
These guys are criminals. Someone should be going after them. But the secret service?

This should be handled by the CC industry. US pumps should have chips like they do in most every other developed nation. It's an arms race, but prevention is easier than investigation.

And do not blame "the attendants". I worked as a light mechanic at one of the last truly full service stations. The pump/retail guys are paid minimum wage on flexible shifts to do a job that is actually rather dangerous. Only one of possibly a hundred attendants may know anything about the skimmer install. The guys who own/run the stations should also not be above suspicion. My bosses were some rather shady characters.



One of the two focuses of the secret service is financial crimes:

"Financial Crimes, covering missions such as prevention and investigation of counterfeit U.S. currency, U.S. treasury securities, and investigation of major fraud."

https://en.m.wikipedia.org/wiki/United_States_Secret_Service


I am well aware of their various duties. That doesn't detract from my point that enforcement by such an agency is a remarkably inefficient means of addressing the problem.


Why? You haven't said anything about the organization that would let us judge if they're effective or not. Prima facie this is within their purview.


The Secret Service is a federal agency. They are arguably a step up the ladder from the FBI. Their people do not come cheap. In this case they are being deployed against scammers who are filling homemade tankers with gas ... not big fish. (fyi, the Secret Service really really doesn't like the SS acronym. I made that mistake in a memo once. They are the one US agency without cool initials.)

It is almost always better/cheaper to prevent a crime from happening by removing the opportunity. Without bringing in spreadsheets and US federal budget reports, having the CC industry deploy a technological solution is cheaper than investigating, trying, arresting and housing these criminals. Gas pumps are expensive units, require regular service, and each move thousands of dollars worth of gas every day. A few bucks for the chip reader is no great burden.


Thanks! There's not a lot of info on the Secret Service's financial side (at least I didn't see much in Wikipedia) so it's hard to assess what's a normal use of their resources.


Regarding the initials, isn't USSS somewhat standard? It avoids the unfortunate associations that come with SS.


I don't know if I would really "blame" the attendants, but underpaid and low-morale people in positions of security are a risk anyways, being an armed guard, a gas pump attendant, a cashier or a money conveyer. I still don't really know how the people in power think about that, because they are the people perpetuating that.


> I still don't really know how the people in power think about that, because they are the people perpetuating that.

It's a risk-cost tradeoff. Many people desperate enough to work in these areas are happy they actually got even a shit job and don't intentionally defraud their employer (and losses due to customer theft are priced in, anyways). The bet is on those who are crazy/desperate enough to actually exploit the weaknesses in the system to commit bigger fraud - and how much damage is to be expected.

Now, take the expected damage and contrast it with paying your employees more, and I bet that it's cheaper risking one or two 10K thefts a year than paying all employees more which can be, even if you're only running a 10-employee shop and raise salaries by 2-3K/yr, the cheaper option.


Except that the station owners don't even see this as theft. The gas is sold. They get the money. That, or insurance pays for this crime perpetrated upon them. It is the CC issuer who most often takes the real hit.


> It is the CC issuer who most often takes the real hit.

Well, in the end customers are paying with the (exorbitantly high) CC fees. It's all priced in.


Are you referring to the penalties or the annual membership fees? Nobody I know ever pays the annual fee; it's rarely worth it, unless they have a very good rewards system.

Although, I'm not sure what's worse, the penalties or the interest if you don't fully pay your balance every month.


The credit card networks charge merchant fees to process transactions. Those fees account for the cost of indemnifying cardholders against fraudulent transactions. The fees are passed along to customers in the form of higher prices, or come out of the merchants’ profits (or some of each). It’s all priced in.


One of the main duties of the secret service is investigating the counterfeiting of U.S. currency and access device fraud (including credit and debit fraud).

http://www.secretservice.gov/investigation/


> US pumps should have chips like they do in most every other developed nation.

I'm confused: Are you talking about chips in the pumps - or the cards? The article seems to show a deep integration into the pumps to steal not only the magstripe data, but also the PIN. So I guess they already target chip & pin systems?

Plus, depending on the architecture of these systems you can 'degrade' a transaction from 'needs pin' to 'pin not required' (we had a couple of related downgrade articles here on HN and the 32C3 had - specific to Germany, but acc. to the authors probably somewhat applicable elsewhere - a talk about direct attacks against payment terminals to do the same thing).


Credit card companies DO have chips in their cards, but thousands of merchants around the country don't yet support them. Credit card companies are doing their best to pressure merchants to upgrade their systems, but they can't just suddenly cut off those thousands of merchants.

If they did, the headlines would suddenly be "Credit card companies forcing mom and pop shops to spend thousands on new equipment"


From the article:

---- On Oct. 1, 2015, Visa and MasterCard put in force new rules that can penalize merchants who do not yet have chip-enabled terminals. Under the new rules, merchants that don’t have the technology to accept chip cards will assume full liability for the cost of fraud from purchases in which the customer presented a chip-enabled card.

But those rules don’t apply to fuel stations in the United States until October 2017, and a great many stations won’t meet that deadline, said Verifone’s Turner. ----

According to "Yearbook 2005: British Retail Consortium" [1], by the time of the liability shift (1 January 2005) "retailers accounting for 75% of transactions" had a chip+PIN terminal, with the remainder "well on the way". It goes on to explain that small businesses including petrol stations were consulted as the change was planned; there was no relaxed deadline for them. (If my memory is correct, petrol station pumps were among the first to switch, as they had the highest level of fraud — relatively high-value transactions with no supervision.)

[1] https://books.google.dk/books?id=csUYwwVZ2AUC&pg=PT207&dq=ch...


Gas/Petrol stations were, along with restaurants, also the rare places where the CC was physically separated from the customer. By mandating chips+pin, customers no longer handed their cards over to people who might scan/copy them while out of sight.


Canada somehow did it. So did the UK and much of Europe. The US is not a special case.


You just have to transfer full legal liability onto the CC company in the event of fraud. They would build and deploy a sane crypto scheme by COB tomorrow, wherein my plaintext CC number would not be revealed during every transaction.


It's a 6 week turnaround time for Visa and Mastercard. But yeah, they can do it and have done it. Having non-standard procedures is a pain on the IT implementation side, and the US is non-standard.



