Some time ago I was fascinated by the story of how criminals were stealing credit card information from ATM machines in California by creating a fake, intermediate entry point for the credit/debit card. A device which, for all practical purposes, looked like the slot where the credit card should be inserted was placed over the slot. However, this device was set up to read the information on the credit card stripe in the same manner that the ATM machine would. So, the card is inserted and passes the first, fake device before continuing on into the machine. The ATM works as expected for the customer, who does not notice the addition of the outer device. Keep in mind, the devices were designed to aesthetically blend in with the surrounding ATM. Of course, the criminals needed the customer’s PIN number as well, so a small video camera was mounted in an upper corner of the ATM where it would not be noticed by the victims.
In a rash of similar attacks in Utah, criminals are now placing scamming devices within “Pay-at-the-Pump” gas pumps. You can read the full story here. The way this seems to work is that a device is placed within the gas pump, skimming the credit card numbers as was done with the ATM machines. The data is transmitted via Bluetooth to a nearby device to be collected later by the attacker.
How an attacker gains access to the “inside” of a gas pump is beyond me. Some are speculating it is an inside job while others say that these pumps are physically vulnerable. Whatever the method, the fact that these devices reside within the pump makes them all the more difficult to detect, especially for the victim.
These two types of attacks remind me of similar phishing methods used by online attackers. A victim receives an email from his bank and is told that his account has been compromised. He clicks the link to log in to his account and is greeted by the familiar login page. However, this page does not reside on his bank’s web server. Instead, it resides on the attacker’s server somewhere in Russia. All the other links on the page do as expected and take him to actual links on his bank’s page. However, the button he clicks to log in sends his credentials to the attacker’s database. The attacker’s page will then redirect him to his actual bank login page. What does the victim think? He must have simply put in the wrong password. He tries again, and he’s in his account. All this transpired without the victim realizing his credentials were stolen. The fake page was designed in the same way as the fake ATM card slot, and the clever attacker allows the victim’s login to finally achieve what the victim wants: access to his account. The attacker does not want to cause disruption to the process that would direct unwanted attention to himself.
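As an added example (not part of the original post), here is a defender-side check for the page pattern described above: the links point at the bank, but the form holding the password field submits to a different host. The function names, hostnames and sample HTML are constructed for illustration.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class PageScan(HTMLParser):
    """Collects link targets and the action URL of each form with a password field."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.links = []
        self.forms = []      # each entry: [resolved_action_url, has_password_field]
        self._form = None    # form currently open, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(urljoin(self.page_url, a["href"]))
        elif tag == "form":
            # An empty or missing action submits back to the page's own URL.
            self._form = [urljoin(self.page_url, a.get("action") or ""), False]
            self.forms.append(self._form)
        elif tag == "input" and self._form and (a.get("type") or "").lower() == "password":
            self._form[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def credential_form_mismatches(page_url, html):
    """Return (form_action, dominant_link_host) for password forms that post elsewhere."""
    scan = PageScan(page_url)
    scan.feed(html)
    hosts = Counter(h for h in (urlparse(u).hostname for u in scan.links) if h)
    if not hosts:
        return []
    brand_host = hosts.most_common(1)[0][0]
    # Exact host comparison: a real site posting to a sibling subdomain needs an allow-list.
    return [(action, brand_host) for action, has_pw in scan.forms
            if has_pw and urlparse(action).hostname != brand_host]

# Constructed sample page: every link is absolute to the bank, the form action is relative.
SAMPLE_HTML = """
<a href="https://www.examplebank.test/help">Help</a>
<a href="https://www.examplebank.test/privacy">Privacy</a>
<form action="collect.php" method="post">
  <input type="text" name="user"><input type="password" name="pass">
</form>
"""

if __name__ == "__main__":
    for url in ("https://login.example.net/bank/index.html", "https://www.examplebank.test/login"):
        print(url, "->", credential_form_mismatches(url, SAMPLE_HTML))
```

The same HTML is flagged only when it is served from a host other than the one its links point to, which is the situation the victim in the scenario cannot see from the page's appearance.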
While newsworthy, neither of these skimming attacks is commonplace. Setting them up would involve quite a lot of risk. I would say that you are as vulnerable to having your credit card information stolen by your waiter at a restaurant who walks off with it for 15 minutes as you are to a credit card skimmer. However, let us still show a bit more caution whenever we swipe that card. Does the device look tampered with? Perhaps it looks newer than its surrounding enclosure? Do you remember that ATM card slot being so big? Are the other ATMs the same in appearance? If the answer to any of these questions causes reasonable suspicion, then we should be discussing our concerns with the owners of the equipment.
David H.
