First known US example of a gas-pump skimmer that uses SMS to exfiltrate data

This credit-card skimmer was removed from a New York gas pump; it uses components scavenged from a cellular phone and a T-Mobile SIM to send the credit card details it harvests to its owners, who can retrieve them from anywhere in the world.


The skimmer was probably installed by a gang that sent a confederate into the station's office to distract the clerk while a large van was pulled up in front of the pump, blocking the view. It was wired into the pump's own power supply so that it could run indefinitely without a battery change (or for as long as someone kept paying for top-ups on the T-Mobile account).

It's the first known example of a skimmer that used SMS messages to exfiltrate its stolen data. More usually, skimmers store their data, and then dump it over Bluetooth when a crook returns to the scene of the crime — using SMS obviates this step and significantly reduces the criminal's risk.


Investigators say skimming gangs typically gain access to station pumps by using a handful of master keys that still open a great many pumps in use today. In a common scenario, one person will distract the station attendant as fuel thieves pull up alongside the pump in a van with doors that obscure the machine on both sides. For an in-depth look at the work of one fuel-theft gang working out of San Diego, check out this piece.


There are generally no outward signs when a pump has been compromised by a skimmer, but a study KrebsOnSecurity published last year about a surge in pump skimming activity in Arizona suggests that skimmer gangs can spot the signs of a good mark.


Fraud patterns show fuel theft gangs tend to target stations that are close to major highway arteries; those with older pumps; and those without security cameras, and/or a regular schedule for inspecting security tape placed on the pumps.


Many filling stations are upgrading their pumps to include more physical security — such as custom locks and security cameras. In addition, newer pumps can accommodate more secure chip-based payment cards that are already in use by all other G20 nations.


Gas Pump Skimmer Sends Card Data Via Text [Brian Krebs/Krebs on Security]