By Scott Schober
Wed | Aug 23, 2017 | 4:09 AM PDT

Consumers looking to fill up at the pump often look for the gas station with the best prices. They are too busy to notice the possibility of nearby cybercriminals stealing their credit card information, but that’s exactly what is happening at some gas pumps.

Through the magic of wireless technology, thieves can sit in their cars near the scene of the crime and collect unsuspecting consumers’ credit card data. Bluetooth, the same wireless standard that delivers music to your portable speakers and earbuds, is being used by thieves in close proximity to a gas station where a Bluetooth credit card skimmer resides inside the pump. But these Bluetooth skimmers add up to a lot more than just a tank of gas for customers.

So how do thieves get Bluetooth skimmers into the pump without getting caught? These cyber thieves typically pull up late at night, usually with a small truck or trailer to obstruct the view of any security cameras. They might also have accomplices distracting the gas station attendant while they install the skimmer. Older gas pumps use universal locks with master keys that can easily be obtained on eBay for only $10. And while some gas station managers have been attempting to thwart tampering by covering the door seams that give access to the pump innards with tamper-proof seals, thieves have begun creating counterfeit stickers that fool even the people who originally applied them to the pumps.

Once the pump is unlocked, they can quickly plug their $100 Bluetooth skimmer into the connector on the back of the credit card reader. They then place the skimmer back into the rat’s nest of ribbon cables that were already there so it blends right in. The process can take all of two minutes for a nimble thief. A more thorough thief will stake out the gas stations along major highways with little to no security cameras, but most thieves tend to favor fast returns on an easy investment.

security seal tampered with to install bluetooth card skimmer

From there, collecting credit card data from thousands of unsuspecting travelers is a simple matter of connecting to the Bluetooth device they planted within the pump. These devices are homemade in appearance because most are assembled by hackers and sold on the dark web. Since the devices are transmitting throughout the day, the only things they require are a nearby thief to receive the data and possibly an eventual battery change. However, many skimmers tap into the pump’s internal power source for uninterrupted power. Some thieves go one step further and add insult to injury with pump and dump schemes that use the stolen credit card data to purchase hundreds of gallons of gasoline at those same stations. This double whammy hits both consumers and gas stations where it hurts.

Unfortunately, the problem is not likely to go away any time soon, as it is expensive to upgrade all of a station’s pumps to more secure chip-and-PIN readers. There is also little motivation for gas stations to upgrade, since credit card liability laws protect consumers and station owners in the U.S. We all pay in the end, but this will eventually begin to shift as credit card companies such as Visa begin requiring gas station owners to have newer chip-and-PIN readers installed and in use by October 1, 2020. Failure to upgrade will cause a liability shift back to the gas station owner. This trend will continue to grow for the next few years, so is there anything we can do about it now?

 

Precautions at the pump

You can employ some basic precautions at the pump that can keep you safe from Bluetooth-skimming cyber thieves.

  • When you pull up to the pump, scan your surroundings to see if any suspicious characters are sitting in their car within 100 feet or so, possibly with a laptop.
  • Check the pump before inserting your credit card into the reader. If the plastic bezel looks slightly off or discolored, don’t insert your card into that pump.
  • If there are any tamper-proof security stickers that have been visibly broken or covered up, don’t insert your card.
  • Choose a pump that is closer to the attendant. These are less likely to have a skimmer placed inside of them.
  • Whenever possible, fill up at a trusted gas station so you do not end up at an unfamiliar station with an empty tank.
  • When in doubt, pay by cash.
  • Monitor your credit card statement regularly and report any questionable transactions immediately.

There are approximately 150,000 gas stations throughout the United States, so cyber thieves have their work cut out for them. As fast as law enforcement agents can find and remove skimmers, thieves will find new pumps to plant new skimmers. Brian Krebs, a respected cybersecurity expert and colleague of mine, has reported extensively on cyber crimes relating to Bluetooth skimmers.
 
Ever since I began looking into the problem, I have come to the conclusions that it will not be going away anytime soon and also that there are more proactive ways to fight these scams. Here at BVS, we have begun development on BlueSleuth, a Bluetooth locator coupled to a direction-finding antenna, allowing law enforcement to quickly hunt down the gas pumps that have been tampered with without having to open and inspect every pump. And since Bluetooth connections are a two-way street, the ability to detect and locate thieves in the act of stealing credit card data becomes a real possibility as well.
 
This article originally appeared on ScottSchober.com.