Credit Card Thieves Targeting Gas Pumps

POS terminal with credit card
Is Buying A Used POS Terminal Worth It?
April 7, 2020
Man holding head on computer
Why Facebook’s Lack Of Security Will Lead to More E-Commerce Theft
April 21, 2020
POS terminal with credit card
Is Buying A Used POS Terminal Worth It?
April 7, 2020
Man holding head on computer
Why Facebook’s Lack Of Security Will Lead to More E-Commerce Theft
April 21, 2020
Show all
Charging Gasoline at the Fuel Pump

The EMV liability shift has yet to be completed for gas pumps and thieves are targeting them

There is one last bridge to cross before the United States fully adopts EMV credit card technology and that is at the pumps. Gas stations have until October 1, 2020 to make the switch so they can avoid the liability shift and if this is you and you haven’t started you should get moving. While this will help with your security and PCI Compliance there is another reason that needs to be done as a warning that was issued last December illustrates.

New Problems At The Pumps

Visa issued a warning to anyone who uses gas pumps that there was a chance that their credit card information might have been stolen. A group called Fin8 were able to find a weakness in gas station POS networks that allowed them to remotely obtain the information from the pumps. They were able to use a phishing scam and once in they install software that targets the magnetic strip reader.

When a customer is at the pumps this will then intercept the credit card information and send it back to the criminals who will then use it themselves or sell the information. There is nothing a customer can do to stop this either as the thieves never personally visit the station and never install anything like you would see with a conventional skimmer. Visa said that multiple attacks were discovered using this technique but would not elaborate on how widespread the issue was. 

There is also nothing that a gas station owner can do either once the phishing attack is successful other than install EMV card readers on their pumps. The magnetic stripe readers that are still found bypass the chip and the security benefits that it offers and Visa said that the attack was useless with pumps that utilize an EMV reader.

How Can You Avoid This?

Two things can be done to avoid an attack like this if you own or operate a gas station. The first is to be able to know what to look for when it comes to a phishing attack so that you can spot it and not fall for it. In this case if the phishing attack never materializes the attack cannot proceed. The second is to upgrade your pumps to EMV readers if you haven’t already. 

Of course the latter option is not a cheap option and this is partly why the liability shift has been pushed back a couple of times. It can cost as much as $250,000 to replace a pump and that does not include the lost revenue from the pump being out of service for what could be weeks at a time. It has been something that many gas station owners are loathe to do but will need to. 

Upgrade Time

Many consumers of course live in blissful ignorance so they may not care one way or another but over time this kind of attack will become more ingrained into the public conscience. Consumers will do what it takes to protect themselves and may avoid your station if you have not upgraded. They have no idea whether you have fallen victim to the attack and if you don’t know what to look for with a phishing scheme you might not as well.