Visa published an alert that says that the point-of-sale (PoS) systems of North American Fuel Dispenser Merchants (as in gas stations and the folks that make the systems that allow you to “pay at the pump”) are being targeted in credit card skimming attacks.
The attacks are ongoing, increasing and coordinated by cybercrime groups.
The Visa fraud disruption unit alert described several attacks. Stores were supposed to install chip readers by 2015 (if they don’t, they get to pay for any fraud linked to their lack of chip card readers), but gas stations got an extension and are just now installing chip readers in pumps (they were supposed to do it by October 2019, but now they have until October 2020).
One of the benefits of chip readers is that the card information is encrypted at the pump and not decrypted until it arrives at the gas station’s bank. Since most pumps still have not been upgraded, the data does not get encrypted until it leaves the gas station, if at all.
This means that if a hacker can get malware installed in the gas station, they can likely read the credit cards.
Here is the part that affects all businesses:
Individual gas stations are independent from the brands, for the most part, and many are completely independent. That makes them small businesses that don’t have an IT department.
The attacks usually start by infecting the computer in the office – someone is bored and surfs the web. They visit a sketchy web site and click on a malicious link.
Because gas station owners are not IT or security experts, everything is on the same network – as is the case in many (most?) small to medium-sized businesses.
What businesses need to do is SEGMENT their networks – separate different parts of their business from each other – the WiFi should be separate from the credit card system, from the smart TV, from the gas pumps, etc.
Doing that makes it MUCH harder for hackers in any business to get to where they want. In the Target breach, the hackers compromised a server used by vendors to get projects and submit invoices, but that server, because of a lack of segmentation, could talk to the credit card system.
It takes a little work to design a correctly segmented network that will limit the damage that hackers can do while still letting your employees do what they need to do, but recovering from an attack takes a lot more work than preventing one.
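As an added illustration (not part of the Visa alert or of the original post), the Python below models which network zones may open connections to which others and checks whether an infected office PC, guest WiFi or smart TV can reach the credit card system, either directly or by hopping through another zone. The zone names and the three policies are constructed assumptions for a small gas station.

```python
from collections import deque

# Constructed zone names (assumptions for this example, not from the alert).
CARD_ZONE = "card_system"
UNTRUSTED = ("office_pc", "guest_wifi", "smart_tv")
ZONES = UNTRUSTED + ("gas_pumps", CARD_ZONE)

# Flat network: every zone can open connections to every other zone.
FLAT = {src: set(ZONES) - {src} for src in ZONES}

# Default deny, but one leftover rule lets the office PC manage the pumps.
LEAKY = {
    "office_pc": {"gas_pumps"},
    "gas_pumps": {CARD_ZONE},  # pumps must send card data for authorization
}

# Default deny: only the pumps may talk to the card system.
SEGMENTED = {"gas_pumps": {CARD_ZONE}}


def path_to_card_zone(policy, start, target=CARD_ZONE):
    """Return the shortest chain of allowed hops from start to target, or None."""
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        for nxt in sorted(policy.get(path[-1], ())):
            if nxt == target:
                return path + [nxt]
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def audit(policy):
    """Map each untrusted zone that can reach the card system to its path."""
    findings = {}
    for zone in UNTRUSTED:
        path = path_to_card_zone(policy, zone)
        if path:
            findings[zone] = path
    return findings


if __name__ == "__main__":
    for name, policy in (("flat", FLAT), ("leaky", LEAKY), ("segmented", SEGMENTED)):
        print(name, audit(policy) or "no untrusted zone reaches the card system")
```

The "leaky" policy shows why the check follows chains of hops: the office PC has no direct rule to the card system, yet it still gets there through the pumps.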
On a separate note, if you are concerned about your credit card getting compromised at a gas pump, you can do a couple of things to improve your odds:
- Use a pump closest to the store – it is the least likely to have a skimmer attached. That won’t help if the hacker installs malware on the station’s network, though.
- Patronize gas stations that have upgraded their pumps (those are the ones that tell you to leave your card in the reader until they ask you to remove it).
- Pay inside – sometimes, but not always, that computer gets upgraded before the pumps get upgraded. Watch how they process your card – if they swipe it, it hasn’t been upgraded. If they insert it and wait, it has been.
- Last option, if you have to, pay cash.
Gas stations are frequent targets because crooks can get to the pump at 3:00 in the morning when no one is there, and because the stations have really poor cybersecurity, except, MAYBE, for stations that are owned by the oil companies themselves. Apparently, according to Visa, that is becoming a real problem, but it is a great opportunity for other businesses to get ahead of the attacks.
Source: Bleeping Computer