
Hidden Cam Above Bluetooth Pump Skimmer - fortran77
https://krebsonsecurity.com/2019/11/hidden-cam-above-bluetooth-pump-skimmer/
======
sumoboy
A few weeks ago, filling up at Costco, the attendant was inspecting the pump
from top to bottom. I asked what he was doing and he responded "looking for
skimmers or alterations" to the pump. I asked how often he does that; he
said "every hour". I was impressed.

~~~
Scoundreller
That’s a benefit of not sticking the clerk inside the convenience store all
day like other stations.

------
reaperducer
This was found in Las Vegas. It's worth noting that the head of Las Vegas
Metro (the regional police force) was on TV last year telling people that card
skimming is so rampant in Nevada that nobody should use a card at any gas
station — they should always use cash.

~~~
toomuchtodo
Or prepay inside with a credit card? No skimmer at the counter in the gas
station.

~~~
antiframe
Twelve years ago I had my card number and PIN logged at a point of sale inside
a shop. The authorities caught the ring and determined what happened was the
shop was burgled a week before and a week after. The first time the thieves
took a few items and swapped the card reader out for a compromised one. Then
they burgled it again and swapped it back, now laden with hundreds of card
numbers and pins.

~~~
toomuchtodo
"What's your threat model?" In a perfect world, purchases in person are
contactless, authenticated with a mobile device. Until then, don't sweat the
small stuff: you're not liable for any fraudulent charges on credit cards (US
centric advice), and I don't suggest using debit cards (keep an ATM card just
for cash access at ATMs).

------
fredley
I always cover my hands and make it as hard as possible to detect my PIN even
when there's no one around for this reason. Skimmers are already small enough
that they can be fitted inside the machine, completely invisible from the
outside. Cameras could be concealed in any number of places.

The only rational thing to do is never trust that the machine you're putting
your card into hasn't been tampered with.

------
ceejayoz
Time to start requiring gas stations to permit contactless payments. I'll
specifically drive a bit further to use one I can Apple Pay with.

The US seems to be one of the only nations that permits long outdated
point-of-sale systems to remain in use. In Australia, you lease them, and the
bank will force you to replace them when new tech is out. Pretty much everyone
seems to use contactless payments there as a result.

~~~
notatoad
PCI will require that gas stations accept EMV next year. It was supposed to
happen like four years ago, but the stations protested. Hopefully it actually
goes through this time.

~~~
ceejayoz
That just means they have to use the chip (or accept the liability on their
end). Doesn't protect you from a skimmer or a camera.

~~~
notatoad
You can't skim a chip though.

~~~
ceejayoz
Sure, but when you dip your card, the magstripe _on_ that chip card gets
skimmed and the camera captures your card number and PIN entry.

~~~
Avery3R
If it's implemented properly, the card shouldn't go all the way into the
reader, just the smartcard contact

~~~
ceejayoz
None of which saves you from a camera looking at the numbers on the card while
you insert it.

~~~
notatoad
The camera is to record your PIN, which is only useful in conjunction with the
magstripe data. A camera to record the numbers physically printed on the card
isn't going to be super effective. Yeah, it might get a few, but probably not
enough to be worthwhile.

~~~
ceejayoz
There's no reason a camera couldn't capture card number, expiration and CVV,
especially if paired with a contact switch on a skimmer to trigger the photo.

My iPhone happily lets me add a card by taking a picture of the card and
OCRing it; my Discover card has number, expiration, and CVV all on the same
side even.

------
tasty_freeze
Anecdata:

After 20 years of not having credit card problems, about four years ago my
wife and I had to replace our card about twice a year due to the number
getting stolen. This happened six or seven times. The best is when the credit
card company asked us to confirm we had sent a payment of $200 to a prisoner
in Venezuela.

Since then I have strictly paid with cash at gas stations, but haven't changed
my credit card use anywhere else. We have had to replace the card exactly once
in the past three years.

~~~
sevencolors
Went to LA and Maui over the past two years and within a month after both I
had to close the card.

So I've just been going into the station and paying with ApplePay if the POS
device supports it. Then cash.

------
01100011
I'm surprised there haven't been cases where criminals just mount two cameras
with zoom lenses so that they capture both sides of the card as it enters the
reader. You'd be able to reconstruct the number, the name and the 3 digit
security code. Sure, you're not going to get 100% of the cards due to people
blocking the cameras, but you also don't need to mount anything to the actual
pump and can better avoid getting caught.

~~~
fortran77
For things that are moving, you'll need a camera with a high framerate so you
don't get a blur. We have cameras to do automatic licence plate reading of all
the cars that come on our property and they were expensive (> $1500 + lens)
and large-ish.

~~~
simonlc
High frame rate is good, but to not get blur you just need a high shutter
speed. Most digital cameras can do this easily. But simply having a high
shutter speed isn't enough, as if it's fast enough no light will get in to get
a proper exposure. That's why you'll need a supplemental light source, like
infrared or a flash, a large aperture (aka large lens elements), or a lot of
gain (ISO).

It's really a balancing act between the three. The more zoomed the lens, the
bigger the lens elements need to be to maintain the same aperture ratio.
That's why a 600mm f4 is absolutely massive compared to a 50mm f4 lens.

For something like this application though, the quality of the sensor doesn't
need to be too high, you don't really need that high of a shutter speed, nor
do you need to worry about image noise. There's always light on at the pump,
so you can easily calibrate for night time; if needed just bring a light meter
(or use an app) to the spot at night and check.

------
irjustin
This attack vector should not exist in 2019. i.e. card skimming should not
still be a thing.

Chip/paywave is strong enough w/ online backed by a 2fa (3D secure?). It's
just annoying companies don't want to replace their terminals because they own
them (rented ones get replaced by force) so it costs money to do that. Thusly
we're all stuck with this problem still being very real.

------
pnw_hazor
I have a low limit credit card that is used exclusively for sketchy stuff,
such as gas, restaurants, smaller ecommerce sites, and so on.

It is not attached to my normal bank nor does it have any
subscriptions/autopay so it is no big deal if it gets compromised (has
happened once).

~~~
Aearnus
I know a ton of people who use Cash App's card for that. Seems like it works
well for them. (I don't use it personally)

~~~
matwood
I loved that card for the $1 off at any coffee shop until they changed it.
It's still ok, but now you have to make 5 purchases with the card to get 5x$1
off.

~~~
samschooler
Huh, they might be A/B testing that. I still have the original $1 off any
coffee shop (min. $1.50; every 30 minutes). When did your deal change?

~~~
matwood
A couple of months ago. On podcasts I listen to, I've heard other people talk
about it changing. Basically the deals all get 'locked' until you make a
certain number of purchases to unlock them again.

------
noodlesUK
I’m curious how often this sort of scam exists in places like Oregon where
you’re required to have an attendant at the gas station pump for you, and are
therefore unlikely to get unfettered access to the pumps. Does anyone have any
data for that kind of thing?

As an aside, I’ve always thought that parking meters were the ideal target for
this kind of attack. Nobody that I’ve seen has ever checked for skimmers when
using a parking meter, and they all tend to look different anyway.

~~~
CamperBob2
Heck, for that matter, just put up a bogus parking meter in a space that
didn't have one to begin with. It's hard to believe that no one has ever tried
that.

~~~
tzs
The Simpsons, Season 24 Episode 10, "A Test Before Trying" [1], has Homer try
that.

> Meanwhile, Mr. Burns raises the price of electricity. As a result, Homer
> throws his domestic appliances in the dump, where he finds a parking meter
> that still functions. He decides to set it up at parking spaces around
> Springfield, moving to another as soon as someone pays.

[https://en.wikipedia.org/wiki/A_Test_Before_Trying](https://en.wikipedia.org/wiki/A_Test_Before_Trying)

------
ssully
I was pretty excited when I found a gas station near my house that accepted
Apple Pay at the pump. More often than not I will go there strictly for that
reason.

------
linuxftw
Step 1: Never use a debit card for anything ever. Step 2: Fraud is no longer
your problem as long as you review your statements in a timely manner.

~~~
ceejayoz
Fraud absolutely remains a problem. Not on a raw financial level, but there's
still the time involved (disputing, providing evidence, follow-ups, switching
the card number on 800 different services and hoping you didn't miss an
important one), and the risk of losing your banking if you're regularly being
compromised.

There's also a systemic cost to it, at the merchant and banking level. That's
money being siphoned from all of us into the hands of criminals.

~~~
linuxftw
> risk of losing your banking if you're regularly being compromised

Hmm, I hadn't considered this, and it might very well be valid if it happens
really outside the norm.

> but there's still the time involved

I've only ever had to call about fraudulent charges once, and that was because
a restaurant double-billed me (once with tip, once without), so it wasn't
outright fraud as much as it was a mistake/computer glitch. Every other time
the credit card company has called me.

> There's also a systemic cost to it, at the merchant and banking level.

Not really an individual problem, just like shoplifting raises prices for us,
and taxes, and regulations, etc.

------
staktrace
Another good reason to get an EV, don't have to visit gas pumps again! :)

~~~
mprev
In the UK we have more and more roadside chargers that take a card just like a
self service fuel pump.

------
MS90
Whenever I see reports about these skimmers, I always wonder how in the hell
someone managed to install that thing into the pump without anyone seeing them
do it. Every gas station that I've ever been to has had a direct line of sight
from the cashier to the pumps, presumably in case of fire so they can hit the
shutoff as quickly as possible.

Maybe a non-24 hour station and passersby just assumed it was maintenance? But
do they not have security cameras?

~~~
flapadar
Wear a high vis jacket and carry a toolbox and most people in most places
won't give you a second glance.

~~~
MS90
Hell, get a clipboard and a vest that says INSPECTOR on the back of it and go
to a construction site and people will actively avoid you.

------
sdiq
It is hard for me to follow Krebs from a mobile phone - an unresponsive site.

------
lr
I know not everyone has a credit card, but as someone once said to me, never
enter your PIN into anything other than a bank ATM, i.e., an ATM physically
attached to a bank lobby.

I was at a gas pump the other day with a never-before-seen-by-me card reader
that I tried to physically remove (as I always tug on them to make sure they
are not fake). After that I noticed, "Apple Pay Coming Soon". That is the
first pump I have seen with such a notice, and I am very much encouraged to
see that, hopefully someday soon, I won't even have to insert my card into one
of these machines!

~~~
exhilaration
_... as someone once said to me, never enter your PIN into anything other than
a bank ATM, i.e., an ATM physically attached to a bank lobby._

While I agree with you, Krebs has documented several ways your ATM card can be
skimmed even if you follow that advice:

Almost perfectly disguised skimmer on a Chase bank ATM:
[https://krebsonsecurity.com/2011/12/pro-grade-3d-printer-made-atm-skimmer/](https://krebsonsecurity.com/2011/12/pro-grade-3d-printer-made-atm-skimmer/)

Skimmer on the vestibule door card reader:
[https://krebsonsecurity.com/2015/03/door-skimmer-hidden-camera-profit/](https://krebsonsecurity.com/2015/03/door-skimmer-hidden-camera-profit/)

~~~
lr
The card reader on the ATM is frightening (I always hide my PIN with my hand,
but even then, it can be guessed by muscle movements). But Apple Pay is
another positive: not having to put your card in the door. If the door
doesn't support Apple Pay, then I try my AAA card, which works a lot of the
time. If I have to use my bank card, I really try to hide my PIN when I
eventually get to the ATM.

------
quartz
I’ve started using the BPme app which, while clunky, avoids having my physical
card interact with the pump.

Contactless can’t come soon enough!

~~~
ceejayoz
Shell has a similar tool that works pretty well.

------
afinlayson
Yet another reason to get an electric car.

~~~
afinlayson
Joking aside, I don't know why we are still using such simple tech to secure
transactions. Large numbers aren't a good security measure.

