Don't look at it that way. It's an interesting insight into the economics of credit card numbers. I mean, you've probably been hit with one of these at least once. Maybe many times.

Li'l story: I stayed at a really shitty hotel in Flagstaff once. And, on my way out of town, my bank called me to verify whether or not I was actually in Flagstaff as I was gassing up. I said "why yes I am, thanks very much" and got on the bike. It wasn't until I was balancing my Quicken a month later that I discovered some choad had bought a thousand dollars worth of shit in Tokyo, Japan over the four days following that phone call.

Important take-aways:

1) Once I'd verified my presence in Flagstaff, my bank's credit protection agency had zero fucks to give about what happened next. They washed their hands of the matter.
2) The gas station has no fiduciary responsibility for those thousand dollars worth of chargebacks in Japan.
3) The establishments up and down the island of Hokkaido have no legal recourse against some random-ass gas station in Flagstaff, Arizona.
4) In order for me to not be responsible for that money (which is possible because of Visa), I had to file a police report... in Culver City, CA, with detectives that were not only utterly powerless to do anything, but utterly, drearily acclimated to the tedious mundanity of this quixotic task.
5) Icing on the cake? My bank is in Anchorage.

The victims here are the Japanese businesses that got taken to the tune of thousands of dollars but have to eat it because their arrangement with Visa is "you get to eat thousands of dollars because we say so."

And, I mean, SparkFun cobbled together an app that scans for these things. If Visa (or Chevron, or Exxon, or Amex, or Experian, or...) gave the first fuck, they could deploy six-month-battery sniffers to every gas station in America that sits there and looks for bluetooth, NFC or cellular transmitters that don't move for more than an hour.
You could log this shit with off-the-shelf hardware. This ain't American-Embassy-in-Moscow level shit: I would not be surprised at all to discover that you buy these skimmers the same place you sell the numbers. Purchase a handful, sneak them onto pumps you can get to, harvest the numbers and sell them in bulk. If you can sell credit card numbers for $5 each off a device you bought for $10, you need three of them before you're in the black.

On the units we were given we found on average 24 records per device. This seems low. I’m not sure where these devices were located but one would expect at least 24 credit card users per day. This may indicate the perpetrator was regularly visiting the pumps and harvesting the records on a daily basis.

This is ID theft as Farmville. And it is made possible by our modern credit ecosystem.

Years ago it took someone with knowledge and skills to build a credit card skimmer. Now criminals are buying these off the shelf with very little knowledge and slapping them together. It’s basic user design theory: when your customer is not so smart make it idiot proof so they don’t contact you for support. The designers of this skimmer were smart, it’s better to make these devices easy to connect to than to add a layer of security. What’s the worst that could happen? The device is detected and removed from the pump. Meanwhile, 10 more have been deployed for a total cost of $100.
Note that this record is 113 characters. Let’s say a record is 256 bytes. With 16Mbit of flash storage that’s 2MB or approximately 7,800 credit card records that could be stored on a device. Yikes.