Fill It Up

Fraudsters are stealing card data by tampering with fuel pumps in the Denver area — and calling drivers to direct them to the compromised pumps.

In all, thieves targeted 30 gas stations along major highways near the city, Brian Krebs reported July 20 on his "Krebs on Security" website.

The scam was discovered by a regional bank in Colorado that was reissuing an unusually high number of its cards to customers who had all paid for gas in the same area, Krebs wrote. He said the bank asked not to be identified in the story. The Secret Service is investigating the incidents.

The bank said some of its customers reported receiving phone calls directing them to the tampered pumps (the ones that are hardest for gas station clerks to monitor because of their positioning) with incentives such as gift cards. Those calls came from a number in Florida, where a similar skimming plot has also been reported.

The fraudsters used skimming devices to capture card data as cards were swiped at the pump. Such skimmers are typically attached to the outside of automated teller machines or gas pumps and designed to blend in with the machine's housing. The ones used in the Denver area, however, were hidden inside the pumps, making them invisible to motorists, Krebs wrote.

Some skimming devices inside pumps can also transmit data wirelessly to thieves, making it unnecessary for them to risk detection by retrieving the devices, Krebs wrote. He said his bank source was uncertain whether the skimming devices used in the Denver incidents had this capability.

Because the devices are not visible, the best way for consumers to detect them is by monitoring their statements for any signs of fraud after the fact, Krebs wrote.

A Secret Service agent would not comment for Krebs' story except to say that the agency has distributed a bulletin on skimming devices to Denver-area gas stations.

WiFi Weakness

The WPA2 wireless security protocol, which meets the payment card industry's security requirements, may be hopelessly broken, the news site StorefrontBacktalk reported July 21.

WPA2 is considered more secure than earlier wireless security protocols and satisfies the Payment Card Industry Data Security Standard, which describes how retailers that handle card data must secure their systems, the article said. However, a flaw discovered by researchers at AirTight Networks may render that protection ineffective against "a malicious insider."

An authorized user of the protected wireless network would be able to send "spoofed packets" to another user to redirect any data that user sends to the attacker. This method is "difficult to detect and almost impossible to defend against," the article said, and the researchers who uncovered the flaw said they do not know how to fix it.

StorefrontBacktalk suggests layering other security measures on top of WPA2, which would be easy for devices such as laptop computers but a challenge for simpler devices such as card readers.

Unsafe Surfing

Users of Apple Inc.'s Safari browser may be handing over their personal information invisibly to websites they visit.

The flaw is tied to the browser's AutoFill feature, which populates online forms with the user's name, address and other information commonly provided to websites. Normally the user sees what information is being filled in before the form is submitted to the site, but the exploit does away with that step, the tech news blog The Unofficial Apple Weblog reported July 22.

"The exploit does not require the user to even see the forms, it can all happen automatically without you having any idea that you just gave the site your name, company, city, state, country, e-mail and any other form data you may have," TUAW wrote.

The flaw was disclosed by Jeremiah Grossman, the founder of WhiteHat Security, last week, and applies to versions of Safari that run on Apple's Mac and Microsoft Corp.'s Windows systems.
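As an added example, not code from the original column or from Grossman's disclosure, the script below implements the check a web-security reviewer would run for the pattern this leak depends on: form fields named for personal data that are present on the page but invisible to the visitor. The list of field names, the visibility heuristic and the sample fields are this example's own assumptions and constructions; the check flags the pattern but cannot tell whether a given browser would actually fill those fields.

```javascript
// Added example: flag personal-data form fields a visitor cannot see.
// The field-name list and visibility thresholds are assumptions, not a
// specification of how any browser's AutoFill actually matches fields.

// Field names commonly mapped to address-book style data (assumed list).
const PERSONAL_FIELD_PATTERN =
  /^(name|first.?name|last.?name|full.?name|company|organi[sz]ation|address|street|city|state|province|zip|postal.?code|country|e-?mail|phone|tel)$/i;

// A field counts as hidden from the user if any of these hold (assumed heuristic).
function isVisuallyHidden(field) {
  if (field.type === 'hidden') return true;
  if (field.display === 'none' || field.visibility === 'hidden') return true;
  if (field.opacity === 0) return true;
  if (field.width === 0 || field.height === 0) return true;
  // Positioned entirely off-screen, e.g. left: -9999px.
  if (field.left !== undefined && field.left + (field.width || 0) < 0) return true;
  if (field.top !== undefined && field.top + (field.height || 0) < 0) return true;
  return false;
}

// Returns the names of fields that look like personal-data targets, have not
// opted out of autocompletion, and are invisible to the visitor.
// Input: an array of plain field descriptors (see describeInput for the shape).
function findHiddenAutofillTargets(fields) {
  return fields
    .filter((f) => PERSONAL_FIELD_PATTERN.test(f.autocomplete || f.name || ''))
    .filter((f) => f.autocomplete !== 'off')
    .filter(isVisuallyHidden)
    .map((f) => f.name);
}

// In a browser, build a descriptor from a live element. Not called at load
// time so the file also runs under Node.js for offline testing.
function describeInput(el) {
  const cs = window.getComputedStyle(el);
  const r = el.getBoundingClientRect();
  return {
    name: el.name,
    type: el.type,
    autocomplete: el.getAttribute('autocomplete') || '',
    display: cs.display,
    visibility: cs.visibility,
    opacity: parseFloat(cs.opacity),
    left: r.left, top: r.top, width: r.width, height: r.height,
  };
}

// Audit every input and textarea in a document (browser use only).
function auditDocument(doc) {
  const fields = Array.from(doc.querySelectorAll('input, textarea')).map(describeInput);
  return findHiddenAutofillTargets(fields);
}

// Constructed sample: the visitor sees a search box and a city field, while
// a name field sits off-screen and an email field has display: none. The
// hidden 'csrf' token is not personal data and should not be flagged.
const SAMPLE_FIELDS = [
  { name: 'q',     type: 'text',   display: 'block', visibility: 'visible', opacity: 1, left: 20,    top: 40, width: 200, height: 24 },
  { name: 'name',  type: 'text',   display: 'block', visibility: 'visible', opacity: 1, left: -9999, top: 0,  width: 150, height: 24 },
  { name: 'email', type: 'text',   display: 'none',  visibility: 'visible', opacity: 1, left: 0,     top: 0,  width: 0,   height: 0 },
  { name: 'city',  type: 'text',   display: 'block', visibility: 'visible', opacity: 1, left: 20,    top: 80, width: 150, height: 24 },
  { name: 'csrf',  type: 'hidden', display: 'block', visibility: 'visible', opacity: 1, left: 0,     top: 0,  width: 0,   height: 0 },
];

// Usage: run in a page as auditDocument(document), or offline on descriptors.
console.log(findHiddenAutofillTargets(SAMPLE_FIELDS)); // ['name', 'email']
```

In a real audit the descriptor step matters as much as the heuristic: a field can be in the DOM, enabled and named "email" yet never be visible because of computed styles or off-screen positioning, which is exactly the condition the original exploit needed and the one a casual view of the page will not reveal.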

The Safari browser was also found in a report by the security firm Secunia to have the second-highest number of security vulnerabilities among browsers, behind only the Mozilla Foundation's Firefox. Among software vendors, Apple ranked first in the number of vulnerabilities, ahead of Oracle Corp. and Microsoft, the report said.

However, this finding may not be particularly worrisome for Apple customers, TUAW said. "It's worth noting that this report does not weigh the severity of these vulnerabilities, only the overall number of them," the article said.

Lost Records
A company hired by South Shore Hospital of Weymouth, Mass., to dispose of 800,000 patient records has made them disappear — but cannot confirm they were destroyed.

The hospital hired Archive Data Solutions of Phoenixville, Pa., to destroy the patient records, and Archive Data then outsourced that task to another vendor, the Quincy, Mass., Patriot Ledger reported July 27. Archive Data attempted to locate the missing records for more than a month before informing the hospital of the incident on June 17. The hospital disclosed the incident publicly on July 19. The name of the outside vendor that last had the patient records was not disclosed.

The newspaper said that although the hospital announced the incident roughly four weeks after it was informed, it may not have run afoul of a Massachusetts regulation that requires prompt disclosure of breaches. The regulation does not specify a time frame, and the four weeks may have been needed to determine the exact scope of the exposure, a lawyer told the Patriot Ledger.

Guilty Plea

An Australian man has pleaded guilty to crafting a computer virus that can steal bank account and credit card details.

Anthony Scott Harrison pleaded guilty Monday to charges including four counts of modifying computer data to cause harm or inconvenience, the Associated Press reported July 26. The virus Harrison wrote has infected 3,000 computers worldwide.

Harrison was charged last August. Sentencing proceedings will begin in September.

Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.
Please e-mail us any comments, ideas, and suggestions about this column.