Mobile security

The Strange Case of Gas Pumps & Bluetooth Skimmers

You might not think of an IEEE summit as the most likely place to hear an intense talk about the lack of security at America's gas pumps, but that's exactly what happened last week at the 38th IEEE Sarnoff Symposium in Newark, N.J.

Scott Schober, president and CEO of Berkeley Varitronics Systems (BVS), used his 20 minutes on the podium to talk about how unsuspecting customers are putting themselves at risk by using a debit or credit card at a gas pump in the US.

"Security and convenience don't go hand-in-hand," he chided the crowd.

In fact, he explained that gas pumps are one of the easiest targets around for scammers looking to clone people's cards, using data collected by Bluetooth or cellular wireless "skimmers." These devices are installed in the slot where you insert your card to pay, and they read your data off the magnetic stripe.

Typically, a Bluetooth skimmer is used: the scammers sit in a car a couple of hundred feet away and collect the data. There are also, however, cellular skimmers that can text the stolen data to the scammer's phone.

"I can buy a skimmer on the dark web, and the details on how to install it, for under $100," Schober said.

So what makes the around 250,000 gas pumps in the US such an easy target for this particular brand of cyber criminal? "There are only six master keys to open up a gas pump," Schober told the crowd. That's any gas pump in the US!

These gas pumps "typically only get inspected once a year," he added, which could give criminals a lot of leeway to harvest card data.

Berkeley Varitronics, of course, makes several different Bluetooth skimmer scanner systems. These, however, start at nearly $1,000 and are aimed at police and other large security operations, not Joe or Jolene Public out to fill up before a ride on the weekend.

A couple of people in the crowd asked about chip and PIN systems -- where you insert the card and the pump reads the chip rather than the magnetic stripe -- and while Schober allowed that these were moderately more secure, he reminded people: "There's no chip and PIN in any gas stations in the US," and there is unlikely to be until 2020.

"We're well over a decade behind the rest of the world," Schober stated.

Checking for Bluetooth signals around you with your phone is unlikely to help either, since it is impossible to tell friend from foe just by looking at the signal ID tags.

So what's the average person to do?

"Cash is king," Schober said. "Use cash wherever possible."

"Use the pump closest to the attendant," he added, since this would be the one that criminals would be least likely to have messed with.

Comforting, right?

— Dan Jones, Mobile Editor, Light Reading

Michelle 9/30/2017 | 11:34:22 PM
Re: Order the bouillabaisse... Wow! I didn't know about the banking response to early chip+pin card functionality. I can't believe the banks believed the technology was too perfect to be compromised.
Joe Stanganelli 9/30/2017 | 1:12:08 PM
Re: Order the bouillabaisse... @Dan: You and I haven't said it was perfect. Some have, though (more or less).

And that has created much of the problem. So many victims of ID theft via their compromised EMV cards, in EMV's earlier days in Europe, were told by the credit-card companies and banks that they were on the hook for the money stolen from them because the security of chip-and-pin was so perfect that there's no way they could have been breached. The academic paper I linked to discusses at length the enhanced problems these false notions of supreme superiority of EMV have created.

(Not to mention the technical problems that are unique to EMV vs. swipe-the-stripe.)
DanJones 9/29/2017 | 10:11:57 AM
Re: Order the bouillabaisse... Nobody said it was perfect, just marginally better.
Joe Stanganelli 9/29/2017 | 5:57:43 AM
Re: Order the bouillabaisse... @Dan: Well, come on, now. Let's not act like chip-and-pin is perfect when it comes to security (or, for that matter, necessarily a substantial improvement).

Exhibit A: (link)

Exhibit B: (link)

Exhibit C: (link)
Joe Stanganelli 9/29/2017 | 5:53:22 AM
Re: Pure click-bait scare tactics Krebs's work on how to find skimmers by pulling on the slots, among other methods, is actually what I thought of when reading this piece. From there, I realized that a gas pump was the place I would be least likely to check because neurotic me sees them as dirty and wants to touch them as little as possible.

I wouldn't go so far as to call the piece or its (perhaps partly tongue-in-cheek) conclusion to be "fearmongering." The security, privacy, and civil-liberties problems of credit and debit cards have been on the radar for years -- and well before skimmers were being widely talked about. Cash has its distinct advantages -- and even Krebs has offered similar warnings when it comes to using cards vs. cash at certain establishments (particularly chain restaurants and hotels). Moreover, the IEEE research is worth discussing, IMHO.

I respect Krebs's work, but he doesn't hold a monopoly on skimming journalism.
Gabriel Brown 9/29/2017 | 5:01:40 AM
Re: Order the bouillabaisse... Face ID checks your balance, and if you have enough money, you get gas, if not, no gas for you! 
mendyk 9/28/2017 | 2:01:54 PM
Re: Pure click-bait scare tactics If you actually read the story, you will see that the quote came from the expert speaker, and not from Light Reading.
dcharlap 9/28/2017 | 1:50:31 PM
Pure click-bait scare tactics Brian Krebs has been writing about skimmers for seven years now. See https://krebsonsecurity.com/all-about-skimmers/ for all the articles. They will tell you far more (and far more useful) information on the subject.

Skimmers are nothing new. They have been found at payment devices everywhere, not just gas pumps and ATMs, but they are also not nearly as widespread as you would have us believe.

Your article's conclusion of "use cash or be pwned" is just fearmongering. That's something I'd expect to find on a click-bait advertising banner, not from a respectable journal like Light Reading.
DanJones 9/28/2017 | 1:43:06 PM
Re: Order the bouillabaisse... So Apple will pay to get pumps to support Apple Pay? Maybe...
Gabriel Brown 9/28/2017 | 12:41:46 PM
Re: Order the bouillabaisse... Face ID is included in your iPhone, so no need for gas pump upgrades