We have heard of skimmers installed in ATMs, and some stores have even had skimmers replace their debit machines, but not many people know that fuel pump skimmers exist as well. At one of the gas stations I frequent, they have tamper seal stickers on the pumps, which are a quick way of indicating whether the pump has been compromised in any fashion. But how do these skimmers work?
Fuel pump skimmers are what is known as a ‘man in the middle’ attack. What this means is that the skimmer is connected to the card reader on one end of the device, and the other end of the device is connected to the pump controller. The skimmer sits between these two devices and records all the serial data into external memory on the skimmer board. These devices can be installed in as little as 30 seconds. Master keys to the fuel pump are used to open the cabinets and install the skimmers. When you run your card through the system, your card is charged normally and the skimmer records all the details of the transaction. Because the skimmer simply records the information, you are none the wiser.
The thieves retrieve the information in one of two ways. The first is by text: when your card information has been captured, the device sends a text message to the thieves with all the information gathered by the skimmer. The newest way of retrieving this information is by Bluetooth. All the thieves need to do is pull up to the pump with a Bluetooth-equipped laptop, log into the device, and download all the information the skimmer has saved in its memory. There is no need for the thieves to open up the pump again.
Because the skimmers use Bluetooth, your cell phone, if Bluetooth equipped, may actually be able to spot a skimmer before it has a chance to steal information: if the thieves don’t change the default settings on these devices, they are discoverable. A lot of the skimmers use a Bluetooth chip called the HC-05, which is a very common Bluetooth chip found in many Bluetooth-equipped devices. If you place your phone into scanning mode and you see a device called HC-05 (newer boards are HC-06), there may be a skimmer nearby. Try pairing with this device by using a passcode of ‘1234’, as this is the default programmed into these chips provided by the manufacturer. (www.hc01.com)
A typical Bluetooth board (HC-06)
Credit Card Data
A credit card’s magnetic stripe consists of 3 tracks of information. Normally only track 1 and track 2 are used. Both track 1 and track 2 contain mostly the same data and are paired in case one of the tracks is damaged. If you were to read the serial data from the skimmer itself, or the credit card’s magstripe, you would see something similar to this (note: not using an actual credit card number; for example purposes only).
% – Indicates start of track 1 information
B – Indicates card type, B is credit/debit card
PAN – Primary account number, from 16 – 19 digits
^ – Field separator
Account Holder’s Name – 2 – 26 characters
^ – Field separator
ED – Expiry Date, 4 digits, always YYMM
SC – 3 characters, indicates what charges can be made on this card
DD – Discretionary data – could be PINs, etc.; differs between card providers
ES – End Sentinel (?) – indicates end of Track 1 data
As track 2 is similar, I won’t go into the details.
As you can see, the information contained within the tracks is more than enough for a thief to create a forged card and use this card for purchases. As you still have the physical card, you have no reason to suspect your data has been stolen and more than likely won’t notice the illegal charges until your next statement, giving the thieves plenty of time to make illicit purchases on your account.
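A defensive use of the Track 1 layout listed above, as an added example that is not part of the original post: a Python scanner that a station operator or payment-system engineer could run over serial captures or log files to find unencrypted Track 1 records and mask them. The function names, the log format and the sample lines are assumptions made for illustration; the first PAN is a widely published test number.

```python
import re

# Track 1 layout from the field list above: % B PAN ^ NAME ^ YYMM SC DD ?
TRACK1 = re.compile(
    r"%B(?P<pan>\d{16,19})\^(?P<name>[^^?]{2,26})\^"
    r"(?P<expiry>\d{4})(?P<service>\d{3})(?P<disc>[^?]*)\?"
)

def luhn_ok(pan: str) -> bool:
    """Luhn checksum; rejects digit runs that only look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * (2 if i % 2 else 1)  # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Show only the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_track1(text: str) -> list:
    """Return one masked finding per Luhn-valid Track 1 record in text."""
    findings = []
    for m in TRACK1.finditer(text):
        if luhn_ok(m["pan"]):
            findings.append({
                "offset": m.start(),
                "pan": mask_pan(m["pan"]),
                "expiry_yymm": m["expiry"],
                "service_code": m["service"],
            })
    return findings

def redact(text: str) -> str:
    """Replace each Luhn-valid Track 1 record with a masked placeholder."""
    def repl(m):
        if not luhn_ok(m["pan"]):
            return m.group(0)  # not a plausible card number, leave untouched
        return "[TRACK1 " + mask_pan(m["pan"]) + " REDACTED]"
    return TRACK1.sub(repl, text)

# Constructed sample log: first PAN is a published test number, second fails Luhn.
SAMPLE = (
    "12:00:01 pump=4 rx=%B4111111111111111^DOE/JOHN^2512101000000000?\n"
    "12:00:09 pump=4 rx=%B1234567890123456^TEST/CARD^2512101000000000?\n"
    "12:00:15 pump=4 status=idle\n"
)

if __name__ == "__main__":
    print(find_track1(SAMPLE), redact(SAMPLE), sep="\n")
```

The Luhn check keeps the scanner from flagging arbitrary digit runs that happen to sit between the sentinels, which is why the second sample line is left untouched.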
How to protect yourself
Because pump skimmers are a type of ‘man in the middle’ attack, they are very difficult to spot. As the skimmers are actually installed within the pumps themselves, there are usually no physical signs the pump has been tampered with. If the pump has one of those tamper proof stickers installed, examine it to ensure that the sticker has not been damaged in any way. If you are familiar with Bluetooth pairing, you can see if your phone is picking up the HC-06 or HC-05 network, but if the thief has any technical knowledge, the thief can turn network ID broadcasting off, which would make the network undiscoverable. The best way to ensure your protection is to use Chip and PIN. Chip and PIN creates a new signature for every transaction, so unlike the magstripe, where the data was consistent, with Chip and PIN every transaction is unique. As with any system, though, Chip and PIN can be defeated, in this case with devices called ‘Shimmers’, but that’s a different topic altogether.
The best way to prevent fraud is to be vigilant. Log into your online banking on a regular basis and check for charges that seem out of place. If you do have a Chip and PIN card, most banks will refund the fraudulent charges for you.