Gas pumps are scammers’ new big target – and drivers are helpless

Brittany A. Roston - Dec 17, 2019, 6:13pm CST
Gas pumps are scammers’ new big target – and drivers are helpless

Visa has issued a new security alert warning that scammers are targeting gas stations throughout North America in order to steal payment card information. Though gas station pumps have historically been a popular target for scammers seeking credit card information, this latest attack is different and there’s little customers can do to protect themselves: the attackers are installing malware on the point-of-sale systems used by these gas stations.

The majority of financial attacks that take place at gas stations involve ‘skimmer’ devices installed directly on the fuel pumps. These skimmers are designed to harvest bank card information when it is entered into the skimmer, which itself is disguised as part of the payment machine. These same skimmers are also often used on ATMs.

According to Visa, this latest threat is far more sophisticated and difficult to detect; it involves malware installed on the gas station’s network rather than skimming devices on the gas pump. Customers have no way of knowing whether they’re about to use their payment card at a gas station that uses a compromised network, leaving them vulnerable to scammers.

Visa explains that its Payment Fraud Disruption (PFD) team identified three attacks targeting gas station POS systems this past summer. In two of the three cases, the company believes a ‘sophisticated cybercrime group’ called FIN8 may be responsible.

One of the three cyberattacks involved using a phishing email to trick a gas station employee into downloading a Remote Access Trojan on the company’s network. This trojan gave the attackers access to the network, which contained security issues that enabled the hackers to access to the POS environment. Payment card information was pulled from the system’s RAM.

Visa only describes the targets as North American fuel dispenser merchants; no specific companies were named as part of the security alert. The company did say that some of these attacks are facilitated by failure to use more secure payment methods like the chip featured on the latest bank cards. In some cases, information could only be acquired if the payment was processed using the mag strip on the card.

Though consumers don’t have many options for protecting themselves in this case, they can reduce their risk by paying with cash if their nearest gas station doesn’t accept the chip and instead requires customers to swipe their cards.


Must Read Bits & Bytes