Gas stations will become liable for card-skimming at their pay-at-the-pump mechanisms starting in October.
Gas stations are gearing up for a major change in credit-card fraud liability in October, when they will find themselves on the hook for card-skimming attacks at the pump. In the meantime though, cybercriminals will be targeting pay-at-the-pump point-of-sale mechanisms with a vengeance, researchers say.
Fuel pumps represent a last bastion of non-encrypted transactions. Unlike when customers pay inside, the pump mechanism doesn’t require a chip-and-PIN or chip-and-signature scheme, which have built-in encryption and can thwart most amateur card-skimming efforts. Instead, swiping one’s card and using the magnetic strip is the norm.
Adding insult to injury, most of these transactions also don’t conform to the Payment Card Industry Data Security Standard (PCI DSS) regulation, according to Venafi’s Katrina Dobieski, writing in a Thursday posting. The PCI DSS requires that data exchanged in all old-school magnetic strip transactions should be encrypted in transit; and the data shouldn’t be stored either, but if it is, the numbers should be encrypted. Gas pumps typically violate both tenets, she noted.
“This double-unsafe method of the magnetic strip info not being encrypted, then sent to a back-end computer (where it should not be stored at all), then stored (unencrypted) is unsafe at best, egregious at worst,” Dobieski wrote. She added, “It seems an unnecessary game of Russian roulette to keep swiping unencrypted cards at unencrypted pumps, where our sensitive card numbers will be stored in unencrypted gas station back-room databases.”
Payment methods that use chip-and-PIN (a.k.a. EMV) are more secure as they use single-use encrypted digital signatures and can also require customers to input an additional level of authorization. In Oct. 2015, a major shift in policy by card issuers meant that liability for card fraud falls upon the party that doesn’t enforce chip-based transactions. This usually means the merchants, who have largely replaced the old default of the banks themselves being responsible for reimbursing consumers for fraudulent transactions.
However, gas stations were exempted from that change for their pumps, with an extension to 2017 and then a further extension to 2020 to come into compliance. That’s because installing new pumps is a costly endeavor that is likely prohibitively expensive for many, Dobieski pointed out. According to compliance organization Conexxus, upgrade costs start at $25,000 and easily run north of $150,000 per gas station. But there are other costs too.
“The problems fuel retailers have is that gas pumps may require a complete rip and replace of hardware, which could require environmental reviews and approvals,” Travis Smith, principal security researcher at Tripwire, told Threatpost. “These approvals can take quite a bit of time to acquire, which was one of the reasons that the deadline was pushed back from 2017 to 2020.”
Thomas Hatch, CTO and co-founder at SaltStack, told Threatpost that deadline or no deadline, all of this means that only motivator for change will be companies’ bottom lines. For large chains and mom-and-pop gas stations alike, seeing a threat from the liability change and an economic value in enhanced security are prerequisites for investing in upgrades.
“An industry is not motivated to change unless it makes them money,” he said. “That’s why they have not made these changes, it is simple economics. This is why we have regulations. Card skimmers are an emerging threat, and they need to be managed. However, without a threat, and often without regulation, companies will not make the investment. This is a critical component to economics, security is enforced in line with consumer perception, if consumers perceive a threat, real or imagined, then companies and politics respond.”
Dobieski however believes that with the shift in liability for attacks on card data looming, gas stations will indeed spend the next 10 months either finally upgrading their fuel pumps to chip-and-PIN, or, finding a workaround, such as implementing tokenization or point-to-point encryption.
On the latter front, one solution “is to just update the software backend so that it encrypts the cache of magnetic strip data, prior to being sent to the banks,” Dobieski explained.
Smith added that there are also more mundane ways to thwart scammers.
“I suspect for many of the smaller local retailers, having other compensating controls in place to mitigate the risk of fraud at their pumps will be more cost-effective in the near-term over upgrading to chip-and-PIN equipment,” he told Threatpost. “Installing cameras, reducing the total charge amount, or requiring customers to pay inside the gas station are all options which can reduce the likelihood of a fraudster taking advantage of their shop. Like other information security practices, part of the game for defenders is making your infrastructure seem less juicier than everyone else’s. If I’m a credit card fraudster, I will skip the gas station with cameras in favor the station down the street with no security.”
In the meantime, cybercrooks are going to fill up their tanks with card data, targeting non-compliant machines with gusto, researchers say.
“The magnetic stripe of a payment card stores valuable financial information that, when intercepted, can result in the theft of consumer information like card numbers, cardholder names, expiry dates, and verification codes,” Alex Guirakhoo, strategy and research analyst at Digital Shadows, told Threatpost. “These are attractive targets for cybercriminals, who can use the data to create fraudulent cloned cards; Track 1 and Track 2 data is commonly sold for relatively little amounts of money on cybercriminal forums and marketplaces.”
The threat isn’t just hypothetical. In December for instance, North American gas stations were targeted by coordinated cyberattacks according to Visa, in an effort to scrape payment-card data. The culprit was the notorious FIN8 cybercrime gang.
“The targeting of fuel dispenser merchants by hackers comes as no surprise,” said Paul Hampton, payment security expert with Thales, in an emailed statement. “Cybercriminals are masterminds at exploiting vulnerabilities and finding unencrypted data. Merchants accepting credit-card payments are obligated to protect the confidentiality and integrity of transactions, but unfortunately best practices aren’t being followed, leaving sensitive data vulnerable.”