Is it actually Bluetooth, or did they get their hands on keys or remotes for the dispenser?
The dispensers have constant real-time communication to the forecourt controller and the attendant inside. What are they showing when this "hack" happens? Are the attackers taking the RS485 line down (which would show the pump offline immediately inside) and forcing the pump to manually dispense?
I'd kill to see some more actual information than this. I am not aware of a single pump on the market with Bluetooth right now but I do remember some IR-based remotes for some old Wayne pumps.
In the article one of the attendants says "I hit stop on Pump 3 and nothing happens" so they are at least seeing the pump is on and running. Whatever is happening must be either locking the attendant out or is leaving the attendants machine in a bad state with the pump running switch "on" so to speak.
I wonder if it's actually NFC. It'd be interesting to see what a Flipper Zero would come up with.
Agree, sounds like some kind of poorly-protected function has been discovered that's putting the pump into a "maintenance" or "test" mode where it will dispense fuel without a prepay having been completed.
I've seen people getting ready for a day of working on yards fill up 30 different things each on multiple trucks. The quantity might not stand out, and the attendant(s) might not be allowed to intervene if they think something looks suspicious. A "better to lose some money than risk losing a longtime customer over a mistake or an attendant getting shot playing hero" policy makes a lot of sense.
This is set by the card issuer. Different cards will have different limits. I have been told that you can call your bank and have them adjust this limit.
> In the post-apocalypse or some other lawless society perhaps
> Detroit man steals 800 gallons
> Detroit
Jokes aside, it's common policy pretty much everywhere for cashiers and other employees who are not specifically security personnel to never confront shoplifters or other thieves, always comply with robbers, etc. Insurance covers material losses as long as reasonable precautions are taken.
Detroit has really come up in the past 5 years. I recommend folks visit and check it out. Motor City's downtown actually has decent public transit via bus and light rail, and it's very walkable* during the nice season. Lots of entertainment.
* oh but watch out for bird/lime/lyft/uber scooters literally everywhere and everyone's drunk
Downtown has improved wildly since when even when I was growing up near there in the 80s/90s, but people don't realize how large Detroit is. It's nearly 140 square miles. Downtown is, charitably, 2sqmi, and that's including all the way up to Wayne State. The light rail is the People Mover loop downtown plus a trolley up Woodward, within that range.
The theft mentioned in the article occurred at 8 Mile and Wyoming, which is a 20 minute highway drive from Campus Martius in no traffic. "Clean Downtown" that happened when the city hosted the super bowl and other related efforts have very lopsidedly focused on the downtown area.
It's different, and it's not like it's without its problems. Of course there are still depressed neighborhoods, but there are a ton of development projects going up, lots of new restaurants, bars, nightlife venues, and arts and sports programming. By "coming up" I mean on the upswing, and you can definitely see the difference from a few years back.
I'm really into driving and all, but I've been in Detroit a year ago and it sucked. The only good thing about it was the Henry Ford Museum and the fact that Canada is just across the border.
You probably don't know how it used to be (which is also very different from my grandfather's idea of "how it used to be"). I was there last year, but I was also there for 25 of the past 30 years and the change from when I was a kid is startling. "I recommend folks visit and check it out" is not something someone would have said about Detroit unironically for a long while.
Maybe a nitpick, but I think it would be more accurate to say that it has, in recent years, become policy to not confront thieves, even verbally and non-violently because so many of them are now willing to escalate to lethal force on the most trivial of provocations, effectively giving them a heckler's veto[1] on any measure except locking them up or asking the police if they'll find time to arrest.
I know in my grocery store training c. 1998 they definitely told us to give verbal warnings to thieves that we saw what they did, but now, even that much is dangerous.
>Insurance covers material losses as long as reasonable precautions are taken.
No one would get insurance to cover small, regular losses. And even so, insurance isn't some magic pot of gold that restores the losses that lead to closure, it just means the impact is absorbed over everyone. It's still there.
"insurance" for small losses == higher prices for everyone. Some amount of "shrinkage" whether due to shoplifting, employee theft, or unknown reasons is built into the economics of a retail store.
Back when I was a gas station attendant, my manager made it very clear that if you're being robbed, the only correct answer was to offer them smokes and help loading or bagging.
This was not Detroit, or even the USA. Think slightly North.
I personally know of an incident where Walmart shelf stacker chased shoplifter of $5 hat out of store and got into a tangle with the getaway driver's car and they ended up in a coma for three months which apparently cost Walmart almost $2m in medical bills.
Why do people think there's some kind of insurance that has anything to do with people shoplifting from a standard retail store?
Like that's not a thing. There's insurance for catastrophic losses and out of the ordinary stuff but there's not an insurance policy that's paying for people stealing from gas pumps, or grabbing a TV from an electronic store and running out the door.
It's about insuring employees, not the items. Businesses have insurance so that if a worker is hurt during work, they don't have to directly pay the related bills. That company will assume the risk that an employee helping a customer put a tv on a cart results in injury, but they absolutely won't assume the risk of confronting a potential thief.
Stores like Walmart and Winn-Dixie used to take out life insurance policies on all their low level employees ("dead peasant" policies) so that every employee who died got them a payout anyway. I wonder if that's changed their policies.
Of course it's covered. You can insure anything (with very few exceptions protected by law for obvious reasons). An individual case is likely not worth claiming when considering the deductible. 800 gallons might be. But, it can definitely be covered.
You actually can’t insure everything. And you definitely can’t insure everything for less than the cost of just suffering the loss.
There’s no viable or common policies that cover run of the mill retail shrinkage. It’s not a thing. Stores just have to eat it.
Before you argue this point try to consider how such a policy could possibly work.
You just total up what you think shoplifting is costing and tell the insurance company and they give you money? What business model is going on there exactly? How does the overall market work, where does the money come from that is reimbursing you for those losses?
You could insure that though. The cost of the policy would be higher than the cost of just eating the losses, but there are insurance companies willing to write the policy if you are stupid enough to pay for it. For things that happen all the time you are better off self-insuring it - that is eating the loss - than getting a policy. Insurance makes sense for rare events that are high enough loss that you would not want to self insure. Any common loss you should self insure, and the same for small losses. Only for larger losses that are not common are you better off with a pool of people who also might have that loss but probably won't - odds are one of you will but not all so you all limit your costs.
And since literally nobody wants a policy that reliably and predictably costs more than not having the policy it's not a thing. And since it's not a thing anyone wants insurers don't really have it.
Yes somewhere there's like someone that might have something similar for sale, sort of. But the point of the comment is that in general businesses don't have it.
I constantly see people say that retailers don't confront shoplifters because insurance will just cover it and it's not worth it. It's true they often don't, but not for that reason, since it's basically not ever insured short of a more extraordinary event.
There are special insurance companies that will insure anything legal if you pay the price which they will figure out. As you say it wouldn't be cost effective, but it still exists if you want it anyway.
Risk is calculated on a per incident basis. Deductibles prevent frivolous claims. It's pretty simple really. There's no need to downvote just because you don't understand something. That's just petty.
You can’t insure repeated ordinary course of business losses that you have almost total control over and are a core part of your business function.
You didn’t answer my question because it’s impossible to come up with a reasonable answer.
In insurance the cost of losses is borne by people who did not suffer loss.
So the cost of your car crash is borne by someone who didn’t have a crash. But they’re OK with it because they don’t know if and when it’ll happen to them. And an accident is a major loss, so they’d rather pay a little every month to avoid the uncertainty.
But shoplifting is a week in and week out thing. If you have a shoplifting policy that’s reliably more expensive than the shoplifting why would you keep it?
You wouldn’t because it’s not a thing.
You can insure for major losses, robberies and burglaries and so on. But no retail stores can’t and don’t insure for things like someone driving off with a tank of gas, or pocketing an iPad, or a steak, or something. It’s not an insurable risk.
You're making a straw man argument. That it's inadvisable is something we already agree on. That it's impossible has nothing to do with that. It's POSSIBLE despite being inadvisable. Choose your words more carefully next time.
Even if every business is completely and scrupulously honest this kind of insurance policy is completely unworkable because it's not an insurable risk, it's just a cost of doing business.
It's like trying to buy insurance to cover your monthly cost of airline travel. Like it's not a thing, that doesn't make sense.
Agreed. On the finance side, typically each store has a shrink allowance as a % of sales. The account is adjusted following the periodic inventory audit (usually annually). It rolls up to cost of goods sold so it is reflected in the margin.
So if shrink was forecast at 0.75% of sales but actually came in lower the store would see better margins on their financials.
Here in British Columbia, Grants law was passed requiring all gas purchases to be prepaid after a gas station worker named Grant was ran over and killed as he tried to stop someone attempting to gas and dash. Back then gas was much cheaper so someone died over like $50. Doesn’t need to be a lawless society just one where someone makes a stupid choice. And we have lots of stupid people out there.
"The Law was named for Grant De Patie, a gas station worker who was killed in 2005 by an underage drunken driver ... Grant was dragged 7.5 kilometers before his body was dislodged from the white Chrysler LeBaron."
It's pretty standard policy in most retail places.
Stories abound of staff at Walmart and Target being fired for attempting to enforce store shoplifting policies (https://www.ksl.com/article/14319284/4-walmart-employees-fir...). Broadly speaking, the risk of injury to other employees and customers, the risk of lawsuit if their staff misinterpret the law in the moment and overstep the authority each state gives them (a patchwork of law that stores are not interested in training its staff on), and mostly, the risk of brand harm if these stores gain a reputation for being a place where fights break out between employees and the public, regardless of reason, are far costlier than the opportunity cost of being unable to sell lossage.
Instead, companies just track lossage and sales, and if a given neighborhood proves to have too many shoplifters, they pull up stakes and close the store.
Its not necessarily good that they just losses happen and close up store.
I guess it gives room for small business owners, who are willing to shield themselves behind bullet barriers, willing to defend their own property with guns, and don't care whatsoever about bad PR.
Not to mention that small business owners can sometimes change dynamics, depending on why people steal.
It is, sometimes, one thing if it's Susan's shop (you know Susan; she lives in the apartment down on the corner of Fourth and Mission, stealing from Susan would be like stealing from your own aunt) and another if it's Walmart (you will never meet Sam Walton in your life, or any of the management of that company. There isn't even a franchisee).
My local big-box stores have taken to putting half the store's inventory in locked glass cabinets. Started with liquor, then detergent, socks, electric sawblades, car batteries, regular batteries, flashlights, bike parts, medicine, Monster drinks...if it's something you'll need to survive the apocalypse, it's behind glass.
It's unshoppable; nobody is ever around to unlock them.
Yeah, I feel like policies like the locked racks were thought up before the great decrease in retail staffing levels. At current staffing levels, a lot of places are operating on what would have been considered a light skeleton crew, all the time. I bet there were more workers on the graveyard shift of a 24-hour Walmart 20 years ago, than there are at most stores during the day today (not counting pickers for delivery/pickup orders).
They watch trends. If the store isn't making money - losses is only a part of this - they will not invest. The building and parking lot is only expected to last 20 years or so - they will stop maintaining them to milk out more profit until they fall apart and then pull up shop. Stores that are making money get remodeled and the parking lot repaved.
Precisely. And when everyone knows that the commercial lifeblood of a town is so hinged on multiple factors outside people's control, well... Might as well get those underpants while they're still in town, right? If you don't steal them and then Walmart pulls up stakes next month anyway because it makes more sense to invest in Tallahassee than your poor neck of the woods, you'll just feel like a sucker.
Murder rate in the UK is roughly the same.
It's lowest in countries with low immigration rates per capita.
Considering the lax immigration process in the US the crime rate is exceptionally low.
And let's not compare a slice of the US the size of the UK or it will be zero. Maybe the better comparison is US vs EU. Or would that be too unfavorable for your argument?
your statement that "the murder rate... is lowest in countries with low immigration rates per capita" is largely bullshit. Even the laziest of googling "crime and immigration rates per capita" shows that.
At best, the relationship is weak, and not well understood.
This connection is even more tenuous than your original claim that "the murder rate... lowest in countries with low immigration rates per capita". Now you're talking about crime and poverty, not murder and immigration.
Also, the first paragraph of you link explicitly says: "reliability of underlying national murder rate data may vary". I think k your argument is largely bs, and I'm not interested in researching the citations.
The second paragraph reads "Research suggests that intentional homicide demographics are affected by changes in trauma care, leading to changed lethality of violent assaults, so the intentional homicide rate may not necessarily indicate the overall level of societal violence.[6] They may also be under-reported for political reasons."
I don't think this list even makes the point that you seem to think it does, or, at least, doesn't make the point very well.
I love that this was downvoted and then all the linked pages in protest agree with me. Did you guys downvote because you don't like to know the truth? Do you wish the US was as horrible as the TV told you?
I’m not sure what you mean. It sounds like you’re implying that in the ideal lawful society, the gas station clerk is supposed to be the one defending the gas station against theft?
Yes. It is part of the job requirement and the essential character of a good wage slave for an hourly, minimum-wage employee to lay down their life with joy and zeal in defense of their employer's profits and property.
In an ideal lawful society, a disagreement over gas won't escalate into a violent confrontation. So the attendent can intervene, because they aren't in physical danger.
A robbery there would go something like:
(Note: for some reason this seems to work best in a New Zealand accent)
“Listen up, sir. I intend to steal the contents of that till. Be a good pal and hand it over.”
“I’m afraid not. As you know, I’m duty-bound to protect this till, and I’m not about to hand it over to you.”
“I’m afraid I must insist. I intend to take it, all of it. Don’t make this uncomfortable. I don’t want to use harsh language, but I’m serious.”
“I’m sorry, but it’s simply out of the question. There’s policies and regulations. I can’t just give this money out to you. If we did that, do you know how many people would be in here robbing us every day? There wouldn’t really be a gas station at all, would there? May as well shut the whole thing down then.”
sigh “No, I’m sorry. I should have expected you weren’t about to give me the cash. I’ll leave. Obviously I’m not about to use physical force, and it’s clear you’re not budging on this one.”
Yeah, if we're dismissing the possibility of direct physical violence with the wave of a hand, why not wave the hand a second time and dismiss the possibility of gasoline theft?
Bluetooth controlled? The device sure, for all we know it's just kicking over the dispenser. The clerk isn't looking but I'm sure if they look at the pump on the register it's counting.
It's still all serial based comms, but unless the attendant is trained or aware they might just think someone is pumping. It will show up on the daily report when the dispenser report doesn't match the sales report.
If the attack were better understood by people who didn’t perform the hack then it wouldn’t have happened.
I don’t think any engineer in the last 20 years would put IR on the thing. At the same time I wonder “who would put Bluetooth on the embedded controller for such a machine?”
With so many multifunction SOC embedded controllers out there it's possible some one just didn't cut the lines to the radio built into the board that was selected for other reasons. Would not surprise me to see a lot of control boards that expected firmware or dip switches to disable unneeded functionality versus having a different line for similar boards if they weren't being made to a specific end customer anyway.
If this is a language thing it's a neutral idiom, compare it with 'kill two birds with one stone' for something that deals with multiple issues at once or 'kill some time' to occupy yourself while you wait for something. If I say I'd kill for decent documentation I'm going to be reaching for a text editor rather than a rifle!
This is a weird hill to die on (pun intended!). Idioms and colloquialism are the spice that make language fun and interesting instead of bland and clinical.
The source article is so poor it's mind-boggling. Is this the kind of "news" people actually spend their time reading? My IQ has temporarily dropped from subjecting myself to that.
Reading between the lines, it sounds like one person performed the hack, and numerous people then proceeded to fill up for free -- knowingly or otherwise. There's no specific assertion anywhere that one particular individual stole 800 gallons of fuel. Of course that doesn't stop dozens of news sites all over the web from reporting inaccurate "information".
The article seems a little light on details. I don't expect them to explain exactly how it works, but is this a bug/feature in the pump design?
If you can just roll up to the pump and communicate with it over Bluetooth, then I'd argue that it's a design flaw and the manufacturer should be held accountable as this seems like a gross laps in security.
The article is poorly written. "Scammers are using cellphone's Bluetooth option to hack the pump - and get it for free." is all the detail you get. My cellphone's Bluetooth doesn't have that option.
This sentence doesn't know if it's in the local paper or at a slam poetry reading:
"Paying at the pump is for chumps - when you can get gas for free - and illegal, but it didn’t stop a Detroit man from stealing almost 800 gallons of gas at the Shell at Eight Mile and Wyoming."
If you're on android, there's a bunch of bluetooth-serial apps that let you send more or less whatever raw data you want.
On iOS, there's nrf connect. Which is slightly more limited, but can still do BLE. I think there's other bluetooth-serial apps for iphones, but apple has a stick up their butt about bluetooth-classic not working super good unless the other device has a "made for i" chip/cert in it.
If either of these don't work well enough, ESP32s can be had for <$5 and can act as a bridge between your device and whatever you want to exploit.
> On iOS, there's nrf connect. Which is slightly more limited, but can still do BLE. I think there's other bluetooth-serial apps for iphones, but apple has a stick up their butt about bluetooth-classic not working super good unless the other device has a "made for i" chip/cert in it.
Is BLE why "modern" iphones don't have issues with android/3rd party devices/accessories? I remember a long time ago when an iPhone meant you could only share bluetooth with other Apple devices. My iPhone today doesn't seem to be like that.
Kinda. From reading the docs, apple really didn't want the battery drain and software jank that came with classic bluetooth. Pretty sure bluetooth audio has been exempt most of the time though.
You have to enable the DevTools, but that requires a $99 annual fee. If you can't afford gas, it's not likely you can afford that fee too. So it's kind of a perfect catch-22
Why would you have to enable devtools? Also, with just an unpaid icloud account, you can build, sign, and install apps to devices with an expiry time of one week.
It's better to just return it to a different gas station. Selling gas is more difficult than you might think because of rampant dilution/adulteration in the secondary market. Can't just go door to door saying "Hey I bought too much gas" or "My car only takes 93 octane" -- nobody trusts anyone anymore.
When you make a return without a receipt you generally just get store credit instead of cash. If you don't need some chips and tallboys, you can typically sell the credit to someone behind the station for .3 to .4 of the face value. That isn't great but since the gaming machines only take cash its a solid way to get liquid.
Just act normal and ask for the manager. Like the parent comment noted "probably very much worth the small investment in tools." Be sure to get one of the fancy black rubber hoses instead of the green ones so things look more professional.
Yes it's a clear design flaw but it's still theft. It's not like you're legally allowed to rob a store if the front door lock isn't installed properly and doesn't work.
I think the point of the Kia and Hyundai cases is that customers had some expectation that the locks would actually provide a higher level of security than they actually did. Otherwise why even bother having locks? Saying that "stealing is illegal and we should pushing the thieves not the companies for failing to provide security" completely negates the point of having any security industry.
If you provide a product that is intended to offer a certain level of security you should get punished when your product fails in a spectacular manor.
Weird how the level of protection the Kia and Hyundai locks provide change depending on whether your local law enforcement agencies are effectively able to deter theft?
To some extent, but the TikTok craze was just crashing it, which happened to my parents. The car made it all of 30 ft and they hit a tree. Honestly not sure what local police can do to stop that.
Is an ignition a lock? How about the wiring to the ignition…?
It would be one thing if Kia and Hyundai advertised “anti theft” via an immobilizer then didn’t actually put one in. They just left it out because the company is being cheap. The cars being sold with this vuln are cheap. You get what you pay for.
Models affected by this extend well into the 30k range. This is not just affecting the cheapest possible vehicle someone can buy and we're running into people not setting expectations accordingly. Equally cheap vehicles from other manufacturers are not nearly this easy to steal, particularly by completely inexperienced thieves.
Cheaper than the mean perhaps, but again not bottom of the barrel for many of these models.
However, even if you want to keep focusing on these being 'cheap' vehicles, it STILL stands out in the industry as highly unusual. Even back in 2015, 96% of vehicles from other manufacturers had these devices (https://www.iihs.org/media/0e14ba17-a3c2-4375-8e66-081df9101...). It's a pretty easy argument to make that consumers would not be looking specifically for a feature that is near universal elsewhere. It was an abnormality and Hyundai/Kia will, unsurprisingly, pay for it in the long run.
30k car is definitely not "cheap". That statistics is skewed by 1) high-end cars (Bill Gates walks into a bar, everybody's average income doubles) 2) the fact that people that can't afford expensive cars just buy used ones. That doesn't make the new ones less expensive in any way.
Stating "You get what you pay for" is a strange way to both blame the victims & attempt to absolve multi-billion dollar corporations for not including a standardized piece of security equipment, when you consider that every major manufacturer sells vehicles firmly in the same price bracket - up to half the price of your reported average (we love to forget about outliers, don't we) that have this equipment.
Pedantry about what security was advertised or not will not make a compelling case. What a strange thing to try to argue.
Nobody even knows what an immobilizer is or how it works. They put key in car and go. People don't even read the manuals that come with the car. Most people don't even read signs along the freeways while they're driving.
This kind of willful ignorance about cars goes so far that insurance companies willfully chose to insure these cars against theft, and claimed they had no idea that the cars didn't have immobilizers. And now they are suing the manufacturers. It's the insurance company's job to evaluate risk. All they had to do was read the fucking manual and if it didn't say something in there, ask.
I’m stating the manufacturer did not advertise this security feature, nor did any of the purchasers really care until their cars started getting stolen and used to cause mayhem.
You stated a basic security feature such as an immobilizer should be installed by default because it’s cheap.
Well, then I suppose you could rightfully punish the manufacturers for cars sold in Europe that don't have them. But, you should probably not punish manufacturers for cars sold in the US that don't have them until you make it illegal to sell cars without them in the US...
If you distill it down, it essentially comes down to not doing things that no law explicitly requires (lest you end up with walls and walls of law books simply describing very specific matters), but can be reasonably expected of you to have done.
What’s reasonable depends from time period to time period and the norms that exist, nevertheless the concept exists.
A good example would be you owning a house with a balcony in an unincorporated area where no law exists that sets requirements on structural integrity of such things.
You’re aware that the balcony might be a bit iffy and it has been decades since last it was checked out by a professional.
You have guests over, you don’t bother telling anyone to stay away from the balcony.
Some of your guests walk underneath the balcony, or worse, they go out onto the balcony to have a smoke.
The balcony collapses and your guests get injured or die.
You’re on the hook for negligence. Specifically negligence that resulted in tort in this case.
Hell, in some places, depending on the prosecutors in the area and the laws on the books, you might even be criminally liable for negligent homicide.
My comment on the EU and the regulations there isn’t to imply that the laws there apply to here in the US, rather it’s used (and could be used in real life) as a way to argue that the solution is inexpensive and not implementing it could be considered negligent because there is an easy solution available due to that regulation.
But what we're talking about here is that there are "bad guys" (tm) who stopped by your party and used a chain saw to cut the supports under the balcony, which would not otherwise have fallen down. But you could have prevented this if you had reinforced the supports with steel posts.
The Kias and Hyundais didn't steal themselves. Let's put the blame where it lies, on the f**ing criminals.
Are you really taking the side of the idiots who made a modern car you can Hotwire in 45s with no special tools? And then refused to issue a recall and fix the problem?
The pump itself is the least secure piece of technology in existence. They keys to open them are common, the communication is all serial based and hasn't changed at all in 40+ years.
It wasn't more than a decade ago that I was swapping 3des pinpads out. If you had really old pump all you needed was a small screw driver to stop the meters from turning after you popped the front panel off.
I suspect it might've been something like a default feature of the embedded PC that they didn't bother to disable, so you can "plug in" a BT keyboard / mouse and take control of the system.
Gas pump hacks in the past have been related to opening up the cabinet and adjusting the flow sensor to lower the sensitivity so that you pay for way less gas than what actually came out of the dispenser. These sensors have an interface between them and the controller so it could be possible to add some MITM device that can edit the flow reading to something much lower or none at all while gas continues to come out of the dispenser. Add Bluetooth to the device and you can turn it on and off at will so that no law-abiding citizen complains about the pump supposedly putting out less gas than what they need. These pumps aren't inspected frequently so if the replica tamper sticker looks good, the pump puts out the right amount during a state inspection, and you aren't so greedy that the owner notices, you might get away with the scam for a long time. 800 gal is a lot of gas and could have easily filled tanks for at least 50 cars. This guy could have slowly stolen 800 gal over the course of a year and probably no one would have noticed.
This happened back in the 90's so I'm sure things have changed a bit since then.
One of the guys I went to high school with worked the swing shift at a gas station in our town. The shift was 11pm-11am. It was a small town so the gas station rarely had any business after midnight. I guess the guy got bored and started reading all the manuals the manager had in his office.
To this day, I'm not even sure how he did it, but he managed to change the price of gas/gallon on two of the four pumps down to 5 cents a gallon. Then he proceeded to call all his friends and family to come fill up for almost nothing. He reverted it back sometime around 5 or 6am. It took the station a few months to figure out what had happened, but by then, we both had graduated and were on to college. I remember running into him at a bar when I was home and he told me the whole story.
When I worked there (before he was working the night shift) I remember there was a box on the floor by the cash register which displayed the price of gas. It had a sizable chunk of cables going in and out of the box, along with some buttons on top near the display. The manager at the time told explicitly not to fuck around with that box, its a federal crime and I will go to jail. I'm guessing the guy figured out how to change the price from that box.
The manager always has power to change the price of gas. At the big chains the manager is required to drive around and note the price of all the other stations and then apply that to some other formula to decide what price to mark. If any station doesn't everyone in town figures out where the low price is and that station runs out of fuel and has to pay for an expensive emergency delivery. This is why stations in the same area all have the same price.
Your story is from the 1990s, just based on the state of technology we can assume that the pump prices were set at a computer inside the station that wasn't networked. The computer probably had a modem that called headquarters once a day to upload information, but the manager directly edited the prices when there was need to change prices.
Note that the manager drives around to look at the posted prices on all stations around. The manager is not allowed to talk to the managers of each station as this would violate federal monopoly laws (this does happen all the time, but legally they cannot do it and that is policy any chain will have - they may or may not ignore a manager ignoring the law depending on if they think they would be caught).
Because the phone company as a log of who called who, and if the feds see that record they will assume illegal collusion. No sane franchise will allow a phone call in their policies as that policy is allowed in court as evidence they are talking to the other station. If you drive and write down prices that is the easiest way to stay legal.
I'm sure gas stations do illegal collusion all the time in some towns. However it is illegal and so at least some station managers will not do it and all company policies will say drive.
As someone who works in IOT, my guess is this is a new feature for servicing. Letting a technician communicate with appliances, machines, etc.. over bluetooth using their phones is becoming more and more popular and the security around these features is designed to be as simple as possible to avoid calls to tech support. Getting access could be as simple as entering the service companies id. It's like how heavy machinery drivers just leave the keys in their vehicle cause it's easier to share and they assume no one else will try to use it.
Heavy machinery all has the same key unless the customer paid for the option to have different keys. Most modern stuff has a GPS attached and some form of cell connection: the machine won't start if the machine isn't in the geographical area it is supposed to be. If you have the key you can start anything.
I've been looking at my unifi SSID log recently, although most of my APs are in a secure area (there's a ring of steel), clearly some are close enough to the road to pick up a fair few cars over the previous 24 hours -- 114 Audi_MMI_nnnn APs (and a few like "Frazer's Audi", quite a few "My Skoda/SEAT/VW 1234" too
> They could be keeping logs of unique identifiers to sell to location data brokers.
Not to say no one did that, but it seems pretty stupid to integrate that into the pump itself (as well as extra trouble).
Seems like if someone wanted to do that, it would be far easier to those companies to just ship a Raspberry Pi-sized device and bolt it to the side/top of the pump, or put it up in the canopy with the lights.
On a related note, I recently went out of town and received several spam calls from phone numbers in that area. Some app on my phone seems to be selling my location data to these spam callers.
I'd be quite surprised if they didn't come up with other identification techniques. Even if you couldn't pin point an individual anymore, I'm sure you can still learn a lot if you could somehow get version numbers from devices, wifi signal strength, etc. (especially when you can just dump it all into an AI now)
RF range is down to how good your antennas are and the local environment rather than hard limits. With a good environment I can pretty easily get about as far away as pumps are from the building without losing connection. PHone and headsets are generally using tiny antennas to fit their form factor so they fall off quick.
I wouldn't base a national franchise's business on what BT 5.0's 'up to' states, but it's not impossible that they would rely on at least 50 meters working. I can think of very few gas stations that have a separation from pump to cashier of more than that and most of them are truck stops.
Nothing is stopping you from using a high gain antenna though (well, other than regulations, but if you're stealing has you presumably don't care about FCC violations...)
Originally you were talking about bluetooth being there for the cashier to work the pumps, now you're talking about what the thief is doing, which are two different things.
The interesting question is how often they notice, and whether the pump keeps logs. Because not everybody is stupid enough to invite their entire neighborhood to a free-for-all.
Just drive up, unlock pump, fill up, lock pump, leave.
I would not be surprised if the pump doesn't have a time-stamped log of Bluetooth service function calls. And even if it does, how long can you run this scam before they notice missing inventory from their underground tanks? How long do they keep CCTV footage?
You're talking about running image detection on the video footage and correlate with payment system receipts?
You could probably hack that together in python in 15 minutes, but I doubt there's commercial software offering that functionality. Which means nobody (outside a digital forensics firm) is doing that, and certainly not for $60 worth of gas.
And still, that requires the station even noticing missing inventory. I really wonder how long people have been using that hack, you'd probably check for leaks in the underground tank before checking whether your pumps have been compromised...
>You're talking about running image detection on the video footage and correlate with payment system receipts?
Or, do what has been done since the beginning of video recordings used in investigations...have a human sit in front of the screen scanning the footage.
You're advocating paying a dev at a significantly much higher hourly rate to develop something that will find Ryan Gosling stole the gas from Santa's sleigh with a pattern of snakes painted on it. Now what?
If you can make such a program in 1 week there are plenty of franchises willing to pay for it. It doesn't have to be very good, even if 50% of what you show is a false positive and you only catch 20% of all crimes you say that is still more than enough for a human to look through everything you flag and get the police involved. While it probably directly costs more than eating the loss from these crimes, you only need to catch a few cases to be worth it.
Hell, if you're doing it all with Bluetooth anyways, get one of those electronic license plate cover devices that have become a plague with all of the worst drivers in every town who try and avoid tolls and red light cameras...
My memory is that pay inside was a forced prepay option? My entire adult driving time has been after the advent of card readers being on basically every gas pump so I'm going off vague childhood memories of going in to pay for my parents.
And in most places, what they lose on fuel theft, they more than make up on sales in the petrol station shop which is where they really make their money, so they have little incentive to change.
When I still had a motorcycle (early 2000s), I'd find a lot of rural stations didn't have modern tech on the pumps, and there were a lot of stations that still allowed pump-then-pay.
Some stations just have shitty tech. A station near me fails open if you initiate a credit card transaction, take the pump off the hook, and then abort the transaction.
Last week I had some idle time, and I was looking up whether they sold multi-color e-ink displays in a 6"x12" size.
My state doesn't even emboss plates anymore. If I did mount one and kept my real tag number on it, could anyone even tell? I'm boring as shit, so I don't know why I'd have a James Bond gadget on my car...
> Looks like pump then pay is more regional than I assumed. Yes it’s still a thing in some parts of the US in 2023.
I haven't seen this in forever. Even the shitty little gas stations where I grew up, I thought those were all upgraded ages ago. The EPA tends to frown on tanks that have been in the ground a long time, and since that's the biggest cost, they tend to get the electronics upgraded too so that it's pay at the pump. No idea why anyone with cash wouldn't be forced to pay first.
There was a post on here where some one mentioned a lot of people just install bike racks to block the plate and said Amazon sells lots of plate hiding stuff. I'd definitely seen plastic covers that obviously made the plate very hard to read in the wild but I'd never really thought about using different kinds of luggage racks to obscure plates.
Of course, my state used a bunch of bad paint on license plates for a number of years so you could just peel off all the paint removing any contrast from a legit plate and you'd look no different than most people's unreadable plates anyway.
Except that hitting "Pay Inside" probably activates the "get high res photos" function because that's a known fraud profile. If the pump is tricked into giving gasoline for free how long does it take for the gas station employee(s) to notice something went wrong?
Interesting - in Canada, if you want to "Pay Inside", you have to go in and actually pay - they authorize the maximum transaction, and it unlocks the pump and sets it to a maximum amount. If you pump less than that amount, you pay only for what you use. But, OTOH - Canada seems a bit ahead of the US when it comes to Interac/debit-card transactions in general (... but also a little "behind" Europe and AU/NZ...)
A lot of places in the US are either pay by credit card at the pump or pre-pay inside only. I've also seen where "pay inside after" only works if you leave your driver's license with the attendant inside before the pump is activated.
Huh, interesting.. the usual default in most of Europe is pump then pay, with nothing required beforehand, they have your license plate on video anyway?
It used to be like this in the US too. Now we have “upgraded customer interactive digital displays” that stream ads, TikTok, “cheddar news” , and propaganda into your brain while you pump and I haven’t seen a pump then pay in some years.
Side note: If you're at a pump with those stupid TV things, try and hit...right side, second button from the top. This usually activates mute. Some people go to the effort of putting little stickers indicating where the mute button is. Other times you can tell which one it is if the button is heavily scuffed. If that button doesn't work, just try pressing each of the other ones on there. In my own experience, it doesn't hurt to try. I think one time the left side, bottom button worked too.
Whatever the case, I find those infernal things to not only be obnoxious, but a potential safety risk. I mean, you have a customer literally in the process of handling large quantities of dangerous, liquid flammable material which emits fumes that can be ignited by a spark, with potentially inadequate controls in place to stop it killing people. So, let's distract them with shrill, unwanted blather-boxes showing distracting imagery. I make a point of trying to avoid gas stations that have those stupid things installed precisely for that reason - I don't trust that location to put my safety above them making $.0002 from some shady ad network.
I just can't stand that there is such a concerted effort for this war on silence. Just give me a few minutes of simple contemplation.
Just a personal anecdote, but miss-timing your button-press sometimes results in a car-wash being added to your pump charge.
I was trying to hit skip or cancel or something (this was in the Before Times, barely remember what it was asking) and what was the skip button became the "Yes, I'd like a car wash" button as the next ad started. I always suspected this was a bit of Dark UI level trickery, but could also have just been unfortunate button selection between two separate ads.
Since then, I just avoid those buttons when ads are playing lest they get me again!
It would be better to put some tape over the speaker grille to cut the volume by a good amount, since it would help the next person and generally improve the place. Hostile defaults and having to repeatedly do some action to "opt out" means the shitheads essentially still win modulo an illusion of choice, like so many modern dynamics.
While I fully support this if user hostile then hostile user idea, I remembering hearing stories about people putting Biden stickers on pumps getting charged with crimes. Apparently any sticker or even magnet could be argued to be an attempt at changing its pumping mechanism. So maybe just be discrete.
There's always the possibility of malicious arrest/charging/prosecuting when bucking the authoritarian order of just accepting that it's proper and just for shit to be rolled downhill. Funny how there's never any charges against hostile pump owners for assault, disturbing the peace, possible stalking [0], etc. The answer is to be aware of the vanishingly small possible downside, do it regardless, and then be personable to mitigate the damage if you do end up drawing aggro.
(Not that anti or pro Biden stickers terribly upset that status quo. The problem is having upset the wrong person with a modicum of power)
[0] If the nuisance pump is tied into the commercial surveillance databases for choosing what content to blast. I've no idea if we're there yet.
I recently learned that you can mute some of these! I've had success with the top right or second from the top on the right button near the screen. No reason not to try them all if you're a captive audience anyway...
I spam all the buttons on any pump to attempt to mute it, and like you have had success with top right, or second from top on the right having the highest success. In my area, I'm only about 1/4 in being able to mute it, but when it works, usually top right.
You can't buy a toothbrush without calling a attendant where I live, no way they let you pump $100 of gas without paying first. Pay after was the norm when I was a kid though.
>in Canada, if you want to "Pay Inside", you have to go in and actually pay - they authorize the maximum transaction, and it unlocks the pump and sets it to a maximum amount.
I'm in a good-sized city, and every gas station I've been to lets you pay inside after filling up. The only ones that require pre-pay (either by going inside as you described, paying for a max amount, or by CC) are the farthest pumps away from the store.
this is insane to me. I have not been to a single station in the continental united states in the last 7 years where "pay inside" does not equate to "pay first"
That being said - perhaps its an "attendant" state? Several states have laws which restrict motorists from pumping their own gas, is this the scenario which you are talking to?
Laws saying you can't pump your own gas? Having to prepay inside? Wow, I'm flabbergasted, and it's a bit funny you're thinking it's insane the other way around. I guess it's what you're used to.
When tanking before paying, I also used to get into the car and move it so that someone else could fill while I was inside(it would start a new transaction when you put the nossle back), probably to you look like a dash from the bill. Then walk inside saying "hundred and fifty something on pump 3 is mine".
But I haven't seen a pump not accepting card in what, 20 years, here? So haven't used anything else for ages (and now got an electric car anyways)
thank you! This pattern essentially disappeared from the US with the exception of perhaps the very smallest and remote locations (public accessible) seemingly since the late 1990s (I do remember this pattern as you have described, just not in the last 20years)
I'm in Canada and I have never seen a pump or gas station in the last 10+ years that allow you to pay after filling up. I had thought all the stations have changed since incidents like this: https://www.theglobeandmail.com/news/national/attendant-drag...
Perhaps only BC made the switch? Not sure. But I filled up this morning and paid after the fact at PetroCan, so it's definitely not a Canada-wide thing.
That was normal in Texas ~15-20yrs ago. But in the intervening time, I've seen that become less common. I've run into places that won't let you pay after and will instead just ask you to prepay (full transaction) and come back in to get the difference refunded.
But I've also ran into plenty of places that if you hit "pay inside" on the pump will simply just turn the pump on, or will call you via the pump intercom (is that common everywhere?) and tell you they're turning the pump on for a max of XX gallons and to prepay or use the card at the pump if that's not enough.
The pump intercom is done because then you know someone inside actually saw you and is expecting you. If you drive off without paying they are much more likely to notice and call the police in time for the police to catch you. Or at least that is what they want you to think.
Yeah, I figured the intercom call was to get you thinking that they're watching closely, even though they're usually too busy with other customers to really be watching someone on the chance they drive off.
Nope! It's actually because there's a financial standard transaction flow for things like pumps!
-Confirm account: super small test move to confirm liveness of endpoint
-Place hold: (locks $⁷5 worth of funds attached to an account)
Finalize transaction
-Finalize transaction for final amount
-Release hold
This is actually a really troublesome thing for people who have trouble keeping their account balances positive, because you can end up locking them out of further financial activity until the hold is expired/released.
It's one of those things you don't really think about but are all over the place, and are a big part of making the world turn the way it does.
Similar problem for people this close to the financial edge: saying "I want exactly $23.46 worth of gas" because thats all the cash they have, a penny more wouldn't fly. Much easier and safer to ask the attendant to preload the pump with that amount and run it down to zero than to try and get as close as you can with the trigger without going over.
This comment is kind of confusing; maybe others have had a different experience, but I live in the Midwest and what you're speaking of has been the norm for like the last decade. I've been driving for 13+ years and don't have any memories of being able to pump gas without first paying at the pump, or paying inside and my pump automatically stopping at the amount I paid for.
I starting driving in 1990 - back then there was no pay at the pump so the norm everywhere was to pump gas then go inside and wait in line to pay. You knew you were in a bad neighborhood if you had to pay for your gas before you pumped it (you probably already knew you were in a bad neighborhood, but this confirmed it). About 15 years ago stations started to realize that nearly everyone was paying at the pump even if they were going to come inside for something else - which made it much more likely anyone not paying at the pump was trying to steel gasoline and so they went to pay first as few were inconvenienced.
I do not miss at all standing in line behind someone who couldn't figure out which lottery ticket they wanted to buy.
Presumably they find out within a week when they reorder gas and the filling truck has to fill substantially more than expected.
They probably start investigating for a fuel leak, pull the data from all the pumps, and then realise the number of gallons pumped and the number of gallons paid for don't match up, and then check the CCTV.
Depends really. Most businesses will assume some amount of shrinkage. If you fly beneath the radar eg only hit the station once a month or every other month. You might get away with it.
Not to mention the margin of error. Do fuel delivery quantities really exactly align with sold gas, to within a gallon or so? Or is there natural variation from each transaction being +/- $0.01, plus evaporation, plus any other rounding/physics considerations?
Here in NL it's 'pay inside' or 'pump then pay' by default unless you're in a border region where there are a lot of scammers. And judging by some recent foreign trips pretty much the same happens in other countries in the North of Europe.
Around here I've been noticing an alarming number of vehicles being driven around with deeply expired tabs, dubious bits of paper tacked in the license plate area, or frequently no plates at all ever since the pandemic. Depending on where you live this just might not be enforced very much at the moment.
>>Edit: Looks like pump then pay is more regional than I assumed.
The only place I have ever seen the requirement to pay first was in some tourist resorts in Spain, I guess to prevent theft. Weirdest thing ever, it's like....lady I have no idea how much fuel this rental car will take, how can I possibly prepay you.
All the credit cards have a reserved amount they can pre-allocate so that once the final bill is due, you're required to pay at most X dollars (the max that you chose at the pump). It's fraud proof. Like it or not, it'll likely be deployed everywhere eventually because it should be able to cut down on fraudulent purchases significantly.
....is it common that people fill up and drive away without paying where you live? I have literally never heard of that happening, ever - I guess if you tried you wouldn't get very far, police would be called and they'd find you quickly with the reg plate.
What do you mean by common. The vast majority of people do not do this every. However even in the best areas someone will do it (I'm guessing a few times per month). In really bad areas it happens several times per hour. Generally the police are good at finding who did it when this happens, but only if the station notices in the first place - they don't always.
>I have literally never heard of that happening, ever
How would you hear about it? Unless you're friends with a gas station owner/employee, how would you know? The amount is small enough that it'll never show up in local media, just like the local teenager shoplifting wouldn't show up on local media.
For whatever reason, everyone within 25 miles of Detroit "lives in Detroit" even though a whole lot of us might visit the city less than once a year.
The media will usually say "Metro Detroit" when referring to someone who doesn't actually live in the city[0] of Detroit and given the location of the gas station, it's probably an actual person who lives in the city.
[0] In which case it could be someone living in one of three different counties.
I always got the impression that it's based on not wanting to say you're from "Detroit". You say you're from Royal Oak or whatever. People get confused. You hold up your palm and point to the lower right corner. People are still confused that you just pointed to Detroit...
Meanwhile people living within 40 miles of Chicago 'live in Chicago'. Some insist on it themselves, others are put into that box by the rest of the Midwest.
The dispensers have constant real-time communication to the forecourt controller and the attendant inside. What are they showing when this "hack" happens? Are the attackers taking the RS485 line down (which would show the pump offline immediately inside) and forcing the pump to manually dispense?
I'd kill to see some more actual information than this. I am not aware of a single pump on the market with Bluetooth right now but I do remember some IR-based remotes for some old Wayne pumps.