Here’s A Gas Pump Skimmer That Texts Victims’ Card Data To Crooks

Image courtesy of Krebs on Security

For the crooks operating skimmers on gas pumps, ATMs, or retail credit card terminals, an important problem in their business model is getting the data off the devices. One way around this problem is to integrate a SIM card and have the device send text messages with the freshest payment card numbers. For the first time, such a device was found inside a gas pump.

While skimmers that can text aren’t a new thing, having an invisible one lurking inside a gas pump is new in the United States. A law enforcement source showed it to the ever-vigilant Krebs on Security, saying that similar devices were found at three different stations in New York state. Police are still checking them out, but they do know that the devices have T-Mobile SIM cards, and the skimmers plug right into the pump’s power sources.

Sending text messages solves a practical problem for crooks, since it delivers the numbers directly to them without their having to visit the gas station again. Otherwise, they either have to go back and get the physical skimmer, or extract the data using Bluetooth, which means getting physically close to the skimmer and risking detection, since anyone with a smartphone can detect the Bluetooth device.

How do they gain access to the innards of the pump? Some crooks bribe station attendants, and others test out old universal keys that may still get them access inside the pump mechanism.

Gas pumps can keep on using magnetic stripe readers until 2020, instead of October 2017 as planned, thanks to an extension from Visa and MasterCard. That means gas pumps will remain a juicy target for skimmer gangs after retail points of sale and ATMs have had their own liability shifts.

How can you protect yourself? For 100% security, pay using cash inside the store. If that seems like too much, remember to use a credit card, not a debit card, at gas stations if you prefer to pay at the pump. You will have no liability for fraudulent transactions, and those transactions won’t drain your bank account and lead you to bounce checks or rack up overdraft fees if the crooks successfully clone your card and buy stuff with it.

Covering your hand while typing in your PIN will not protect you here, since it’s simply your card number that the skimmer slurps up from the payment system. Check for seals along the seams on the pump, and report any broken seals or things that don’t look right.