Parasite devices skim card data

KPD warns of skimmers' new tech after discovery at local gas pump


Law enforcement is well aware of the devices skimmers use to steal victims’ card data, and the authorities have to continually up their game as criminal methods evolve.

Case in point: on Monday, Kilgore police discovered a late-generation card skimmer bugging a local gas station’s pump, hidden within the bowels of the machine itself.

According to Kilgore Police Chief Todd Hunter, there was no outward sign the payment terminal had been tampered with – routine maintenance revealed the suspect tech at the Exxon station on the corner of State Hwy. 259 and Hwy. 31.

“It was discovered by a technician working on the pump,” Hunter confirmed. “It has been recovered and it’s being sent off to be analyzed.”

It’s part of a “plague” of the devices sweeping East Texas and other areas, he noted, as skimmers attach parasitic readers to gas pumps, ATMs and similar terminals to clone the information they receive from customers’ cards. Some fit over the actual card reader, reading data as the card is swiped; the internal bug at Exxon intercepted the signal between the reader and the receiver.

There’s a common security flaw at many gas stations.

“Those pumps are typically made by just a few vendors in the United States,” Hunter noted Tuesday. If skimmers get their hands on a vendor’s universal key, the thieves can open the pumps without difficulty. “Because of the universal keys, they’re able to manipulate that locking mechanism and place (the skimmer) inside, typically going undetected for days on end.”

It wasn’t that long ago, he added, that law enforcement learned the skimmers had moved inside the machines.

With that setup, a person using a card to pay for gas at the pump wouldn’t have any sign something nefarious was going on: no discolored plastic, no loose fitting suggesting a deceitful add-on.

“Your purchase goes through without interruption, so you’re unaware of it,” Hunter said. “It downloads all the information off the magnetic strip.

“All the data that was captured is later downloaded, typically via a Bluetooth device as the suspects drive through the area. Then they can clone that data with your information.”

Typically, Hunter said, a card user’s financial institution will call to report the account has been compromised. The crime regularly comes at the expense of a victim’s bank.

“In time this may come back to the retailers, which is passed on to us,” the consumers.

The crime becomes more and more difficult to detect as skimmers continuously alter their strategies.

“People will try to prevent it in one manner, and they’ll go and change their MO and evolve to a different method of obtaining information.”

The gas pump in question has long been under surveillance, Hunter confirmed, but with no indication of when the skimming device was installed there’s no good way to track down the suspect within, possibly, hundreds of hours of recorded footage.

KPD Det. John Rowe took a picture of the modified wiring and flagged the suspicious connections. The department posted the how-to-detect guide to social media Tuesday with a call for payment terminal operators to stay vigilant against such sabotage.

With the latest incident, Hunter hopes vendors in the area will take a close look at their machines and keep a regular eye on their innards. KPD is launching an information campaign for gas station owners, including inviting local operators to a sit-down meeting on the threat.

Meanwhile, “The vendors can help us by going out and changing the locking mechanism to one that is specific to that store itself,” Hunter added, forgoing universal keys. Consumers must be vigilant too: “I knew about the external device, and I looked at them several times. I thought I was being pretty proactive.”

There’s an effective defense, he says.

In recent years, legislation required gas stations to install chip readers at the pump, but the deadline was pushed back from October 2017 to October 2020 – or later.

It solves a lot of problems, according to Hunter. Fortunately, some new pumps already utilize the technology.

“If that device uses a chip reader, you will be in good shape,” he said, “but most devices at this time do not incorporate that type of technology.

“Until everyone moves to a chip-based system, this is going to be something we may be faced with.”

Hunter recommends putting in the extra effort to walk into the gas station and pre-pay at the register.

“Most stores have a chip-reader inside and your information is not going to be compromised.”
