
Gas Pump Skimmers - whalesalad
https://learn.sparkfun.com/tutorials/gas-pump-skimmers
======
watertom
Chips aren't any more secure, I can read the data off my card with a standard
chip reader, and I have. The same data on the chip is on the mag strip.

Just because you are using the chip doesn't mean you are doing an EMV
transaction. The unique transaction codes only happen with an EMV
transaction, almost every time you dip your card it's a regular old card
transaction, just as if you swiped the card. Why?

Getting EMV certified requires every part of the transaction chain to go
through unified system testing, _for each combination_ of hardware,
software, card type, processor, issuing bank.

I've been eyeballs deep in this nonsense for the last year or so. We just
can't justify the expense of getting EMV certified, so we just accept the chip
and do a regular transaction.

As a consumer you have no way of knowing if your transaction is an EMV
transaction or just a chip enabled regular transaction.

~~~
jjeaff
But also, I don't care as a consumer. Because I don't have any liability. In
fact, I prefer the swipe as it is a few seconds faster.

~~~
jmanderley
Except getting skimmed and disputing charges is annoying, not something I care
to deal with. I'd rather we have more secure infrastructure that doesn't
sustain criminal activity.

~~~
notyourwork
It takes 5 minutes and a few clicks on a web site nowadays. I'm all for more
security too but like OP it isn't really my responsibility nor my liability so
I have little care.

~~~
nmcfarl
My last bank made that easy. But required a new card and a new PIN, and
immediately and automatically cancelled the old one. As I was abroad at the
time, this was not a fun process. Not that it's particularly fast even if you
walk into a branch.

~~~
astura
This is one of the reasons I think it's important to have more than one credit
card when traveling (especially abroad). Redundancy in case one gets shut down
at an inconvenient time in an inconvenient place.

------
kozak
I recently traveled to the US, and stayed in a hotel of a major brand which
had some outdated payment terminal that only used the magnetic strip of the
card (without even a possibility to enter the PIN). The transaction was over a
thousand USD. I had cards from two different banks: one failed because the PIN
wasn't entered, and the second one got through. But after several months the
second bank somehow freaked out and charged back about a third of the amount
(probably flagging the transaction as fishy or something). I tried to contact
the hotel to somehow return them the money that was mistakenly returned to
me, but apparently there is no mechanism to do that.

~~~
dionidium
> _some outdated payment terminal that only used the magnetic strip of the
> card_

Sadly, this isn't all that "outdated" here. There are still lots of places in
the U.S. that don't use the chip and basically none -- does anywhere? -- use a
PIN with it. I don't even _know_ if I have a PIN on any of my credit cards,
much less what it is.

~~~
astura
I think Barclaycard is the only major CC issuer in the US to have actual PINs
on their cards but it defaults to signature. Here's what they say about it:

> Your credit card is a chip and signature card with Personal Identification
> Number (PIN) capability. In most cases when you travel abroad, you'll be asked
> to sign for your transaction. However, at some unattended terminals, such as
> train ticket kiosks, you may be asked to enter your PIN instead of signing.

------
kbart
I still don't get why _all_ credit cards have magstripe when we've had chip&pin
for decades. Yes, I know it's required by a standard, but I see no
justification for that. I have never used magstripe, but it's right there on
my every card and there's no way to disable it (I've asked my bank for it),
unless you deliberately destroy it (scratching or similar manner).

~~~
nikcub
It's a backup. I've heard from retailers that the failure rate on the chips is
much higher than it is for swiping.

In Australia you pay for fuel after filling up, and one fuel station owner is
dealing with an average of a driver or two a day who is unable to pay for
fuel.

They don't carry cash, the chip/EMV is failing and they don't have the mag
stripe linked to a facility since they're often debit cards.

Apparently the failure rate on phone based payments is also high(er).

It's one of those issues I wouldn't have considered before speaking to
retailers.

~~~
jordanthoms
Yeah, the chips are nowhere near as reliable as the magstripe. It seems like a
transitional technology only - NFC is fast and reliable.

~~~
reaperducer
> NFC is fast and reliable

I know you're speaking of NFC chips in cards, but you might know — Does the
phone version (Apple Pay/Android Pay/Samsung Pay) still work when my phone's
battery is dead?

~~~
jordanthoms
It won't - one reason why I think NFC-enabled cards will be around for a long
time even if people only carry one as a backup for their phone.

Though theoretically your phone could have a RF-powered NFC chip in it that
took over when the phone is off...

------
zodPod
This is an awesome article breaking this down really well. So why are you all
talking about Chip and PIN? Talk about the article and about the technology;
stop arguing the politics of chip and pin.

------
anemic
Most interesting part is that they managed to get the hex dump of the
software. Quick glance shows there are no copyright texts in it, bummer!

I'm not an expert in PIC assembly but it seems there is very little code and
there are no obvious code paths, like a switch..case like construct for
processing the serial commands. Lots of I/O and not much more. Most likely
they are not decoding the magstripe data in PIC but just get the decoded data
and store it.

~~~
jerryr
I just tried disassembling the hex file. Unfortunately, the code protect bits
are set (location 0x300008 is 0x00). This means that the ROM from 0x000800 to
0x007FFF will read as zero. And indeed, that entire space is filled with zero.
So, I think we're missing much of the actual firmware.

Edit: And the reset vector begins with a branch to location 0x001ACA, which is
all zeroes, so I'm pretty sure most of the firmware was not read out due to
the code protection.
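The checks this comment walks through (read the configuration byte, see whether the protected range is all zeros, decode where the reset vector jumps) can be scripted against any Intel HEX dump. The script below is an added example written for this thread, not code from the SparkFun article or from any commenter. It assumes a PIC18-family layout (CONFIG5L at 0x300008 with active-low CP bits in the low nibble, GOTO encoded as EF kk / F0 kk in little-endian words) and uses a constructed sample dump that mirrors the situation described: reset vector GOTO 0x001ACA, zeros from 0x000800 on, and 0x00 at 0x300008.

```python
"""Sanity-check a PIC18 Intel HEX dump for code protection (added example)."""

# Assumed PIC18-family layout: CONFIG5L at 0x300008, bits 3:0 are CP3..CP0,
# active-low, so a cleared bit means that block of program memory is protected.
CONFIG5L_ADDR = 0x300008
CP_MASK = 0x0F
# Range the comment above reports as reading back all zeros.
PROTECTED_START, PROTECTED_END = 0x000800, 0x007FFF


def _record(rtype, addr, data):
    """Build one Intel HEX line (':' + hex bytes) with a correct checksum."""
    body = bytes([len(data), addr >> 8, addr & 0xFF, rtype]) + bytes(data)
    chk = (-sum(body)) & 0xFF
    return ":" + (body + bytes([chk])).hex().upper()


# Constructed sample dump (not a real skimmer image): GOTO 0x001ACA at the reset
# vector, a few non-zero bytes below 0x800, zeros inside the protected range,
# and CONFIG5L == 0x00 in the configuration space.
SAMPLE_HEX = "\n".join([
    _record(0x00, 0x0000, [0x65, 0xEF, 0x0D, 0xF0]),   # GOTO word 0x0D65 -> byte 0x1ACA
    _record(0x00, 0x0008, [0x12, 0x6E, 0x00, 0x0E, 0x13, 0x6E, 0x12, 0x00]),
    _record(0x00, 0x0800, [0x00] * 16),
    _record(0x00, 0x1AC0, [0x00] * 16),
    _record(0x04, 0x0000, [0x00, 0x30]),                # upper address bits: 0x0030xxxx
    _record(0x00, 0x0008, [0x00]),                      # 0x300008 reads as 0x00
    _record(0x01, 0x0000, []),                          # end of file
])


def parse_ihex(text):
    """Return {byte_address: value} for an Intel HEX image; raise on a bad checksum."""
    mem, upper = {}, 0
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith(":"):
            continue
        raw = bytes.fromhex(line[1:])
        if sum(raw) & 0xFF != 0:          # all bytes plus checksum must sum to 0 mod 256
            raise ValueError("checksum mismatch: " + line)
        count, addr, rtype = raw[0], (raw[1] << 8) | raw[2], raw[3]
        data = raw[4:4 + count]
        if rtype == 0x00:                 # data record
            for i, b in enumerate(data):
                mem[upper + addr + i] = b
        elif rtype == 0x04:               # extended linear address: upper 16 bits
            upper = ((data[0] << 8) | data[1]) << 16
        elif rtype == 0x01:               # end of file
            break
    return mem


def decode_goto(mem, addr=0x0000):
    """Decode a PIC18 GOTO at addr; return the byte-address target, or None."""
    lo, hi = mem.get(addr, 0), mem.get(addr + 1, 0)
    lo2, hi2 = mem.get(addr + 2, 0), mem.get(addr + 3, 0)
    if hi != 0xEF or (hi2 & 0xF0) != 0xF0:
        return None
    k = ((hi2 & 0x0F) << 16) | (lo2 << 8) | lo   # 20-bit word address
    return k << 1                                # PIC18 program counter is in bytes


def zero_fraction(mem, start, end):
    """Share of bytes present in [start, end] that are 0x00 (None if none present)."""
    present = [v for a, v in mem.items() if start <= a <= end]
    if not present:
        return None
    return sum(1 for v in present if v == 0) / len(present)


def analyze(text):
    """Summarise the indicators the comment above looks at."""
    mem = parse_ihex(text)
    cfg = mem.get(CONFIG5L_ADDR)
    target = decode_goto(mem)
    return {
        "config5l": cfg,
        "code_protected": cfg is not None and (cfg & CP_MASK) != CP_MASK,
        "zero_fraction": zero_fraction(mem, PROTECTED_START, PROTECTED_END),
        "reset_target": target,
        "target_in_zeroed": target is not None
        and PROTECTED_START <= target <= PROTECTED_END,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_HEX).items():
        print(f"{key}: {value:#x}" if isinstance(value, int) and not isinstance(value, bool) else f"{key}: {value}")
```

Run against a real dump by passing the file contents to `analyze`; a reset target that lands inside an all-zero range is the quickest sign that the interesting part of the firmware never left the chip.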

~~~
Aissen
From a quick Google Search, a Russian company is offering microcontroller
code-dumping services:
[https://russiansemiresearch.com/en/faq/](https://russiansemiresearch.com/en/faq/)

I have no idea if this is legit or not. I doubt your law enforcement would let
you access their services anyway.

Edit: My guess would be they work with industrialized de-capping + software to
dump the memory, like this:
[https://www.bunniestudios.com/blog/?page_id=40](https://www.bunniestudios.com/blog/?page_id=40)

There are other "chip intelligence" companies in the US, some of which
probably have such services. At a different cost.

~~~
captaindiego
On some of these embedded chips there are methods to glitch the fuses for read
protection by messing with the power (a form of fault injection attacks).
These used to work a few years back but I haven't heard if they still do.

------
maherbeg
The first gas station chain that offers Apple Pay/Android Pay as a payment
instrument gets 100% of my business. I'm really hoping Costco will enable the
contactless payments on their pumps sooner rather than later.

~~~
nhf
A lot of Exxon/Mobil stations do now.

~~~
reaperducer
IIRC, when I lived on the East Coast in the 90's, Exxon was a pioneer with
contactless payments. They had a little round thing that looked like a quarter
of a pencil that you could put on your keychain to make payments at the pump.

~~~
dhritzkiv
I also remember this in Canada in the late 90s. ESSO had such a device. I
think other stations (Shell, Petro Canada) also did.

------
anonymousjunior
In the second image here [1] there's a security seal on the payment closure as
a whole; I'd imagine a simple security seal along the side of the card scanner
intake would thwart most would-be card skimmers, no?

At that point the employees could just make it part of the standard inspection
and it'd be more obvious to customers if they were missing.

[1]: https://cdn.sparkfun.com/assets/learn_tutorials/6/9/4/Gas_Pump_External.jpg

~~~
forgueam
It seems to me that you could just put some kind of sensor on the inside of
the gas pump access door that notifies someone as soon as the door is opened.
If you know there is a maintenance guy scheduled for that day/time, then you
just ignore the notification. If not, then you know that there has been
unauthorized access to the pump.

~~~
reaperducer
Lots of people have access to gas pumps and their keys. Not just the station
owners, but the managers. Also city/county/state weights and measures
regulators, the guy who maintains the attached screen that shows the local
news and weather loop, and probably more that I don't even know about.

From what I've seen about gas pump locks, they look about as "secure" as those
round keys that came with every IBM AT-clone in the early 90's. They kept the
weak and the ignorant out, but you could unlock your buddy's rig at will.

~~~
netsharc
So... is the trick to have your own key so you can open these things and have
a look inside before you swipe your card? If the store is not going to offer
me security, I'm going to take care of it myself.

------
new299
Nice writeup. But in the article they write:

> Are you angry that your card has been stolen, again? Contact your local
> congress person or senator and ask them to pass legislation that fines gas
> stations $100 for every card that is discovered on a skimmer in one of their
> pumps. It’s ultimately up to the gas stations and pump manufacturers to
> secure their pumps.

Suggesting a solution like it's an easy fix always bugs me a bit. Would a
100USD fine actually work here? The issue seems more with the fact that the US
hasn't upgraded to a chip&pin style system. You might end up just costing the
gas stations more money, when they don't actually have the power to do much
about the problem.

It feels a bit like victim blaming, when in this case the victim has little
choice but to work with the system as they find it.

~~~
Gaelan
Pretty much all US cardholders have chip+pin now. I’d say about 75% of
retailers support it.

(Not sure if this is how it works outside of the US, but we currently have
cards with both magstripes and chips. You use the chip where it’s supported,
the stripe where it isn’t.)

~~~
cstrat
Here in Australia it's pretty much 100% chip and PIN or contactless payments
(paypass). Has been for a number of years now.

I don't think anyone swipes cards unless there is something wrong with the
payment terminal. Even vending machines are tap and go.

~~~
Jaruzel
Same here in the UK - it's ALL Chip & PIN, I can't even recall the last time I
had to swipe my card[1], and I use it a LOT (yay, Airmiles!).

If the payment is <= 30 GBP, it's an offline transaction as well. Anything
over that amount triggers a round trip to the backend servers.

As an aside, it's now perfectly possible to live a cashless life in the UK if
you wanted to.

--

[1] That said, I think ATMs read the mag-stripe... but I don't really use
those either these days.

~~~
reaperducer
> it's now perfectly possible to live a cashless life in the UK if you wanted
> to

Perhaps in London. Try spending a long weekend in Torquay.

~~~
Jaruzel
I'm sure the Tesco, Sainsbury, Co-Op, and Waitrose in Torquay can handle card
payments if you were really stuck.

------
jamez1
_If your credit card number is stolen you simply contact the provider and they
will (usually) refund any fraudulent charges and send you a new card. In turn,
the credit card companies simply do a charge back to the gas station (taking
the money from the station and refunding it to the customer whose card has
been stolen)._

There is no charge back to the gas station, the cards are used to steal other
things. They were just skimmed at the station.

------
aidenn0
It seems like one could make a bluetooth snooper that looks for people who
connect to the skimmer? Then you could catch skimmer users when they download
the data.

~~~
new299
I'd guess the police don't have the resources/are not interested in this kind
of crime. I also doubt it's much of an issue for the gas station itself. The
card is skimmed at the gas station, but does that mean the cloned card will be
used there?

I mean, sparkfun are great, but they're not pentesters. The fact that the
police went to them probably means they didn't have the resources to hire a
pentesting firm (or do it internally). I'd also guess they don't have the
resources to police these crimes either (which would mean a lot of hanging
around at gas stations).

~~~
yorwba
It might be possible to make a small device (maybe using the same Bluetooth
module as the skimmer) that listens for someone issuing the command to
download the card numbers and then automatically calls the police, no need to
have someone monitor it in person. I don't own a car, so I'm not that familiar
with gas stations, but I assume most will have security cameras that can get
you the perpetrators license plate. That ups the bar for successful skimming
to also include fake car papers and will probably deter small-scale criminals.

~~~
new299
If they already have security cameras, then they already have everything they
need to catch someone installing the device.

This being the case, the criminals have likely either already figured out how
to avoid the cameras (or park out of sight). Or the police are not acting on
this information because it's not seen as a priority.

~~~
sjwright
> they already have everything they need to catch someone installing the
> device

...except for the timestamp of the installation event. Or the resources
required to brute-force through mountains of footage to find the event.

~~~
throwanem
Or the ability to see through the hoodie the guy's wearing.

------
Brushfire
I'm curious if they are also logging the zip code entered via keypad. I can't
remember the last time I used a pump without zip code validation.

~~~
terryf
As a foreigner who travels to the US on occasion - and therefore doesn't
actually have an US zip code - what's up with that? If you have a keypad
installed anyway, then why the hell not accept the chip reader with pin code?
Not complaining or anything, but it's quite baffling. Nowhere else in the
world that I've seen do they restrict payments to locals....

~~~
js2
Try using a pump in Israel. I had to ask for help every time. Not only is
Israel still using mag stripe, there's also some sort of national ID # you
have to enter into the pump. And the license plate # too I think. I think
tourists are supposed to be able to use all 0, but I couldn't navigate it.

This is from 2012 but seems pretty close to what I dealt with there last year:
[https://www.tripadvisor.com/ShowTopic-g293977-i1733-k5730382...](https://www.tripadvisor.com/ShowTopic-g293977-i1733-k5730382-Buying_fuel_for_the_car_in_Israel-Israel.html)

Which is to say: every country has its weird thing. :-)

~~~
sjwright
In Australia, we have this weird thing where you pump the fuel then walk into
the shop to pay. It's just a ruse to get you to buy energy drinks and two
chocolate bars.

~~~
js2
In New Jersey (and I think Oregon), you can't pump your own gas. Full service
only.

Years ago (this predated energy drinks by a couple decades) I filled up at a
rural station in GA that had old mechanical pumps. I went inside to pay,
having not taken note of the cost. When the cashier asked me how much I'd
purchased and I told him I'd have to go check, he waved me off and pulled out
a pair of binoculars to read the charge off the pump.

I like to think now he foresaw the coming age of skimmers and wanted his pumps
to remain immune.

------
userbinator
The overwhelming "defaultness" of the whole thing makes me think these were
actually intended as conversion adapters or something else that wasn't
purpose-built for pump skimming. The complete lack of code protection (setting
it is literally a single checkbox in the programming utility --- and almost
all commercial products with an MCU will have this protection enabled),
leaving the markings on the chips (I've seen more legal devices with them
scrubbed off), and default password unchanged are the most noticeable.

Googling "bluetooth magnetic card reader" also yields quite a few results like
this one:

[https://www.amazon.com/Deftun-MiniDX4B-Wireless-Bluetooth-Co...](https://www.amazon.com/Deftun-MiniDX4B-Wireless-Bluetooth-Collector/dp/B01F4X9GNY)

~~~
sounds
The code on the PIC is protected. The hex dump that is presented has sections
filled with zeros, as that is how PIC code protection works.

------
stevenh
I was skimmed at a gas station last winter. I pay with cash now.

~~~
Justin_K
Why? You're not responsible for fraudulent charges and now you're out on
points / cash back.

~~~
fancy_pantser
It's still a hassle.

I had my card skimmed while on vacation earlier this year. The next week I was
eating at a restaurant and got a call from an unknown 800 number that I didn't
answer. My card was declined at the end of the meal. I called the number back
and it was the issuing bank's fraud department saying my card was used
suspiciously and they've cancelled it. Because I was still on vacation it was
a big hassle involving finding a place to fax a typed, signed letter to get my
new card sent to an address I'd actually be at.

~~~
cesarb
> I was eating at a restaurant and got a call from an unknown 800 number that
> I didn't answer. [...] I called the number back and it was the issuing
> bank's fraud department saying my card was used suspiciously and they've
> cancelled it.

Once, I was also eating at a restaurant when I got a call from an unknown
number. I answered, and they said it was the issuing bank's fraud department,
saying my card had a couple of suspicious transactions...

But the call itself was the fraud. Luckily, I knew from the beginning that it
was a fraud (the value of one of the "transactions" was high enough that I
would have received a notification SMS), so I strung them along to waste their
time, and stonewalled the moment they asked for personal information. And just
to be sure, I went to a bank branch nearby (it was lunch time, and there are
several bank branches within a few hundred meters) and they confirmed the
"suspicious transactions" didn't exist at all.

------
exabrial
_Why are we still using magstripes?_ It's 2017! There's all this cool stuff
happening! I have a laser-guided robotic vacuum cleaner. SpaceX is landing
rockets on boats. The Navy has a real life railgun. We have self driving cars,
which means it's only a matter of time before there's a country song about a
guy whose truck leaves him. Yet... I can't pay for something securely.

Please, no more signatures. NFC or Chip/Pin please!

------
jimjimjim
in more civilized parts of the world:

cc companies (and country acquirers) have a thick book of rules and
complex/expensive certifications.

if you don't follow the rules either the device doesn't get to connect or any
loss due to fraud is applied on the site owner.

also: emv + single unit sealed/tamper resistant payment component (the reader,
screen and pinpad are one)

also: pumps are remotely monitored for case opening and video surveillance (at
the very least to counter staff theft).

this isn't a problem in some countries.

------
patrickfl
very thorough article - I've always wanted to know how these worked. I had no
idea that many of them used Bluetooth / serial etc.

One revision to the post I'd like to see - I'd love to see a section on _how_
they attach to the actual reader. I know they mentioned MitM attacks, but do
these readers fit over the top of the skimmer? underneath? behind the entire
skimmer? are they visible from the pump itself?

~~~
m1n1
They open the pump face, unplug the back of the existing reader, plug the
front of their skimmer into the back of the existing reader, and connect the
first plug into the back of their skimmer.

It goes from ? --> reader

to

? --> skimmer --> reader

The face of the pump appears unchanged (unless they broke a security sticker
and were unable to replace it)

------
jaredandrews
Very interesting, just installed the app they created. Going to be driving all
over the northeast for the next few months. I wonder if I will find any
skimmers...

~~~
excalibur
This should be fun for a while, but don't expect it to last. If the persons
producing these haven't seen this article yet, they will soon. Surely the next
batch will use a different ID and password, but additionally they could set
the HC-05/1234 combo to do something nefarious when attempted. (Probably just
put the skimmer to sleep for a while, so it won't be detected. The things they
could potentially program it to do will be somewhat limited by the cost of
additional components.)

~~~
moftz
The people installing these skimmers aren't the ones writing firmware for
them. They have been mass produced in China and sold around the world. There
might be a v2 in the works that works better or is more difficult to detect
but people will still be buying the original version because it does the job
and works well enough to get at least some cards before being found. It is
similar to the OBDII reader chip, ELM327. Elm made a decent v1.0 release for
their PIC-based ELM327 and forgot to lock down the firmware. Everyone then
proceeded to make pirate clones of the reader. It is much easier to just keep
producing the exact same chip/firmware combo than it would be to actually go
back and decompile/write new code to add some stealth features that aren't
going to make your new v2.0 sell any better over the cheaper than dirt v1.0.

------
tmaly
I would be really happy to have a solution to detect these skimmers. Either an
app or device that can just pickup any of these default ids etc.

~~~
doubles
The article mentions this app:
[https://play.google.com/store/apps/details?id=skimmerscammer...](https://play.google.com/store/apps/details?id=skimmerscammer.skimmerscammer)

Essentially though it's just looking for a bluetooth device called HC-05, so
that is also an option.

~~~
tmaly
Hmm, I need an iPhone solution.

------
alkonaut
So if the attacker has to have a key to break into the machine and install the
skimmer, isn't that the problem then?

And if the attacker opened the pump to install the skimmer, why would he need
to use radios at all? Why not just log it to flash for a week, then go to the
pump and fetch the skimmer again? Presumably you'd _want_ to remove the
skimmer from the machine to avoid detection anyway?

~~~
koolba
Not quite. Most skimmers are affixed atop the actual card reader. From the
outside it's just a bit thicker. You don't have to open the machine at all to
attach them.

~~~
alkonaut
Yes, that kind of skimmer I'm familiar with. The reason those skimmers are so
easy to detect is because they need to mount on the outside which makes it
unnaturally bulky, and sometimes also contain a camera to monitor the keypad.

I'm not too worried about those because those are pretty easy to spot,
especially those with cameras. But this internal skimmer is more like a pump
"root kit" you can't see...

------
Shivetya
So can I just pull out my phone and look and assume any nearby BT device is a
possible suspect for a skimmer?

~~~
kumarvvr
HC-05 is the module code and default name for the BT connection. Seems very
lazy. If I were to do it, I would at least generate a random name and maintain
a list of such names, with a hash function forming the password derived from
the name itself.

------
paul7986
Makes me want to, and just may force me to, use my phone to pay for gas!!!

------
jlebrech
so you could download the data without needing to install a skimmer yourself,
what if someone whitehatted it by downloading the data and contacting each
bank.

~~~
S_A_P
Something tells me that doing so would raise eyebrows and require you to
explain yourself. While it would be easy to say, hey I read this article and I
figured I would help out, I can't help but think the bank would still press
charges because you are in possession of stolen credit card information.

Additionally, while you can tell what kind of card it is from the
CC# (3-AMEX/Diners Club, 4-Visa, 5-Mastercard, 6-Discover, etc.) you can't always
tell what the issuing bank is. Is it a Capital One Visa? Is it a Chase Visa?
Do you want to do all that legwork, white hat or not?

------
asow92
I feel like I was just put on some watch list for viewing that.

~~~
MrZongle2
If it makes you feel any better, you're probably already on a watch list for
just _knowing_ what a watch list is.

------
electriclove
Top area mentions HC-05, later in the article it says HC-06. Which is it? Or
am I missing something - granted, I did skim the article.

~~~
tntniceman
From what I understand, both modules could potentially be used. HC-06 & HC-05
contain the same physical internals, but host different firmware.

------
sitkack
This sucks, I have been war-driving these skimmers for months. Thanks
spark-no-fun.

------
Pfhreak
> The Skimmer Scanner is a free, open source app that detects common bluetooth
> based credit card skimmers predominantly found in gas pumps. The app scans
> for available bluetooth connections looking for a device with title HC-05.
> If found, the app will attempt to connect using the default password of
> 1234. Once connected, the letter 'P' will be sent. If a response of 'M' then
> there is a very high likelihood there is a skimmer in the bluetooth range of
> your phone (5 to 15 feet).

Why isn't this just a part of the gas pump itself? (Or the payment station or
whatever.) Is there a market for someone to make skimmer detector addons for
gas stations? (If not, why not?)

~~~
gh02t
If you read it, the scanner software they wrote is pretty specific to this
exact skimmer. It looks for the default id of those Bluetooth modules and then
sends a couple commands to see if it gets a particular response.

In other words, the scanner isn't really general purpose enough to have in
every pump and it's easily defeated by very minor firmware tweaks or even just
changing the Bluetooth id of the device. You'd have to have something much
more complex to be reliable, and it'd have to have some sort of facility for
updating its signature database akin to a virus scanner. Gas station owners
don't have much incentive to give a damn currently, especially not if it
involves retrofitting a fairly complex device onto all of their pumps that
they also have to pay for a service that provides updated device signatures.
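The quoted app description (name HC-05, PIN 1234, send 'P', expect 'M') and this reply's point that such a rule is tied to one device and evades by renaming can both be shown in a few lines of detection logic. The script below is an added example for this thread, not the Skimmer Scanner app's code or anything from SparkFun. It models the rule as a signature record, runs it over a constructed set of devices through a fake radio (a stand-in for a real Bluetooth stack, which is the only assumption), and reports separately which devices never get probed because no rule names them.

```python
"""Signature-style skimmer scanner over a fake radio (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str         # advertised Bluetooth name that must match before probing
    pin: str          # pairing PIN to try (the module's factory default)
    challenge: bytes  # bytes sent once paired
    expected: bytes   # reply that marks the known skimmer firmware


# The one rule the quoted description gives; a deployable product would carry
# many such rules and update them, as the reply above argues.
SIGNATURES = [Signature("HC-05", "1234", b"P", b"M")]


@dataclass
class FakeDevice:
    """Constructed stand-in for a radio peer; `replies` maps challenge -> reply."""
    name: str
    address: str
    pin: str
    replies: dict


class FakeRadio:
    """Offline stand-in for a Bluetooth stack (assumption: a real scanner wraps
    the platform's Bluetooth API behind the same scan/probe calls)."""

    def __init__(self, devices):
        self._by_addr = {d.address: d for d in devices}

    def scan(self):
        """Discovered (name, address) pairs, in discovery order."""
        return [(d.name, d.address) for d in self._by_addr.values()]

    def probe(self, address, pin, challenge):
        """Pair with `pin` and send `challenge`; None means pairing was refused."""
        dev = self._by_addr[address]
        if dev.pin != pin:
            return None
        return dev.replies.get(challenge, b"")


def scan_for_skimmers(radio, signatures=SIGNATURES):
    """Return (address, name, verdict) for each device whose name matched a rule.
    Devices matching no rule are never probed and never appear in the result."""
    findings = []
    for name, address in radio.scan():
        for sig in signatures:
            if name != sig.name:
                continue
            reply = radio.probe(address, sig.pin, sig.challenge)
            if reply is None:
                verdict = "pairing failed"
            elif reply == sig.expected:
                verdict = "likely skimmer"
            else:
                verdict = "name matched, reply differs"
            findings.append((address, name, verdict))
    return findings


def unseen_by_name_filter(radio, signatures=SIGNATURES):
    """Addresses the scanner never probes because no rule names them: the blind spot."""
    names = {s.name for s in signatures}
    return [addr for name, addr in radio.scan() if name not in names]


# Constructed device set: a module with factory defaults that answers as the
# article describes, a hobby module with the same name that answers differently,
# one with a changed PIN, and one that was simply renamed.
DEVICES = [
    FakeDevice("HC-05", "AA:BB:CC:00:00:01", "1234", {b"P": b"M"}),
    FakeDevice("HC-05", "AA:BB:CC:00:00:02", "1234", {b"P": b"OK"}),
    FakeDevice("HC-05", "AA:BB:CC:00:00:03", "9876", {b"P": b"M"}),
    FakeDevice("PUMP7", "AA:BB:CC:00:00:04", "1234", {b"P": b"M"}),
]

if __name__ == "__main__":
    radio = FakeRadio(DEVICES)
    for row in scan_for_skimmers(radio):
        print(row)
    print("never probed:", unseen_by_name_filter(radio))
```

The name filter is what keeps the scanner from pairing with every device in range, and it is also exactly what a renamed module slips past; anything more general has to probe on other grounds and maintain the rule set, which is the maintenance cost the reply describes.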

