zip code instead of a PIN. After I make my purchase, I instantly get a text message and an email alert from my bank about when, where, and the amount of the purchase. Debit cards always have much lower daily credit, versus the available credit on a credit card.

On the other hand and with most credit cards, the only thing I get are emails that the card was used to make purchases. I then have to log into my banking in order to see the charges.

The upshot is that I have turned on every possible alert and security feature which my banking institutions offer, including creating both verbal passwords and agreeing to voice recognition.

I also disabled any charges for any of my cards which were made from abroad, and I only enable this when I am about to travel abroad.

Reply | Quote

GoneToPlaid wrote:

I deliberately use debit cards which are associated with accounts with limited funds

With that arrangement one must have an alternative payment method (another debit card perhaps) because (as I have read) it is common for more funds totally more than the transaction to be put on ‘hold’. And credits cards offer better minimum protections. But if it works for you..

Just because you don't know where you are going doesn't mean any road will get you there.

1 user thanked author for this post.

WildBill

Reply | Quote

Over here, with debit cards the pump asks you how much to hold… and also they normally release the hold right after you’re done if the network connection hasn’t gone down while you were at it.

OscarCP wrote:

not particularly thirsty and its tank capacity is… … enough for some 180 miles

I’d say that’s either an underspecced tank or a very thirsty car.

Why yes, back when I was that age, one of the first repairs done to “my” car was to replace the fuel tank with a bigger one.

Reply | Quote

And with credit cards, one can always protest the charge after the fact, particularly a fraudulent one, as long is within 60 days of the questioned payment. With debit cards, once one pays with one of these, the payment money is taken from one’s bank account and goes directly and immediately into the fraudster’s pockets… and it’s gone, baby, gone.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

1 user thanked author for this post.

WildBill

Reply | Quote

MrJimPhelps wrote:

Needless to say, we don’t shop at that particular gas station anymore

It’s probably now a very safe place to shop as the police will have visited to identify the fraudster, so they will be very careful.

cheers, Paul

2 users thanked author for this post.

WildBill, wavy

Reply | Quote

I always have paid with cash (a.k.a. greenbacks in these parts) wherever I go, anywhere in the country and even abroad (in the local currency). When driving locally in it, my own car is not particularly thirsty and its tank capacity is some 8.5 gallons, enough for some 180 miles, which can last me a couple of weeks, given my driving needs (I can and often do telecommute). Even when gasoline has been expensive in recent years, the cost of filling the empty tank completely (something better avoided in practice) has been no much more than 40 US$ (more in Europe, of course) so it is possible for me to carry enough ready cash for that (I normally carry more, just not in my back pocket…)

So, gasoline pump hackers: hack this! I say.

This works and will continue to work, until the world goes crazy enough to switch from using paper cash to using plastic for everything, everywhere.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

Of course that last gallon takes a minute because of the metering system. Call me impatient but a CC is faster and I am less likely to get bumped on the head for flashing a wad around.

Just because you don't know where you are going doesn't mean any road will get you there.

Reply | Quote

I’m the same way.  Cash and carry for me.  I mostly use a credit card for online purchases.  Not too often do I use one in a brick and morter store.

You can’t hack a Federal Reserve Note.

1 user thanked author for this post.

WildBill

Reply | Quote

OscarCP wrote:

8.5 gallons, enough for some 180 miles

21mpg is terrible. I get over twice that and I’m still not happy. 

cheers, Paul

Reply | Quote

Don’t forget US vs. UK gallons differ!

1 user thanked author for this post.

WildBill

Reply | Quote

Paul-T: In gallons or liters, as an argument, the use of mpg or l/100 km is not a very good one here. Because it all depends on how many miles — or kilometers — one actually drives. At my age, the place where I live (near where I work, shop, have my mechanic’s, pharmacy, doctor and dentist), and my position in life, that distance is far below average (and I am glad it is, as I never much liked driving cars). Which just goes to show that using the mph as measure is not a good way to figure out either the carbon footprint or the expenses incurred using a particular vehicle. It makes sense only when discussing significant numbers of vehicles, whole fleets of them.

cheers, Oscar

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

1 user thanked author for this post.

wavy

Reply | Quote

Thanks to Kirsty the correct conversion is 11.2l/100km. Still terrible!

cheers, Paul

Reply | Quote

Not so bad if most of the time it is only being used for short trips around town. If it included much highway driving then it’s not good.

Windows 10 Home 22H2, Acer Aspire TC-1660 desktop + LibreOffice, non-techie

1 user thanked author for this post.

OscarCP

Reply | Quote

Using your bank’s ATM chip-and-pin card and shielding your PIN is pretty safe, or so says Clark Howard (https://clark.com/). Some merchants hate this, but too bad.

The guy says that ATM chip-and-PIN cards put you at less risk that a debit card w/Visa/Mastercard logos on it, as it takes longer and is more hassle to get your dough back. He hates the things.

Personally, I pay cash, PayPal, or write a check for really big stuff. I don’t use a credit card any more, since the Equifax hack really took me to town.

“No, I am NOT John J. Jinksenhiemer Smith, and I was never in Nacogdoches, Texas, and I did NOT buy a Corvette!!”

Win7 Pro SP1 64-bit, Dell Latitude E6330 ("The Tank"), Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Newbie
--
"The more kinks you put in the plumbing, the easier it is to stop up the pipes." -Scotty

Reply | Quote

VISA warns of POS malware incidents at gas pumps across North America
VISA says it’s aware of POS malware being deployed on the networks of five North American fuel dispenser merchants.

By Catalin Cimpanu | December 14, 2019

 
Payments processor VISA says North American merchants who operate gas stations and gas pumps are facing a rash of attacks from cybercrime groups wanting to deploy point-of-sale (POS) malware on their networks.

In two security alerts published in November and December, respectively, VISA said its security team investigated at least five incidents of the sort.
…
While the in-store POS terminals of some merchants might support chip-and-PIN transactions, most of the card readers installed on gas pumps do not.

 
Read the full article here

1 user thanked author for this post.

OscarCP

Reply | Quote

There was a spate of news reports a couple of years ago here where I live about hacked fuel pumps. It was happening at convenience store pumps more than anywhere else. I have always used cash when paying for gasoline, but these reports removed all temptation to use plastic.

I never, ever use my debit card anywhere except at my bank’s ATMs, or when out of town at banks that use the same interbank network that my bank uses (such as STAR) to minimize having to pay extra fees. At most places where I need to buy something, it is with cash I withdrew directly from my bank. Even bank ATMs are not immune to the kind of hacking described here. I remember some links to articles that described how these hacks take place and what to look for at ATMs, fuel pumps, etc., to help you spot machines with potential problems. Some of them can be quite sophisticated, and some have parts added externally to the machine that look like they are authentic components, that is unless you know what to look for.

When I do have to use plastic somewhere other than the bank, it is of course only with my credit card and even then I will not let it out of my sight. A friend used his at a restaurant for breakfast once where the server took it away to the register and came back with his card and the slip for him to sign and everything seemed okay. That is, until a few hours later when he found out that some very large charges had been taking place since breakfast. He was able to get everything straight, but it took a few days. (The restaurant could not tell who did it, since the server took it to a cashier and it could have been either of them who did it.) Anyway, I will never let my card out of my sight, which means I do not use it at restaurants (cash only for me).

The cashless society of the future many people want to see does not have me for a supporter.

Reply | Quote

Add me to the list of those who prefer to use cash wherever possible when “out and about” shopping. I use a credit card for online purchases but have nothing to do with online banking.

There have been reports of ceiling cameras being used in petrol stations in the UK for spying on card readers and since a friend lost a lot of money that way I’ve always used cash when paying for fuel.

I also avoid contactless card payments as it’s too easy to lose track of what you’re spending. I prefer to withdraw a cash amount from an ATM inside a local bank for the week and I draw a bit more if it’s a week when I’m going to need fuel.

1 user thanked author for this post.

Elly

Reply | Quote