thank you for giving me equal parts terror and fascination for breakfast this morning...
Don't look at it that way. It's an interesting insight into the economics of credit card numbers. I mean, you've probably been hit with one of these at least once. Maybe many times. Li'l story: I stayed at a really shitty hotel in Flagstaff once. And, on my way out of town, my bank called me to verify whether or not I was actually in Flagstaff as I was gassing up. I said "why yes I am, thanks very much" and got on the bike. It wasn't until I was balancing my Quicken a month later that I discovered some choad had bought a thousand dollars worth of shit in Tokyo, Japan over the four days following that phone call. Important take-aways: 1) Once I'd verified my presence in Flagstaff, my bank's credit protection agency had zero fucks to give about what happened next. They washed their hands of the matter. 2) The gas station has no fiduciary responsibility for those thousand dollars worth of chargebacks in Japan. 3) The establishments up and down the island of Hokkaido have no legal recourse against some random-ass gas station in Flagstaff, Arizona. 4) In order for me to not be responsible for that money (which is possible because of Visa), I had to file a police report... in Culver City, CA, with detectives that were not only utterly powerless to do anything, but utterly, drearily acclimated to the tedious mundanity of this quixotic task. 5) Icing on the cake? My bank is in Anchorage. The victims here are the Japanese businesses that got taken to the tune of thousands of dollars but have to eat it because their arrangement with Visa is "you get to eat thousands of dollars because we say so." And, I mean, SparkFun cobbled together an app that scans for these things. If Visa (or Chevron, or Exxon, or Amex, or Experian, or...) gave the first fuck, they could deploy six-month-battery sniffers to every gas station in America that sits there and looks for bluetooth, NFC or cellular transmitters that don't move for more than an hour. You could log this shit with off-the-shelf hardware. This ain't American-Embassy-in-Moscow level shit: I would not be surprised at all to discover that you buy these skimmers the same place you sell the numbers. Purchase a handful, sneak them onto pumps you can get to, harvest the numbers and sell them in bulk. If you can sell credit card numbers for $5 each off a device you bought for $10, you need three of them before you're in the black. On the units we were given we found on average 24 records per device. This seems low. I’m not sure where these devices were located but one would expect at least 24 credit card users per day. This may indicate the perpetrator was regularly visiting the pumps and harvesting the records on a daily basis. This is ID theft as Farmville. And it is made possible by our modern credit ecosystem.Years ago it took someone with knowledge and skills to build a credit card skimmer. Now criminals are buying these off the shelf with very little knowledge and slapping them together. It’s basic user design theory: when your customer is not so smart make it idiot proof so they don’t contact you for support. The designers of this skimmer were smart, it’s better to make these devices easy to connect to than to add a layer of security. What’s the worst that could happen? The device is detected and removed from the pump. Meanwhile, 10 more have been deployed for a total cost of $100.
Note that this record is 113 characters. Let’s say a record is 256 bytes. With 16Mbit of flash storage that’s 2MB or approximately 7,800 credit card records that could be stored on a device. Yikes.
My Mom once got a call at 4 am from Amex asking her if it was possible that my sister's "kiddy card" was being used in Hong Kong for a cash advance of $400. She OKed it. It was her making that transaction.... at knifepoint. And she did the same with her Visa and MC. Then went to a 4th bank and bought gold with the cash. She filed a police report so she got her money back eventually. The police asked for a description and she said he was short, light brown skinned with black hair. That didn't help. Neither did saying he looked like an Asian Gomer Pyle. lol I can't remember the last time I went to a gas station that is not 24 hours so, assuming it is not an inside job, I wonder how the scammers have time to install the skimmers without being seen. And you are very right, even a simple scan once a day by any employee with a smartphone could eliminate the issue at zero cost to the gas company.
You are gravely and fundamentally underestimating the inattention and apathy of the average gas station employee, as well as the contempt a gas station owner has for his attendants. If I put on a suit, walked up to a pump with a master key, fucked around inside it and then reaffixed a seal I can guarantee you I'd get away with it 95% of the time, assuming the employee even knew I was there.I can't remember the last time I went to a gas station that is not 24 hours so, assuming it is not an inside job, I wonder how the scammers have time to install the skimmers without being seen.
You might be right but in Canada I am not aware of any mandatory pay in advance stations so perhaps attendants keep track of who is at what pump a bit more. A very quick google search leads me to believe that "gas and dash" fatalities (attendants being run down chasing a gas thief) are predominantly a Canadian phenomenon. I can't imagine why any attendant would put their life on the line for a tank of gas. Or why someone would run down an attendant and then go on the lam of 3 years for $112 worth of gas.
Hey, man. You know tech. You know entrepreneurs. I say put together a business plan for a monitoring service that third parties with gas stations to provide customer-facing monitoring. Build the hardware, bond it with the credit card companies and roll that shit out.