http://securityratty.com/tag/pumps Thu, 27 Dec 2007 10:58:30 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss http://securityratty.com/article/969df5ce69bf4b4dae8480b66d2150a0 http://securityratty.com/article/969df5ce69bf4b4dae8480b66d2150a0 Security Breach

Date Reported:
12/12/07

Organization:
ARCO

Contractor/Consultant/Branch:
Station located at 4378 N. Santa Anita Avenue, El Monte, California*

*There are 135 ARCO gas stations within a 10 mile radius

Victims:
ARCO Customers

Number Affected:
As many as 100

Types of Data:
Debit card magnetic stripe data and PINs (Personal Identification Numbers).

Breach Description:
It appears as though a group of thieves has installed an unknown electronic data capture device on one or more gas pumps at one or more ARCO gas stations for the purpose of stealing customers' money.  Monetary losses have already surpassed $30,000, with unauthorized withdrawls taking place all across the U.S.

Reference URL:
KNBC-TV News Story
KCAL 9 News Story
Whittier Daily News Story

Report Credit:
KNBC-TV

Response:
From the online sources cited above:

Law enforcement authorities are searching for whoever skimmed debit card information from at least 45 customers at an Arco station in El Monte

The suspects made off with thousands of dollars from unsuspecting customers. A computerized device apparently was used to lift key information, including debit card identification numbers, concealed in the card's magnetic strip
[Evan] It never ceases to amaze me how clever thieves are.  I would love to see the device that was used, how they installed it, how they concealed it, and how they stored the information that they captured.  This isn't just some "run-of-the-mill" street thug.

Fraudulent withdrawals, ranging from $400 to $1,500 per customer, were made in Las Vegas, Palms Springs and New York, police said. Investigator Victor Hernandez told the San Gabriel Valley Tribune there could be as many as 100 victims.

The reported monetary losses had also jumped from $10,000 to $30,000 - and Glick said that number could reach $100,000 once all of the cases are investigated.

No illegal devices have been found at the gas station, but authorities say the fact that all the victims have used their cards there is more than a "coincidence."

investigators believe an advanced computer device was used to capture information from cards' electronic strips and personal identification numbers (PIN).

a group of people are likely behind this debit-card scam because withdrawals are being made simultaneously in locations hundreds, sometimes thousands, of miles away from one another.
[Evan] Maybe.  I wouldn't base this assumption solely on where the information was used, per se.  There is a thriving market in fresh stolen credit/debit card data.  The compromised information could have been stolen months ago, then recently sold on one of many "carders" forums.

"There seems to be more ARCO gas stations than other gas stations targeted," Glick said. "It's possible a specific group or groups are working these pumps."
[Evan] Incidents like this breach could/should force gas stations and other unattended payment merchants to rethink how they secure their terminals.  The convenience is great, but security of the information is more important.

ARCO officials said the company only accepts debit cards because banks impose higher fees for credit transactions.

"ARCO considers the safety and security of every customer a top priority," said Todd Spitler, a spokesman for the company. "But there are other businesses throughout California, not only us, that only accept debit cards."

The company often updates its technology to thwart criminal activity, and any time their pumps are compromised, ARCO officials work with law enforcement agencies, Spitler said. But identity theft is a global issue, he said.
[Evan] This isn't identity theft, this is credit card fraud.

Victim Response:
From El Monte resident Douglas Trujillo, a victim of $1,100:
"I do online banking and I looked at my account and I noticed my checking account at zero dollars," he said. "That set alarms off for me."

"I'm actually going to change my whole process," Trujillo said. "Now that I've seen how easy (thieves) can do this, I'm just going to stick to using cash and secure ATMs."

Commentary:
This is a very unfortunate, but at the same time interesting breach.  I would love to know more about how the ARCO gas pumps are secured and how they transmit data.  I would also love to know more about how the data was actually compromised.  I have to admit, this breach makes me think more about paying at the pump.  I expect to read about similar breaches in the future.  Sad but true.

Past Breaches:
Unknown


]]> Thu, 27 Dec 2007 10:58:30 +0000 arco gas pumps pumps gas pumps arco gas stations arco gas stations card debit card identification creditdebit card data ARCO gas pumps targeted by fraudsters