New Breed of Fuel Pump Skimmer Uses SMS and Bluetooth (krebsonsecurity.com)
57 points by Dowwie on Feb 21, 2019 | hide | past | favorite | 28 comments



Putting on my black hat for a minute, it seems that LoRaWAN would be a great way to further "improve" these little pests. GSM is going to leave records that are a subpoena away, with LoRa you control the base station, it claims miles of urban range, and it's spread spectrum so the signal source can't easily be traced. Uses next to no power when not transmitting.

Also, I wonder if there would be a way to enclose virtually all of the pump in metal so that the card reader would be RF shielded and removing the shielding would cause a noticeable change in appearance.


Wouldn't you buy a prepaid SIM for cash in a convenience store, and use its internet connection to send the data to some server in a jurisdiction that doesn't respond to such subpoenas?


Could still trace the point/time of sale and pull security footage. Additionally, the authorities and the telco could work together with a bank to generate a honeypot card, send it by SMS, and then track usage to identify members of the network.


Maybe. IMHO much easier to give a homeless guy $20 to buy a SIM card for you than to get a homeless guy to mail order an obscure radio module on Digi-Key for you :)


How traceable is buying through Aliexpress? I bought a couple of LoRa modules there last year.


Probably depends on what bank you used. Western banks are generally very cooperative with LE. Offshore, much less so.


The financial side isn't hard to hide - buy a prepaid card online with cryptocurrency.

The delivery address gives you away though. Either you or one of your associates is going to have to be in a specific place at a specific time to sign for the package.


> Could still trace the point/time of sale and pull security footage

Have you seen the security video that comes out of most convenience stores? You can't even make out people who rob the place at gunpoint.

90% of convenience store surveillance cameras make Ring doorbells look like tools of the NSA. (In terms of image quality, not the other way.)


In some countries it's no longer possible to buy prepaid SIMs anonymously. You can buy prepaid SIMs, but they need to be activated online, with a government issued ID.


Thus the need for a Signal (from Whisper Systems) replacement that's not tied to a SIM.


bingo


The article has been updated - turns out it was a GPS tracker that someone dumped at the gas station and not a skimmer.


With a little firmware hacking this thing could indeed be a remote bluetooth->SMS relay. Why build a custom solution when you can just repurpose one already produced?

Seems more likely than someone discovering a GPS tracker on their car and sticking it to a gas pump that just happened to also contain a skimmer device. I'd more likely attach the thing to a random landscaping vehicle so the "stalker" could see it going to all sorts of upscale houses.

--edit--

Or, after a bit of googling and not being able to find the specs on that thing, it could be a canary device to tell the skimmers "the jig is up" as it has motion tracking.


The article has been updated (turns out it’s a totally unrelated piece of tech someone left behind) but even if it was true, what’s the big deal?

What’s so groundbreaking about Bluetooth skimmers and a central hub with long-range comms (GSM, etc)?

This seems like a logical evolution, and frankly I’m surprised it hasn’t been done already (or maybe it has, but those guys were good enough to not get caught yet).

In any case I was pretty disappointed by the alarmist tone of the article. Are the people who investigate these things that far out of touch with the state of technology nowadays?

Anyone can buy a Raspberry Pi and a GSM module and get up and running with a bunch of tutorials from Google. It’s not rocket science.


Is there anyone else that always uses cash to pay for gas?


IIRC you can also pay with a CC inside (less likely to have a skimmer at register).

I had to a couple times when driving to California for an internship, because despite telling my CC company this I didn't specify exactly what days I would pass through which states, so even after entering my billing ZIP (and calling to confirm, yes, I assure you I'm traveling) I'd be forced to pay inside.

You had to specify a specific amount though and most interestingly, if you overshot (asked for 50, used 46) they refunded the difference in cash.

Personally, since I am not responsible for credit card fraud, I simply choose to have a separate card for recurring payments like my phone and internet. If someone skims my daily spending card, I'll just report it as fraud and not worry about it.


>if you overshot (asked for 50, used 46) they refunded the difference in cash.

I've never seen that. What I always saw was they authorize for $50, then charge $46. If they're doing it how you described, they're paying interchange on the extra and not getting anything for it.


This was someplace very rural, maybe the cost to upgrade systems was more? This was also pre chip-and-signature, I haven't had the issue since the switch as long as I can enter my ZIP code on the pump.


The Authorise / Charge thing has been around for a long time - it's the same thing that hotels do when you check in. I'm reasonably sure that all terminals have the feature.

It does, however, require that the machine operator is aware of how to do those operations - it's probably easier for them to just charge the card for the set amount, and refund in cash.

Though this slightly increases their risk, as any chargeback means not only do they lose the product, but the cash too.


There are 168,000 gas stations in America. Any given day maybe 100 have a skimmer working... seems like a moderate inconvenience for something that will literally probably never happen to you.

And if it does... just call your bank and get a new card and get the transactions reversed in a 30min phone call.


You're assuming a random distribution of skimmers at pumps across the nation.

Such criminal activity tends to occur in concentrated pockets.

Gas stations around Joshua Tree, CA had been rumored to be skimming people's cards, and some now carry large official stickers warning users of their cards likely getting frozen for 72 hours should they be used at the pump, confirming the rumors.

I imagine the active number is probably more in the thousands nationally. There are a lot of lower income, high-crime areas where pumps are neglected. The Venn diagram of gas stations lacking squeegees and those compromised I suspect has a lot of overlap.


The gas stations near me now accept Tap/Apple Pay/Google Pay. I feel a bit safer using those, but alternatively, you can pay with debit/credit inside the gas station at the register.


Nearest petrol station to my house is the unattended one at a supermarket. Chip&pin upfront to reserve transaction, dispense fuel, wave to cameras, drive off. No option to pay by cash.


No, but I have switched to solely using the contactless feature of my debit card.


I don’t always use cash, but I almost always walk inside to pay for gas.


I do, after my card was skimmed and it created quite a headache.


The actual skimmers are still "traditional" in a sense. This thing just relays that stolen information.


I used to keep fish and my brain wanted a fuel pump skimmer to be something like a protein skimmer in a salt water tank. Like fuel tanks need something to skim the scum so it doesn't ruin your car.

Why do I care if someone hacks that, can they blow up the gas station?

Ten seconds later: ooooh.
