The Strange Case of Gas Pumps & Bluetooth Skimmers
You might not think of an IEEE Summit as the most likely place to hear an intense talk about the lack of security at America's gas pumps, but that's exactly what happened last week at the 38th IEEE Sarnoff Symposium in Newark, N.J.
Scott Schober, president and CEO of Berkeley Varitronics Systems (BVS), used his 20 minutes on the podium to talk about how unsuspecting customers are putting themselves at risk using a debit or credit card at a gas pump in the US.
"Security and convenience don't go hand-in-hand," he chided the crowd.
In fact, he explained that gas pumps are one of the easiest targets around for scammers looking to clone people's cards, using data collected by Bluetooth or cellular wireless "skimmers." These devices are installed in the slot where you insert your card to pay, and they read your data off the magnetic strip.
Typically, a Bluetooth skimmer is used and the scammers sit in a car a couple of hundred feet away and collect the data. There are also, however, cellular skimmers that can text the stolen data to the scammer's phone.
"I can buy a skimmer on the dark web, and the details on how to install it, for under $100," Schober said.
So what makes the roughly 250,000 gas pumps in the US such an easy target for this particular brand of cyber criminal? "There are only six master keys to open up a gas pump," Schober told the crowd. That's any gas pump in the US!
These gas pumps "typically only get inspected once a year," he added. That could leave a lot of leeway to harvest card data.
Berkeley Varitronics, of course, makes several different Bluetooth skimmer scanner systems. These, however, start at nearly $1,000 and are aimed at police and other large security operations, not Joe or Jolene Public out to fill up before a ride on the weekend.
A couple of people in the crowd asked about chip and PIN systems -- where you insert the card and it reads the chip rather than a magnetic strip -- and while Schober allowed that these were moderately more secure, he reminded people: "There's no chip and PIN in any gas stations in the US," and there is unlikely to be until 2020.
"We're well over a decade behind the rest of the world," Schober stated.
Checking for Bluetooth signals around you -- via your phone -- is unlikely to help either, since it is impossible to discern who is friend or foe just by looking at the signal ID tags.
So what's the average person to do?
"Cash is king," Schober said. "Use cash wherever possible."
"Use the pump closest to the attendant," he added, since this would be the one that criminals would be least likely to have messed with.
— Dan Jones, Mobile Editor, Light Reading