SANS ISC: InfoSec Handlers Diary Blog

Mitigation Fail for Gas Pump Skimmers

Published: 2014-03-05
Last Updated: 2014-03-05 14:49:22 UTC
by Rob VandenBrink (Version: 1)

In late January we all heard about Bluetooth-enabled credit card skimmers on gas pumps.  Since that story broke, I've been seeing some attempts at reassuring the public on this issue - I'm seeing pumps at multiple chains having their card readers taped and initialed.

I suppose they figure crooks don't have red tape, or pens.  This really is more to reassure consumers, to say "yes, we do check these once in a while to make sure that your card isn't being skimmed".  Though that assumes the person checking can tell a reader cover from a skimmer.

I was surprised also to find that this "breaking story" on skimmers which hit the news in January 2014 was first posted by Brian Krebs way back in 2010 -

... but by the time my brain caught up with whose page I found this on, I wasn't surprised at all.

The main protection we have against skimmers is the moral fortitude of the attendant working at the station.  We're depending on that person doing the right thing when offered a potentially very large bribe.  Skimmer operations can easily net tens of thousands per week, or millions in this recent case.  So the risk / reward proposition is a large bribe, often in the tens-of-thousands range, weighed against being apprehended and charged/convicted if the operation is caught before they shut down and move on to the next set of target gas stations.

Please, weigh in using our comment form.  I'd be really interested if our readers might have solutions or preventive measures that will work better than the red tape I described in this story!

Rob VandenBrink
