Credit card skimming attacks on pay-at-the-pump petrol stations

Examples of card skimming attachments to ATMs. According to US media reports, criminals have launched large-scale attacks on petrol pumps with built-in card payment systems to gain access to card data. Similar attacks that involve the attachment of special skimming devices over the legitimate equipment to copy card data, have previously only targeted cash points. Attackers often obtain the PIN with a hidden camera or a secondary PIN pad placed over the machine's original keyboard. More details on this method of attack can be found in The H Open article "Manipulated ATMs - Attack of the card cloners".

In the current cases, skimming devices attached to petrol pump terminals are said to use Bluetooth to transmit the data to criminals operating near by. The attackers then use the skimmed details to forge cards and withdraw money from cash points. Approximately 180 petrol pumps with pay-at-the-pump functionality from Salt Lake to Provo are said to have been manipulated by the currently unknown perpetrators. Local police at one location say the modification to the pump was unnoticeable. The fraud was only detected when several attack victims could be traced back to having used the same petrol pump at a 7-Eleven station.

Petrol stations with pay-at-the-pump functionality are also becoming increasingly popular in Germany and in the UK there are a considerable number of installations. So far there have been no reports of successful skimming attacks on UK or German pumps.

Similar to existing terminals in retail outlets, many systems at petrol stations support EMV and encrypt the communication between the card's chip and the terminal to a certain degree to impede skimming attacks. However, the magnetic stripes, still included on most cards for compatibility reasons, allow the criminals to read out data they are looking for.

Whether the EMV method, or the magnetic stripe was used for making a payment is ultimately inconsequential to customers – they tend to get their money refunded regardless. The difference is only important for establishing liability in cases of misuse. If the card wasn't EMV enabled, liability rests with the card issuer, which is generally the bank. If, on the other hand, the card was EMV enabled but the terminal wasn't, liability rests with the retailer. However, UK researchers demonstrated only recently that the EMV process used with UK cards is also open to attacks.

See also:

• German banking association: German EC cards not vulnerable to manipulation attempts, a report from The H.

(crve)