
Visa warns that hackers are scraping card details from gas pumps - fortran77
https://www.engadget.com/2019/12/16/visa-gas-station-fraud-malware/
======
Animats
Migration to chip cards started in 2012. US retailers other than gas stations
had to convert by 2017. Gas stations got 3 extra years. Now that time is
running out. Many pumps can be upgraded. Here's a migration guide.[1]

This is classic gas station operator whining. Back in 1984, US gas stations
were required by the EPA to install double-walled tanks and leak detection.
One in four of the old tanks was leaking. Gas stations got 15 years to do it.
At the end of 1998, many were hoping for a further extension. They didn't get
it. No more fuel deliveries, and they had to go out of business.[2] That's
also why, for some years, you saw recovery systems at former gas station
sites, trying to suck the gasoline out of the soil.

[1] https://www.gilbarco.com/us/emv-migration-guide

[2] https://www.latimes.com/archives/la-xpm-1998-oct-25-me-35989-story.html

~~~
dogma1138
Chip-based systems don’t prevent card skimming; in fact, you also get the PIN
with those, since you can still read the track 2 data and also get the PIN with
a skimmer that is placed on top of or even inside the chip and PIN reader.

This is essentially the same exploit as ATMs with often lower risk since gas
station pumps aren’t inspected for skimmers.

The only way to prevent track 2 skimming is to remove the magnetic strip.
However, there are also many skimmers today that don’t read the track 2 data
but rather scan both sides of the card, giving you the CC number, exp date,
CVV/CVV2, issuer code (if present) and the card holder details. Then you can
usually perform a card-not-present transaction fairly easily; at best you’ll
only have to match the card holder with a post code or a billing address.
However, most issuers will let you pass security with any address that was tied
to the card for the past 5 years, so your Google search results on the name
don’t even have to be super up to date.

Basically anything but a bulletproof wireless E2EE system will allow skimming.
And I’ve seen PoCs for near IR photographic skimmers that try to photograph
the card from within the wallet or sleeve with moderate success.

~~~
miohtama
I believe the goal of chip based system is to get rid of "your username is
your password" problem of credit cards in the long run.

Is the world ready to remove the magnetic stripe and numbers on the card? Only
expose them through your online bank and keep them separate from the card.
Then only some online payments will be vulnerable - like hotel bookings.

For example Revolut cards still have the stripe, but the card details are hard
to read, almost invisible to the eye unless under proper light.

------
shmoogy
I wish they had NFC so I could use Apple Pay. I hate inserting cards into the
pumps even though I always check for skimmers. I'm pretty sure the past two
(read: only) times my card got stolen it was through gas stations.

~~~
menage
I've encountered a couple of gas stations that supported NFC, in the last
year. The most recent one was at ARCO - although in that case I couldn't
actually use it since they only accept debit and at that point I only had my
credit card in Google Pay.

~~~
ac29
ARCO near me has been accepting credit for about a year and it works fine with
their NFC.

~~~
menage
Where's that? This was in Mountain View. I'll have to try again.

------
stevage
Still shocks me how widespread magnetic stripe credit card use is in the US.
The rest of the world moved on a very long time ago.

~~~
jcranmer
In my recent US experience, gas pumps are the only things still using
magstripe. Everyone with a card reader at their register seems to be using the
chip reader.

~~~
superhuzza
Many places nowadays seem to have card readers that accept swipe, chip or tap.
Yet many of them don't seem to have tap activated, and if someone else handles
your card (very common in bars and restaurants), you can be sure they will
swipe it.

I was in NYC for a week and had to swipe my card at least 6 times during that
period. I imagine the rest of the country isn't leaps and bounds ahead.

~~~
vonmoltke
> I was in NYC for a week and had to swipe my card at least 6 times during
> that period. I imagine the rest of the country isn't leaps and bounds ahead.

Really? I have worked in NYC for over three years, and the only card I have
ever had to swipe in that time is my FSA/transit card that, inexplicably, does
not have a chip yet. There were a few smaller merchants in suburban New Jersey
that lagged behind, but even they were on chip by 2017.

~~~
perl4ever
If the chip interface doesn't work, the backup is swiping. People talk like
everything always works perfectly every time. The shinier a new technology is,
the more unprepared people usually are for it breaking.

“The major difference between a thing that might go wrong and a thing that
cannot possibly go wrong is that when a thing that cannot possibly go wrong
goes wrong it usually turns out to be impossible to get at or repair.”

~~~
vonmoltke
My point is that I have never had to resort to said backup. I have had
problems with my chip from time to time, but even in those cases the chip has
gone through eventually.

~~~
perl4ever
Well, philosophically, you could convince yourself that the chip will always
work if you try it enough times. One can't prove that's false. I have no
interest in arguing angels on the head of a pin; what I know is that after a
few failures, a cashier will tell you to swipe it, and it's obvious it isn't
an unusual experience for them, seeing a ton of transactions per day. So any
argument you may have based on technical, logical, or scientific grounds seems
beside the point. Let alone plain incredulity.

------
crb
I take my UK credit card to the US and can't pay for gas at the pump as I
don't have a valid zip code.

I have to go inside and pre-auth. This process sometimes only requires a
swipe, sometimes chip and pin - but never a zip code.

Could they just fix that?

~~~
nikanj
Canadian postal codes are of the form a4b 5c6. Most US things that ask for a
zip code will accept either 00456 or 45600. Do UK postal codes have numbers in
them? Have you tried left- or right-padding those numbers with zeros?

~~~
scarejunba
They have letters. SE16 4EP is a code from near my home there. It's probably
not worth making it work.

~~~
nikanj
So do the Canadian ones, you just skip the letters and add zeroes. Try 00164
or 16400 for SE16 4EP.

~~~
scarejunba
Oh I misunderstood what you meant! That's a clever thing to have tried.
Fortunately, I have local cards in all of these countries so I haven't tried
anything like that. How interesting that it works!

One of my British cards (Capital One?) has me use all zeroes.

------
zrail
I try my hardest to only go to stations that accept Apple Pay. If they don't I
use a card that I know will overnight me a new card if I get a fraud alert (in
my case, Chase).

------
exabrial
This to me is Visa and Mastercard's problem, not anyone else's. I'd LOVE to be
able to enter a password or pin to authorize and cryptographically sign a
transaction proving I authorized the transaction. Someone can literally take a
picture of your card, or listen with a sensitive radio to "hear" credit card
numbers being swiped. This technology needs to be replaced.

------
larnmar
> The problem is, many such businesses have very old technology and must
> replace the entire pump at an estimated cost of up to $250,000 per station

This feels like a business opportunity. Surely there must be a way to build an
adaptor?

~~~
nilkn
This is a bit of a tangent, but my parents owned a gas station in the late 90s
and early 2000s. When they bought it, pay-at-the-pump was rare. Towards the
end of their ownership, it was becoming common, and they were under a lot of
pressure to install it. The installation was going to cost more than $250k on
top of eating into the profit margin on gas sales (through credit card
transaction fees) _and_ discouraging folks from going into the store -- and
in-store sales were by far the primary profit generator, as gas margins were
low, zero, or negative depending on the constantly changing state of hyper-
local competition and global gas prices. They opted to just sell the entire
business instead and let it be someone else's problem.

------
xboxnolifes
Aren't gas stations supposed to be all on a chip system this time next year
anyway?

~~~
snarf21
They are liable, but why wouldn't they just keep making us type in our zip code?
We are basically doing chip and PIN; how about we do it for real?

~~~
kube-system
IIRC, gas stations are doing it voluntarily to get lower transaction fees. If
we had chip+pin, we'd be entering a pin everywhere, right?

Call me old-fashioned, but I still like being able to open a bar tab.

~~~
miohtama
You can do this with the chip card as well, also you can still tip.

~~~
kube-system
With chip+sig, yes. But I’ve never managed to be able to open a tab in a
chip+pin country.

------
rconti
The chip readers in the US don't do chip and pin. It's just chip or chip and
signature. Wondering if the article just got the details wrong, or if
something is changing.

------
Havoc
Ouch. That seems quite hard to fix.

I've taken to using my revolut card for places that look a little shady. But
ACME petrol station probably wouldn't register as shady for most.

~~~
simcop2387
This is why I've got live messages from my bank for all transactions possible.
Makes for a good deal of noise on my phone but it's caught stolen cards twice
for me so far.

~~~
kingo55
Which banks support that?

~~~
xur17
I have this setup for all of my Chase and American Express cards. The
notifications show up within seconds of me making a purchase, which makes it
very easy to sanity check.

~~~
iamben
My UK debit cards are great for this. AMEX is a bit 'meh' - sometimes I'll
get an instant notification, sometimes it'll happen a bit after, sometimes it
just doesn't seem to happen. Annoying because I use that card the most.

~~~
simcop2387
That's possibly as much a problem with the merchant as it is the bank,
sometimes they don't fully commit the transactions until the end of the day.
Though usually I see a message at first that there was an authorization for
purchase at least in those cases.

------
fonix
whew, this garbage is starting to make that tesla worth it

~~~
tartoran
If only the problem would stop at gas pumps. Many POS devices that have old cc
tech are vulnerable to this type of hack.

~~~
mark-r
That suggests a different acronym for POS than the one you probably meant.

