On Gas Pump Skimmers and Protecting Yourself

Earlier this year I got a call from my credit card company asking if I made a $1.00 purchase at a gas station in a town about 50 miles north of us, and another purchase at a Best Buy. I immediately realized my card was compromised and the credit card issuer sent me a new card. Fortunately, credit card companies protect us. Unfortunately, it costs them money, and it's a pain for everyone. In my case, after thinking back along my recent activity, I found that my card information was captured by a skimmer in a gas station pump at a station I'd visited the week prior. So being the curious type, and a tech nerd, I decided to make it a case study and dig into how these things work to see how we can avoid being victims.

Skimmers are simple devices that criminals place inside of gas pumps. Opening most gas pumps is easy--the same keys work for most pumps in the country, and you can buy them online. Getting inside the pump is not difficult, and installing the skimmer is a simple matter of unplugging one of the pump's control boards, plugging it into the skimmer, and then plugging the skimmer back into the pump circuitry. Think "man in the middle." The skimmer simply sits in the middle between the pump's card interface and the pump's circuitry. So when you insert your credit card, the reader sends your card data to the skimmer, which stores it in memory before passing it along to the pump. Your transaction goes through without issue, but your credit card information has just been stolen.

According to my research, the vast majority of skimmers are made by crooks who are very good at assembling these things. Most of the component circuitry can be purchased cheaply. A bluetooth module, for example, might cost $4. A complete skimmer with bluetooth capability can be assembled for about $10. Pretty cheap.

Here's a couple samples of a bluetooth skimmer (credit: Sparkfun.com).

The circuitry itself looks very professional, except for the somewhat more sloppy, amateurish cabling connection. I used to build radios and lots of other electronic gizmos from scratch, and soldering connections is an art form. Screw it up and you'll short the circuit. So this tells me that the criminals bought the skimmers from someone who was a pro at making them, and then they soldered on their own cables to fit whatever pumps they were targeting.

Early skimmers were devices that just stored the credit card data. The criminal had to come back and retrieve the device from the pump. That's obviously not ideal for the bad guys, because of the risk inherent in someone seeing you opening a gas pump and mucking around inside it. Newer, and most current, models of skimmers are bluetooth-capable. All the crook has to do is pull up to the pump and use an app to connect to the the skimmer via Bluetooth and download the credit card data from it.

There are also even newer, cellular-capable skimmers, like the ones below (credit: Krebsonsecurity.com).

These skimmers use the guts from cheap "burner" phones and prepaid SIM cards, usually bought with cash or with a stolen credit card. Cellular capability means that the criminals don't need to return to the gas pumps to retrieve the stolen card data with these skimmers--the skimmers simply use SMS--text messaging--to send the stolen card data in real time to the criminals.

Any skimmer can be installed in less than a few minutes, with the most experienced able to do the job in about a minute, sometimes less. Typically, the job involves multiple people because one person often watches the gas station clerk and for other trouble, while another opens the pump and installs the skimmer. According to some police chiefs that spoke about this crime, most often the pumps that are farthest from the store are targeted, along with pumps that may be obstructed from direct view by the store clerk. Criminals will also try to leave doors open, park larger vehicles in the line of sight, or use their bodies to obscure the view of the store clerk while the skimmer is installed. Also, gas stations closer to major arteries like interstate highways, stations with few or no cameras, and stations with older pumps are more often targeted.

So what can you do to better protect yourself? I have some tips (in no particular order):

1. Use pumps that are closest to the store and/or in plain view of the store or attendant.

2. Use your cell phone to try to detect the presence of a Bluetooth-enabled skimmer. Bluetooth has a maximum range of 11 meters (about 33 feet), and most skimmers broadcast the device ID of the skimmer's bluetooth circuitry. A common ID of a skimmer is HC-05. Take out your phone at the pump, make sure Bluetooth is enabled, and see if you notice any suspicious device names showing up...like "HC-05". If you notice it, the pump has been compromised. Report it to the attendant. (Note: There are apps for Android, like Skim Plus and others, that you can use to detect Bluetooth skimmers, but you don't need an app; you can just as easily look at the list of Bluetooth devices around you in Bluetooth settings and check for suspicious devices.)

3. Look at the tamper-resistant tape on the pump. If it's been tampered with or looks worn, report it to the attendant.

4. Pay inside the store.

5. Never use a debit card in a gas pump. You may not have the same protections as with a credit card, and could be placing your bank accounts in jeopardy.

Hope this was helpful!