The New York gas pumps that steal your credit card

A few years back, we saw a spate of Bluetooth-enabled, banking-data-gobbling skimmers installed at gas stations in the Southern US.

Eventually, 13 alleged thieves were charged with forging bank cards using banking details chirped out via Bluetooth to nearby crooks from devices that were impossible for gasoline-buying customers to detect, given that the skimmers were installed internally.

Of course, it’s much easier to detect thieves’ attempts to get at your credit card when they’ve gone the kludgy, model airplane route. That route entails thieves 1) gluing a card catcher onto the front of an ATM (hopefully in a nice, wiggly fashion—much easier for victims to detect that way!), 2) hoping it doesn’t fall off before it catches some cards, and then 3) hanging around the machine, pretending to look innocent, as they wait to snatch the cards after victims give up on ever getting them back.

True, the Bluetooth skimmer was installed internally, making it tougher to spot than the glued-on kludge of a card catcher. It still presented a problem for the thieves, though: namely, using Bluetooth meant the skimmer still relied on the thieves hanging around nearby, given the limited range of this wireless technology. It also meant that anybody else using Bluetooth in the vicinity could get an eyeful of “Oooo, payment card details up for grabs!”

Now, as security journalist Brian Krebs reports, New York City police have started to see a new sort of skimmer on gas pumps that cuts the Bluetooth tie, instead relying on wireless GSM text messages to get card details to the crooks anywhere in the world.

No more hanging around smelly gas pumps! No more returning to the scene of the original crime – as in, the place where the skimmers were initially installed – to retrieve the booty. Now, the thieves can plug the skimmers in and make themselves scarce, taking off to wherever their counterfeit card making setup is located.

Mind you, wireless transmission of stolen card data is nothing new. There’s a US Secret Service task force in Los Angeles that’s been looking into fuel theft and fuel-pump skimming since 2009, and it’s found that there are distinct crime gangs, working in tandem, that steal the gas and that skim the card data. They use SMS/text messages to exfiltrate card data. And like the GSM skimmers, use of the SMS skimmers likewise means that thieves don’t have to return to the scene of the crime: all they need is mobile phone service to collect card data and PINs.

Krebs quoted Secret Service agent Steve Scarince in a 2015 article:

Generally the way it works is the skimmer will sell the cards to a fuel theft cell or ring. The head of the ring or the number two guy will go purchase the credit cards and bring them back to the drivers. More often than not, the drivers don’t know a whole lot about the business.

They just show up for work, the boss hands them 25 cards and says, ‘Make the most of it, and bring me back the cards that don’t work.’ And the leader of the ring will go back to the card skimmer and say, ‘Okay out of 100 of those you sold me, 50 of them didn’t work.’

But this is apparently the first time that we’ve seen GSM-based pump skimmers show up in gas pumps – at least, in New York – according to a New York police officer. The devices were pulled off of three New York filling stations this month. The officer shared some images of the devices with Krebs.

Krebs identifies that, like other pump skimmers, these GSM skimmers draw power from the pumps they’re attached to, allowing them to operate indefinitely.

Analysis on the T-Mobile SIM cards apparently hasn’t turned up any data on the thieves. All that investigators have found so far are the unique serial numbers—what’s known as the integrated circuit card identifiers, or ICCIDs—of the SIM cards.

It’s common to see skimming devices on ATMs – or gas pumps, or any card processing device – used with some type of remote sensing or telemetry, whether messages are being sent out via GSM or mobile phone. Thieves can take off-the-shelf devices, including the bits and pieces of a mobile phone used in this recently discovered GSM skimmer or, say, a video recorder, and then just jam it behind some believable-looking moldings. It can make it tough for a customer to tell there’s something fishy going on.

What to do?

Don’t use a card machine on a gas pump, an ATM or anything else if you think it may have been tampered with.

In cases like this, where the machine itself seems to have been compromised and there are no external clues to the tampering, there isn’t much you can do beyond deciding if you trust the gas station or not.

As always, it’s smart to regularly check credit card statements and keep an eye out for anything that doesn’t look right.

Keep your bank’s phone number handy on your phone too. If you see anything suspicious, whether it’s on your statement or at an ATM, a restaurant or the filling station, report it to the credit card company.

And don’t forget to call the police: if there’s fraud going on, they’ll want to know.