
Inside Arizona’s Pump Skimmer Scourge - rfreytag
https://krebsonsecurity.com/2016/09/inside-arizonas-pump-skimmer-scourge/#
======
taxicabjesus
The first address I recognized is the Shell station just down the street from
my Grandfather's house. It's not a very nice neighborhood anymore (a planned
freeway just to the south was canceled back in the 1980's, and all the houses
that had been taken by eminent domain were auctioned off. The new tenants
didn't take care of their neighborhoods like the owners used to).

Some of the stations are in rather well-to-do areas. 4995 N Granite Reef Rd in
Scottsdale is a Shell station too, and is pretty close to downtown Scottsdale.
Lots of Circle K's - most of these stores are corporate, but a few are
franchises.

I usually paid cash for my gas, and I haven't been skimmed. I brought up
'skimming' at my credit union the other day, when I deposited to savings
rather than checking, and the teller said it's a problem for them in the
Phoenix area.

Edit: Looking into it more, these aren't little Mom-And-Pop gas stations,
they're mostly Circle K's (corporate) and franchises of big-name energy
companies - lots of Shell and Valero franchises.

[https://en.wikipedia.org/wiki/Valero_Energy](https://en.wikipedia.org/wiki/Valero_Energy)
\- for example:
[https://www.google.com/maps/place/1925+N+Scottsdale+Rd,+Temp...](https://www.google.com/maps/place/1925+N+Scottsdale+Rd,+Tempe,+AZ+85281/@33.4507211,-111.9282363,17z/data=!3m1!4b1!4m5!3m4!1s0x872b096adbaace2b:0x857f89f063f036fc!8m2!3d33.4507166!4d-111.9260476)

[https://en.wikipedia.org/wiki/Shell_Oil_Company](https://en.wikipedia.org/wiki/Shell_Oil_Company)
\- for example:
[https://www.google.com/maps/place/4995+N+Granite+Reef+Rd,+Sc...](https://www.google.com/maps/place/4995+N+Granite+Reef+Rd,+Scottsdale,+AZ+85251/@33.5090157,-111.9007588,19z/data=!4m13!1m7!3m6!1s0x872b0a5213ae16ad:0x6149ce885316ee98!2s4995+N+Granite+Reef+Rd,+Scottsdale,+AZ+85251!3b1!8m2!3d33.5089587!4d-111.9000426!3m4!1s0x872b0a5213ae16ad:0x6149ce885316ee98!8m2!3d33.5089587!4d-111.9000426)

Edit 2: Mile Marker 27 (Last Stop) is a Texaco:
[https://www.google.com/maps/place/Texaco/@35.7114132,-114.51...](https://www.google.com/maps/place/Texaco/@35.7114132,-114.5191791,11z/data=!4m8!1m2!2m1!1sfuel!3m4!1s0x0:0xdd2ce9b0d195bd2d!8m2!3d35.6843504!4d-114.4672394)

~~~
basseq

      ... a planned freeway just to the south was canceled back 
      in the 1980's, and all the houses that had been taken by 
      eminent domain were auctioned off. The new tenants 
      didn't take care of their neighborhoods like the owners 
      used to.
    

This blows my mind. So the local government forced people out of their homes,
then said, _" Nevermind!"_?

~~~
taxicabjesus
The freeway was also going to take out a private high school, which has many
influential members of the community as alumni. It was not even a necessary
freeway - parallel to I-10, but only a few miles to the north.

I might be wrong about the details (I was a kid at the time), but this page
confirms that a freeway in this general area was canceled 'due to neighborhood
opposition':
[https://www.arizonaroads.com/arizona/az50.html](https://www.arizonaroads.com/arizona/az50.html)

------
ndesaulniers
Family friend in CT was just telling me about this. He works for the Dept. of
Weights and Transfers. Said they usually make sure that pumps give you exactly
the amount you pay for, but lately they've been working with the Secret
Service and finding even the insides of pump machines compromised.

Recommends preferring paying in cash, then credit, lastly debit and if you do
so, move your money out of that account and into a savings account.

------
jimjimjim
This is a mostly solved problem in the most of the world. (but only mostly).

lock the cabinet, have cameras, have a non-flat shaped card reader slot
(preferably with a picture of what it should look like stuck next to the
reader), have a sealed emv/pci compliant reader/pin pad component, schedule
regular checks of the equipment, remote alarm the pump enclosure.

and finally have credit card companies or head office tear shit out of the
site if they don't have these.

~~~
67726e
Unless the legislature forces this, I doubt it will happen. The banks and
credit cards have turned these exploits into a problem of the individual
instead of a problem of the institution (which has shit security). So you and
I get stuck with the fraud and they get paid, typically.

~~~
basseq
I've been the victim of a couple forms of fraud (fraudulent charges in TX,
Macy's CC opened in my wife's name) and the CC companies bent over backwards
to accommodate us. No _hesitation_ that the charges would be reversed, holds
placed on the account, and new cards sent.

That and fraud detection is getting better. I went home to visit my parents (2
hours away), got gas, then exchanged USD for €300. That triggered their
algorithms (as well it should have), and I got a text about 10s after I swiped
my card.

~~~
67726e
That's interesting that my mom has had the exact opposite experience with
getting their identity stolen and fraudulent cards opened in their name.

------
mc32
Why don't the operators add a daily check for skimmers while they do their
daily pump checks? And with video so affordable now, even if it's only on a
7-day retention, they can turn over evidence to authorities to catch the
perps?

~~~
lifeformed
It would help, but a lot of places just don't do it. They said thieves target
places that neglect security, which there are plenty of.

~~~
mc32
Maybe GasBuddy or the like can begin identifying stations which have
experienced compromises (and are complacent) as well as ones which maintain
some operational security or at least actively seek to fight the skimmers.

I would certainly give preference to stations with better scores, in that
regard, even if there were a modest price premium.

------
technofiend
Cash is king now. But just enough some wayward cop doesn't confiscate it
because it's all shifty and suspicious looking.

------
ericmason
Will skimmers be rendered obsolete by chip cards? It seems like this will all
be over when the last magnetic strip reader is shut down. Although I've never
seen a chip reader at a gas station, so it may be a while.

~~~
kbart
It is impossible (yet) to hack chip & pin. The problem is that even chip cards
have a magstripe that can be skimmed. EMV[1] enabled fallback funtionality by
default, which is the biggest issue imho. Basically, if your chip is broken, a
terminal goes through fallback mechanism and uses magstripe instead. This way
you can clone a card with "broken" chip and copied magstripe. Some banks allow
to disable (opt-out) magstripe for chip cards, so unless you are in US, you
should do that. I've seen some people intentionally scratched magstripe, but
I'm not sure it's a very good idea.

1\. [https://en.wikipedia.org/wiki/EMV](https://en.wikipedia.org/wiki/EMV)

~~~
emp_zealoth
Or, you know, take your fingernail and scratch the shit out of the stripe. Or
play with some strong magnets. Or sand paper. Or... you get the point

~~~
kbart
Sure you could. But I'd like to have a backup options in case I end up in
strange place that doesn't accept chip&pin or my chip is really broken while
on travel. It could be opt-in, so in case I need magnet, I could call my bank
and ask to enable it.

------
Xunxi
There have been incidents where in-store attendants have been caught skimming
cards with handheld skimmers I would be surprised if done of these gas station
attendants are not in league with the criminals or even install some of these
devices on their behalf.

------
byron_fast
Now I want my car to be able to detect local Bluetooth signals and warn me
about skimmers.

~~~
TeMPOraL
The thieves will then switch to Wi-Fi, or Zigbee, or whatever.

------
desireco42
Oh look, Krebs rides again ! :)

~~~
desireco42
I wasn't sarcastic

