JUL 27, 2010 4:32pm ET

Security Watch

Fill It Up

Fraudsters are stealing card data by tampering with fuel pumps in the Denver area — and calling drivers to direct them to the compromised pumps.

In all, thieves targeted 30 gas stations along major highways near the city, Brian Krebs reported July 20 on his "Krebs on Security" website.

The scam was discovered by a regional bank in Colorado that was reissuing an unusually high number of its cards to customers who had all paid for gas in the same area, Krebs wrote. He said the bank asked not to be identified in the story. The Secret Service is investigating the incidents.

The bank said some of its customers reported receiving phone calls directing them to the tampered pumps (the ones that are hardest for gas station clerks to monitor because of their positioning) with incentives such as gift cards. Those calls came from a number in Florida, where a similar skimming plot has also been reported.

The fraudsters used skimming devices to steal card data as it was swiped at the pump. The devices are typically placed on the outside of automated teller machines or gas pumps and are built to blend in with the machine's design. However, the ones used in the Denver area were hidden inside the pumps, making them invisible to motorists, Krebs wrote.

Some skimming devices inside pumps can also transmit data wirelessly to thieves, making it unnecessary for them to risk detection by retrieving the devices, Krebs wrote. He said his bank source was uncertain whether the skimming devices used in the Denver incidents had this capability.

Because the devices are not visible, the best way for consumers to detect them is by monitoring their statements for any signs of fraud after the fact, Krebs wrote.

A Secret Service agent would not comment for Krebs' story except to say that the agency has distributed a bulletin on skimming devices to Denver-area gas stations.

WiFi Weakness

The WPA2 wireless security format that meets the payment card industry's security requirements may be hopelessly broken, the news site StorefrontBacktalk reported July 21.

WPA2 is considered more secure than earlier wireless formats, and meets the requirements of the Payment Card Industry Data Security Standard, which describes how retailers that handle card data must secure their systems, the article said. However, a flaw discovered by researchers at AirTight Networks may make that security ineffective against "a malicious insider."

An authorized user of the protected wireless network would be able to send "spoofed packets" to another user to redirect any data that user sends to the attacker. This method is "difficult to detect and almost impossible to defend against," the article said, and the researchers who uncovered the flaw said they do not know how to fix it.

StorefrontBacktalk suggests layering other security measures, which would be easy for devices such as laptop computers to handle, but a challenge for simpler devices such as card readers.

Unsafe Surfing

Users of Apple Inc.'s Safari browser may be handing over their personal information invisibly to websites they visit.

The security flaw is tied to the browser's AutoFill feature, which populates online forms with the user's name, address and other information a user may commonly provide to websites. This feature typically works by allowing the user to see what information is being filled in before a form is sent to the website's owner, but the security exploit does away with this step, the tech news blog The Unofficial Apple Weblog reported July 22.
