
Gas Theft Gangs Fuel Pump Skimming Scams - bronz
http://krebsonsecurity.com/2015/11/gas-theft-gangs-fuel-pump-skimming-scams/
======
skeuo
The real solution here is to have contactless chip & pin systems at the pump,
but apparently that is years away because of cost. In the meantime I find the
best way to monitor my CC expenses is to enable SMS/Push alerts for any
transaction above $0. This way I always expect to get an alert at the point of
sale for any transaction. Anything unknown is a red flag and it also works
well for subscriptions that I may forget about and want to cancel.

~~~
superdude
What service or cards offer SMS alerts for any transaction? The best I have it
American Express which will alert me only when I have a transaction over $10.
V.me by Visa used to offer an alert service for any amount and it was great,
but unfortunately that service got shut down.

~~~
bonestamp2
When I added my American Express card to Apple Pay, it started sending me push
notifications for every transaction. It's crazy how fast it is, before I can
even put my card back in my pocket my phone buzzes. You see pre-authorizations
too, so when you swipe at a gas pump it usually shows a $100 authorization
check.

~~~
Mandatum
Is that not only for Apple Pay transactions? I'd expect payments made directly
w/ Amex wouldn't buzz you.

~~~
kevinchen
For Amex, adding the card to Apple Pay will notify you of all transactions.

------
scurvy
Playing devil's advocate here, why do I care (as a consumer) if my credit card
number is stolen? I'm not responsible for illegitimate charges as long as I
report them within a reasonable time. That's generally accepted to be up to 40
days considering paper billing cycles.

Why do people sign up for text alerts and notifications on smartphone apps for
certain purchase amounts? You're just doing the credit card company's job for
them. At that point, what's the point? You're probably getting a new card
number in a few days anyway.

Not trying to be flippant, I'm genuinely curious why people obsess over some
of this as a consequence-free user.

~~~
pm24601
Or just do what I have started doing: use cash a lot more.

This way I have to only worry about the ATM having a skimmer attached to it.
Not every random semi-seedy place that I buy food or gas from.

Sure I know cash can be a pain. But CC fraud and skimmers are making using a
CC a pain as well.

~~~
scurvy
But what about the fraud makes using credit cards a 'pain?' It's a pain free
system for consumers.

~~~
pm24601
Not true. The rules aren't as generous as you think. Banks in the US have been
covering more than they are legally required.

But what about outside the US?

Also this requires someone to religiously check the credit card statements,
there is a time limit in which to report fraudulent transactions. (FYI: this
is why I still get paper statements -- to remind myself to check)

------
dsharlet
> “The stations know they’re buying stolen gas,” Scarince said. “They’re fully
> aware the fuel is not coming from a legitimate source. There’s never any
> paperwork with the fuel driver, and these transactions are missing all the
> elements of a normal, legitimate transaction between what would be a
> refinery and a gas station.”

This seems like the easiest way to tackle this problem (aside from chip
cards). I doubt it would take much pressure on these guys to get the market
for this to dry up, or at least considerably reduce the profitability. I'd
guess the gas station owners have a lot more to lose than the thieves actually
stealing gas.

~~~
TwoBit
If that were the case then the same approach might stop cooper theftvas well.

~~~
FireBeyond
As a firefighter, this is an issue around here (Washington state).

People steal the brass end caps off hydrants. Dozens of them. Sell them to
scrap metal places.

That conversation, I'm certain, doesn't go like "Oh, hey, I'm Bob from the
Fire Department, getting rid of old hydrant caps" "Oh, sure! Sounds legit,
Bob, let me give you some cash!"

------
jpalomaki
Banks, credit card companies: Give me an API for accessing my own data. Give
me an opportunity to set a callback address that gets pinged whenever my card
is used somewhere. Even better: make it possible for this callback to decline
transactions (obviously this comes with certain problems).

This would open up innovation and I'm sure this would lead to interesting
solutions for combatting the fraud.

~~~
pm24601
I am sure the scammers would love such an API as well. Then the could model
their fraudulent transactions on yours.

For example, they would make sure to go to the gas stations that you frequent.
Or to the electronics store that you made a purchase at recently.

I worked at Citibank. They are barely competent. Don't ask for more access,
they will probably screw it up.

~~~
jpalomaki
In EU something a little bit like this will become mandatory for banks. To my
understanding one part of Payment Service Directive 2 (PSD2) is that banks
will be required to allow third party access to bank account statements (on
customers permission, of course).

[http://europa.eu/rapid/press-
release_MEMO-15-5793_en.htm?loc...](http://europa.eu/rapid/press-
release_MEMO-15-5793_en.htm?locale=en)

~~~
pm24601
Presumedly, those third party providers need to have some sort of security
audit, bonded or somehow "known".

------
elwell
Order gas straight to your car with my startup, Purple, and avoid the concern
entirely.

[https://purpledelivery.com/app](https://purpledelivery.com/app) (LA, OC, &
San Diego)

~~~
jlgaddis
How do we know you aren't buying stolen gas from these gangs? /s

~~~
ceejayoz
Why /s? That's actually a really good question.

------
sandworm101
These guys are criminals. Someone should be going after them. But the secret
service?

This should be handled by the CC industry. US pumps should have chips like
they do in most every other developed nation. It's an arms race, but
prevention is easier than investigation.

And do not blame "the attendants". I worked as a light mechanic at one of the
last truly full service stations. The pump/retail guys are payed minimum wage
on flexible shifts to do a job that is actually rather dangerous. Only one of
possibly a hundred attendants may know anything about the skimmer install. The
guys who own/run the stations should also not be above suspicion. My bosses
were some rather shady characters.

~~~
cortesoft
Credit card companies DO have chips in their cards, but thousands of merchants
around the country don't yet support them. Credit card companies are doing
their best to pressure merchants to upgrade their systems, but they can't just
suddenly cut off those thousands of merchants.

If they did, the headlines would suddenly be "Credit card companies forcing
mom and pop shops to spend thousands on new equipment"

~~~
Symbiote
From the article:

\---- On Oct. 1, 2015, Visa and MasterCard put in force new rules that can
penalize merchants who do not yet have chip-enabled terminals. Under the new
rules, merchants that don’t have the technology to accept chip cards will
assume full liability for the cost of fraud from purchases in which the
customer presented a chip-enabled card.

But those rules don’t apply to fuel stations in the United States until
October 2017, and a great many stations won’t meet that deadline, said
Verifone’s Turner. \----

According to "Yearbook 2005: British Retail Consortium" [1], by the time of
the liability shift (1 January 2005) "retailers accounting for 75% of
transactions" had a chip+PIN terminal, with the remainder "well on the way".
It goes on to explain that small businesses including petrol stations were
consulted as the change was planned, there was no relaxed deadline for them.
(If my memory is correct, petrol station pumps were among the first to switch,
as they had the highest level of fraud — relatively high-value transactions
with no supervision.)

[1]
[https://books.google.dk/books?id=csUYwwVZ2AUC&pg=PT207&dq=ch...](https://books.google.dk/books?id=csUYwwVZ2AUC&pg=PT207&dq=chip+pin+liability+shift+petrol)

~~~
sandworm101
Gas/Petrol stations were, along with restaurants, also the rare places where
the CC was physically separated from the customer. By mandating chips+pin,
customers no longer handed their cards over to people who might scan/copy them
while out of sight.

------
mindslight
Given the sensationalist scare quotes (such as there possibly being _30_ of
these unsafe trucks in existence), I presume the Secret Service is going after
Mastercard and Visa for their willful negligence that created this situation?

------
csense
Go inside and pay with cash. Problem solved.

~~~
MikeNomad
Yep. Have not had problems where people try to skim my cash.

------
presidentender
Just based on the headline, I had guessed that some enterprising miscreant had
figured out how to siphon off some of the gas as customers were fueling -
perhaps through a small tap on the line.

~~~
klenwell
The way I've seen it done around here (Southern California) is more social
hack than technical hack: the enterprising miscreant comes up to you with a
gas canister while you're pumping and gives you some sob story how he lost his
wallet and needs a few gallons to get back down to San Diego.

The article involves a scam that is slightly larger potatoes and was newer
than I expected. I was under the impression that skimmer problem had been
largely neutralized (not sure where I got the idea, maybe something to do with
new chip card rollout). Guess not.

~~~
thrownaway2424
In what way is that a scam?

~~~
CamperBob2
Once you give him some gas, he sloshes the can in your direction and threatens
you with a lighter to get you to hand over your credit card.

Or something. I'm having trouble understanding this scam as well.

~~~
bookmarkacc
His family is fine and he just got a few gallons for free off you. Do this a
few times to different people and you got like $20

~~~
pavel_lishin
Do... do they then sell the gas? Or do they just get free gas?

------
mikepalmer
Love the snappy title for this post... It's poetry.

------
jimjimjim
The rest of the world had to put up with the EMV change-over. But the US just
keeps delaying and delaying. If the card industry applied the same tactics to
the US then merchants would switch over pretty quickly e.g if the shop doesn't
have emv certified chip card terminals then the shop has to accept the loss
from the fradulant transaction.

~~~
spiralpolitik
That is now the case for retail since October 2015. Any fraudulent transaction
using the magstripe and the retailer is responsible for the loss. The rollout
has been slow but I think the only major chain I use on a daily basis that
hasn't got chip readers is Starbucks.

This doesn't apply to gas stations until October 2017. Assuming that the card
industry doesn't blink, the problem should solve itself fairly quickly given
that margins on gas stations are razor thin so if they have to eat the fraud
then they will be lining up to install the new readers.

------
ck2
at $2/gallon theft should go down somewhat?

personally I use cash everywhere I can, it's not just tinfoil-hat thinking,
it's far less hassle

for everywhere else, just use low-balance gift cards

------
nraynaud
There is some kind of genius in the propaganda around the gas thieves. They
are stealing stuff, but let's paint them even darker by saying their trucks
are unsafe. You know what's probably more unsafe? a policeman with a gun. But
the prosecutor is elected, every case is more than a legal case, it's an
election campaign PR operation, you have to win indictment, the trial and the
reelection with every case.

I just love it, nobody can state anything objectively and with detachment
anymore, everything is politically overloaded, even stuff that could be even
as consensual as thievery.

~~~
mschuster91
> They are stealing stuff, but let's paint them even darker by saying their
> trucks are unsafe

These things are literal rolling bombs. Diesel is not as critical (it doesn't
emit explosive vapours and you need higher temperatures to get it to burn, and
unless you vaporize it it will just burn and not explode), but take one of
these trucks with 1 ton of petrol in plastic tanks and you got yourself a
pretty nice fire/explosion hazard. Not to mention that ordinary plastic gets
attacked by the petrol and thus will be weaker than the same tank filled with
water.

All this needs to go off is a single drunk driver slamming into such a truck.
To those who still think "ah that's harmless, just a fire", go visit your
local fire department at an exercise session and watch how powerful just a
liter of burning petrol is, then scale this up to a 1-ton-payload truck
spewing the stuff everywhere.

There's a reason why ordinary fuel trucks are heavily regulated (e.g. in
Germany, they're not allowed on roads in environmentally protected zones, must
carry a number of fire extinguishers, have a speed limit of 60 km/h on country
roads and 80 km/h on Autobahns, the drivers must be specially licensed).

~~~
nraynaud
We are not talking about Europe, we are taking about the US, there is no real
safety regulation on the streets, and people heavily mod cars on the war tank
model (rigid box for everybody). It's not 30 sketchy tanks in a State the size
of Germany that will add any significant risk. Every single handy US guy will
weld his own tank instead of buying a plastic one because it's manly and DIY.
And they love gas: for the home generator connected to the AC in the summer
when the electricity is out, because in the wild everything works with gas
engines, because of boating, for preparation to the apocalypse etc. So many
reasons to make your own welded gas tank.

~~~
schrodinger
I've never seen or known anyone to make a welded gas tank. Nor an a/c on a
generator. And yet I've known a lot of "handy" people, including specifically
welders. Where in the US are you referring to?

~~~
bagels
Only people I know to do that are motorcycle customizers.

