Charles Begian
ABSTRACT
Payment card fraud is a growing problem in the United States. Credit and debit card numbers are harvested from automated devices such as fuel dispensers, Point of Sale (POS) terminals, and Automated Teller Machines (ATMs) in a process known as "skimming". Skimming requires the installation of malicious hardware on (or inside of) the targeted device. As such, it serves as an example of a physical cyber threat. In this paper, we provide an overview of payment card skimming in general, before narrowing our focus to payment card skimming occurring at fuel pumps. We then reverse engineer skimmers which law enforcement has harvested from fuel pumps in Florida. We consider only those skimmers which use Bluetooth to exfiltrate the "skimmed" payment card data. The goals of our research are to analyze the internal operation of the skimmers and determine if they can be disabled wirelessly, without requiring the fuel pump cabinet to be opened.
- Federal Trade Commission. (2019, February). Consumer sentinel network data book 2018. Washington, DC: FTC. https://www.ftc.gov/system/files/documents/reports/consumer-sentinel-network-data-book-2018/consumer_sentinel_network_data_book_2018_0.pdfGoogle Scholar
- Lamberger, I., Dobovsek, B., & Slak, B. (2012). Some dilemmas regarding payment card related crimes. Varstvoslovje, 14(2), 191--204. http://www.ezproxy.dsu.edu:2048/login?url=https://www.ezproxy.dsu.edu:2085/docview/1347615860?accountid=27073Google Scholar
- South, M. (2016, May 4). Can't hack a hacker: reverse engineering a discovered ATM skimmer. TrustFoundry Blog. https://trustfoundry.net/reverse-engineering-a-discovered-atm-skimmer/Google Scholar
- National Association of Convenience Stores (NACS). (2018, July 5). Gas pump skimming on the rise. NACS News. https://www.convenience.org/Media/Daily/2018/Jul/5/ND0705181_Gas-Pump-Skimming-on-the-Rise_RiskManageGoogle Scholar
- Federal Trade Commission (FTC). (2018, August 7). Watch out for card skimming at the gas pump. FTC Consumer Information Blog. https://www.consumer.ftc.gov/blog/2018/08/watch-out-card-skimming-gas-pumpGoogle Scholar
- Roustan, W. (2018, April 11). Credit card skimmers at Florida gas pumps are becoming harder to stop. South Florida Sun-Sentinel. https://www.sun-sentinel.com/news/transportation/fl-reg-gas-pump-skimmers-20180411-story.htmlGoogle Scholar
- Katon, J. (2019, October 24). Personal communication of Mr. Begian with Senior Special Agent Jeffrey Katon from Tampa Bay Electronic Crimes Task Force at the US Secret Service.Google Scholar
- Bhaskar, N., Bland, M., Levchenko, K., & Schulman, A. (2019). Please pay inside: evaluating Bluetooth-based detection of gas pump skimmers. Proceedings of the 28th USENIX Conference on Security Symposium (SEC'19), Santa Clara, CA, 373--388. Berkeley, CA: USENIX Association. http://dl.acm.org/citation.cfm?id=3361365Google Scholar
- Scaife, N., Bowers, J., Peeters, C., Hernandez, G., Sherman, I. N., Traynor, P., & Anthony, L. (2019). Kiss from a rogue: evaluating detectability of pay-at -the-pump card skimmers. Proceedings of the 40th IEEE Symposium on Security and Privacy (SP'19), San Francisco, CA, 1000--1014. https://doi.org/10.1109/SP.2019.00077Google ScholarCross Ref
- Cross, D., Hoeckle, J., Lavine, M., Rubin, J., & Snow, K. (2007). Detecting non-discoverable bluetooth devices. Proceedings of the International Conference on Critical Infrastructure Protection (ICCIP 2007), Hanover, NH, 281--293. https://doi.org/10.1007/978-0-387-75462-8_20Google ScholarCross Ref
- US Secret Service (2019). Skimming Device Forensics (2019 Edition). Washington, DC: US Secret Service.Google Scholar
- Meriac, M. (2010). Heart of Darkness -- exploring the uncharted backwaters of HID iCLASS™ security. Proceedings of the 27th Chaos Communication Congress (CCC), Berlin, Germany. Berlin: Chaos Computer Club.Google Scholar
- Microchip. (2006). PIC18F2455/2550/4455/4550 data sheet. Chandler, AZ: Microchip. https://ww1.microchip.com/downloads/en/devicedoc/39632c.pdfGoogle Scholar
- Micron. (2015). Micron M25P16 serial flash embedded memory features. Boise, ID: Micron. https://www.digikey.com/en/datasheets/microntechnologyinc/micron-technology-inc-m25p16Google Scholar
- National Association of Truck Stop Operators (NATSO). (2016, December 2). Dispenser EMV liability shift delayed. NATSO Topics. https://www.natso.com/topics/dispenser-emv-liability-shift-delayedGoogle Scholar
- Guangzhou HC Information Technology (GHCIT). (2011). HC-05 Product Data Sheet, Rev. 1.01. Guangzhou: GHCITGoogle Scholar
- Microchip. (2015). RN42/RN42N Class 2 bluetooth module with EDR support. Chandler, AZ: Microchip http://ww1.microchip.com/downloads/en/DeviceDoc/50002328A.pdfGoogle Scholar
- Tony, J. (2019, July 3) Gas pump skimmer wanted. Carding.ug Forum. http://carding.ug/index.php?/topic/9577-gas-pump-skimmer-wantedGoogle Scholar
Index Terms
- Analysis of Fuel Pump Skimming Devices
Recommendations
Securing credit card transactions with one-time payment scheme
Traditional credit card payment is not secure against credit card frauds because an attacker can easily know a semi-secret credit card number that is repetitively used. Recently one-time transaction number has been proposed by some researchers and ...
Detecting credit card fraud by Modified Fisher Discriminant Analysis
We introduce Fisher Linear Discriminant Analysis (FLDA).We modify it to be sensitive toward profitable instances.We applied them together in credit card fraud detection problem.The results are compared in terms of total obtained profit with three well-...
Location of trusted email for prevention of credit card fraud in soft-products e-commerce
AIC'04: Proceedings of the 4th WSEAS International Conference on Applied Informatics and CommunicationsSoft-products are intangible products that can be consumed without shipment, such as software, music and calling cards (calling time). The demand for soft-products on the Internet has been increasing for the past few years. At the same time, fraudulent ...
Comments