
New Breed of Fuel Pump Skimmer Uses SMS and Bluetooth - Dowwie
https://krebsonsecurity.com/2019/02/new-breed-of-fuel-pump-skimmer-uses-sms-and-bluetooth/
======
morpheuskafka
Putting on my black hat for a minute, it seems that LoRaWAN would be a great
way to further "improve" these little pests. GSM is going to leave records
that are a subpoena away, with LoRa you control the base station, it claims
miles of urban range, and it's spread spectrum so the signal source can't
easily be traced. Uses next to no power when not transmitting.

Also, I wonder if there would be a way to enclose virtually all of the pump in
metal so that the card reader would be RF shielded and removing the shielding
would cause a noticeable change in appearance.

~~~
michaelt
Wouldn't you buy a prepaid SIM for cash in a convenience store, and use its
internet connection to send the data to some server in a jurisdiction that
doesn't respond to such subpoenas?

~~~
morpheuskafka
Could still trace the point/time of sale and pull security footage.
Additionally, the authorities and the telecom could work together with a bank
to generate a honeypot card, send it by SMS, and then track usage to identify
members of the network.

~~~
michaelt
Maybe. IMHO much easier to give a homeless guy $20 to buy a SIM card for you
than to get a homeless guy to mail order an obscure radio module on Digi-Key
for you :)

~~~
dasv
How traceable is buying through Aliexpress? I bought a couple of LoRa modules
there last year.

~~~
arthurcolle
Probably depends on what bank you used. Western banks are generally very
cooperative with LE. Offshore, much less so.

~~~
londons_explore
The financial side isn't hard to hide - buy a prepaid card online with
cryptocurrency.

The delivery address gives you away though. Either you or one of your
associates is going to have to be in a specific place at a specific time to
sign for the package.

------
harrisonjackson
The article has been updated - turns out it was a GPS tracker that someone
dumped at the gas station and not a skimmer.

~~~
UncleEntity
With a little firmware hacking this thing could indeed be a remote
bluetooth->SMS relay. Why build a custom solution when you can just repurpose
one already produced?

Seems more likely than someone discovering a GPS tracker on their car and
sticking it to a gas pump that just happened to also contain a skimmer device.
I'd more likely attach the thing to a random landscaping vehicle so the
"stalker" could see it going to all sorts of upscale houses.

--edit--

Or, after a bit of googling and not being able to find the specs on that
thing, it could be a canary device to tell the skimmers "the jig is up" as it
has motion tracking.

------
Nextgrid
The article has been updated (turns out it’s a totally unrelated piece of tech
someone left behind) but even if it was true, what’s the big deal?

What’s so groundbreaking about Bluetooth skimmers and a central hub with
long-range comms (GSM, etc)?

This seems like a logical evolution, and frankly I’m surprised it hasn’t been
done already (or maybe it has, but those guys were good enough to not get
caught yet).

In any case I was pretty disappointed by the alarmist tone of the article. Are
the people who investigate these things that far out of touch with the state
of technology nowadays?

Anyone can buy a Raspberry Pi and a GSM module and get up and running with a
bunch of tutorials from Google. It’s not rocket science.

------
theandrewbailey
Is there anyone else that always uses cash to pay for gas?

~~~
dontbenebby
IIRC you can also pay with a CC inside (less likely to have a skimmer at
register).

I had to a couple times when driving to California for an internship, because
despite telling my CC company this I didn't specify exactly what days I would
pass through which states, so even after entering my billing ZIP (and calling
to confirm, yes, I assure you I'm traveling) I'd be forced to pay inside.

You had to specify a specific amount though and most interestingly, if you
overshot (asked for 50, used 46) they refunded the difference in cash.

Personally, since I am not responsible for credit card fraud, I simply choose
to have a separate card for re-occurring payments like my phone and internet.
If someone skims my daily spending card, I'll just report it as fraud and not
worry about it.

~~~
gruez
>if you overshot (asked for 50, used 46) they refunded the difference in cash.

I've never seen that. What I always saw was they authorize for $50, then charge
$46. If they're doing how you described it, they're paying interchange on the
extra and not getting anything for it.

~~~
dontbenebby
This was someplace very rural, maybe the cost to upgrade systems was more?
This was also pre chip-and-signature, I haven't had the issue since the switch
as long as I can enter my ZIP code on the pump.

~~~
paranoidrobot
The Authorise / Charge thing has been around for a long time - it's the same
thing that hotels do when you check in. I'm reasonably sure that all terminals
have the feature.

It does, however, require that the machine operator is aware of how to do
those operations - it's probably easier for them to just charge the card for
the set amount, and refund in cash.

Though this slightly increases their risk, as any chargeback means not only
do they lose the product, but the cash too.

------
ajay-d
The actual skimmers are still "traditional" in the sense. This thing just
relays that stolen information.

------
hinkley
I used to keep fish and my brain wanted a fuel pump skimmer to be something
like a protein skimmer in a salt water tank. Like fuel tanks need something to
skim the scum so it doesn't ruin your car.

Why do I care if someone hacks that, can they blow up the gas station?

Ten seconds later: ooooh.

