Few schemes for monetizing stolen credit cards are as bold as the fuel theft scam: Crooks embed skimming devices inside fuel station pumps to steal credit card data from customers. Thieves then clone the cards and use them to steal hundreds of gallons of gas at multiple filling stations. The gas is pumped into hollowed-out trucks and vans, which ferry the fuel to a giant tanker truck. The criminals then sell and deliver the gas at cut rate prices to shady and complicit fuel station owners.

Agent Steve Scarince of the U.S. Secret Service heads up a task force in Los Angeles that since 2009 has been combating fuel theft and fuel pump skimming rings. Scarince said the crooks who plant the skimmers and steal the cards from fuel stations usually are separate criminal groups from those who use the cards to steal and resell gas.

“Generally the way it works is the skimmer will sell the cards to a fuel theft cell or ring,” he said. “The head of the ring or the number two guy will go purchase the credit cards and bring them back to the drivers. More often than not, the drivers don’t know a whole lot about the business. They just show up for work, the boss hands them 25 cards and says, ‘Make the most of it, and bring me back the cards that don’t work.’ And the leader of the ring will go back to the card skimmer and say, ‘Okay out of 100 of those you sold me, 50 of them didn’t work.'”

Scarince said the skimmer gangs will gain access to the inside of the fuel pumps either secretly or by bribing station attendants. Once inside the pumps, the thieves hook up their skimmer to the gas pump’s card reader and PIN pad. The devices also are connected to the pump’s electric power — so they don’t need batteries and can operate indefinitely.

Most internal, modern pump skimmers are built to record the card data on a storage device that can transmit the data wirelessly via Bluetooth technology. This way, thieves can drive up with a laptop and fill their tank in the time it takes to suck down the card data that’s been freshly stolen since their last visit.

The Secret Service task force in Los Angels has even found pump skimming devices that send the stolen card data via SMS/text message to the thieves, meaning the crooks don’t ever have to return to the scene of the crime and can receive the stolen cards and PINs anywhere in the world that has mobile phone service.

MOBILE BOMBS

Scarince said the fuel theft gangs use vans and trucks crudely modified and retrofitted with huge metal and/or plastic “bladders” capable of holding between 250 and 500 gallons of fuel.

“The fuel theft groups will drive a bladder truck from gas station to gas station, using counterfeit cards to fill up the bladder,” he said. “Then they’ll drive back to their compound and pump the fuel into a 4,000 or 5,000 [gallon] container truck.”

The fuel will be delivered to gas station owners with whom the fuel theft ring has previously brokered with on the price per gallon. And it’s always a cash transaction.

“The stations know they’re buying stolen gas,” Scarince said. “They’re fully aware the fuel is not coming from a legitimate source. There’s never any paperwork with the fuel driver, and these transactions are missing all the elements of a normal, legitimate transaction between what would be a refinery and a gas station.”

Needless to say, the bladder trucks aren’t exactly road-worthy when they’re filled to the brim with stolen and highly flammable fuel. From time to time, one of the dimmer bladder truck drivers will temporarily forget his cargo and light up a smoke.

“Two or three summers ago we had this one guy who I guess was just jonesing for a cigarette,” Scarince said. “He lit up and that was the last thing he did.”

Other bladder trucks have spontaneously burst into flames at filling stations while thieves pumped stolen gas.

“There have been other fires that took place during the transfer of fuel, where some static sparked and the whole place caught on fire,” Scarince said. “These vehicles are not road-worthy by any means. Some of the bladder tanks are poorly made, they leak. The trucks are often overweight and can’t handle the load. We see things like transmissions giving out, chassis going out. These things are real hazards just waiting to happen.”

How big are the fuel theft operations in and around Los Angeles? Scarince estimates that at any given time there are 20 to 30 of these deadly bladder trucks trundling down L.A. freeways and side streets.

“And that’s a very conservative guess, just based on what the credit card companies report,” he said.

Aaron Turner, vice president of identity service products at Verifone — a major manufacturer of credit card terminals — leads a team that has been studying many of the skimming devices that the Secret Service has retrieved from compromised filling stations. Turner says there is a huge potential for safety-related issues when it comes to skimmers in a gas-pump environment. 

“Every piece of equipment that is installed by gas station owners in the pump area is approved by reviewed and approved according to industry standards, but these skimmers…not so much,” Turner said. “One of the skimmers that we retrieved was sparking and arcing when we powered it up in our lab. I think it’s safe to say that skimmer manufacturers are not getting UL certifications for their gear.”

COUNTERING FUEL FRAUD

With some fuel theft gangs stealing more than $10 million per year, Scarince said financial institutions and credit card issuers have responded with a range of tactics to detect and stop suspicious fuel station transactions.

“A lot more card issuers and merchant processors are really pushing hard on velocity checks,” Scarince said, referring to a fraud detection technique that reviews transactions for repeating patterns within a brief period. “If you buy gas in Washington, D.C. and then 30 minutes gas later gas is being purchased on opposite side of the city in a short period of time. Those are things that are going to start triggering questions about the card. So, more checks like that are being tested and deployed, and banks are getting better at detecting this activity.”

Card issuers also can impose their own artificial spending limits on fuel purchases. Visa, for example, caps fuel purchases at $125.  But thieves often learn to work just under those limits.

“The more intelligent crooks will use only a few cards per station, which keeps them a lower profile,” Scarince said. “They’ll come in a swipe two to three cards and fill up 40-80 gallons and move on down the road to another station. They definitely also have what we determine to be routes. Monday they’ll drive one direction, and Tuesday they’ll go the other way, just to make sure they don’t hit the same stations one day after another.”

Newer credit and debit cards with embedded chip technology should make the cards more costly and difficult to counterfeit. However, the chip cards still have the card data encoded in plain text on the card’s magnetic strip, and most fuel stations won’t have chip-enabled readers for several years to come.

On Oct. 1, 2015, Visa and MasterCard put in force new rules that can penalize merchants who do not yet have chip-enabled terminals. Under the new rules, merchants that don’t have the technology to accept chip cards will assume full liability for the cost of fraud from purchases in which the customer presented a chip-enabled card.

But those rules don’t apply to fuel stations in the United States until October 2017, and a great many stations won’t meet that deadline, said Verifone’s Turner.

“The petroleum stations and the trade organizations that represent them have been fairly public in their statements that they don’t feel they’re going to hit the 2017 dates,” Turner said. “If you look at the cost of replacing these dispensers and the number of systems that have been touched by qualified, licensed technicians…most of the stations are saying that even if they start this process now they’re going to struggle to meet that October 2017 date.”

Turner said that as chip card readers take hold in more retail establishments, card thieves will begin targeting fuel stations more intensively and systematically.

“We’re moving into this really interesting point of time when I think the criminals are going to focus on the approaches that offer them the greatest return on their investment,” Turner said. “In the future, I think there will be a liability shift specifically for petroleum stations [because] the amount of mag-stripe-facilitated fraud that will happen in that market is going to increase significantly along with chip card deployment.”

Part of the reason Los Angeles is such a hotbed of skimming activity may be related to ethnic Armenian organized crime members that have invested heavily in fuel theft schemes. Last month, the Justice Department announced charges against eight such men accused of planting skimmers in pumps throughout Southern California and Nevada.

Scarince and Turner say there is a great deal of room for the geographic spread of fuel theft scams. Although the bulk of fuel theft activity in the United States is centered around Los Angeles, the organized nature of the crime is slowly spreading to other cities.

“We are seeing pump skimming now shoot across the country,” Scarince said. “Los Angeles is still definitely ground zero, but Florida is now getting hit hard, as are Houston and parts of the midwest. Technology we first saw a couple of years ago in LA we’re now seeing show up in other locations across the country. They’re starting to pick on markets that are probably less aware of what’s going on as far as skimming goes and don’t secure their pumps as well as most stations do here.”

WHAT CAN  YOU DO?

Avoid sketchy-looking stations and those that haven’t started using tamper-evident seals on their pumps.

“The fuel theft gangs certainly scout out the stations beforehand, looking for stations that haven’t upgraded their pump locks and haven’t started using tamper seals,” Scarince said. “If some franchised station decided not to spend the money to upgrade their systems with these security precautions, they’re going to be targeted.”

Scarince says he also tends to use pumps that are closest to the attendants.

“Those are less likely to have skimmers in or on them than street-side pumps,” he said.

Consumers should remember that they’re not liable for fraudulent charges on their credit or debit cards, but they still have to report the phony transactions. There is no substitute for keeping a close eye on your card statements. Also, use credit cards instead of debit cards at the pump; having your checking account emptied of cash while your bank sorts out the situation can be a huge hassle and create secondary problems (bounced checks, for instance).

LANDESK, a company that sells software to help organizations securely and remotely manage their fleets of desktop computers, servers and mobile devices, alerted employees last week that a data breach may have exposed their personal information. But LANDESK employees contacted by this author say the breach may go far deeper for the company and its customers.

The South Jordan, Utah-based LANDESK makes and markets software that helps organizations manage all users, platforms and devices from a single digital dashboard. The company’s software specializes in automating and integrating IT systems management, endpoint security management, service management, IT asset management, and mobile device management.

On Nov. 18, 2015, LANDESK sent a letter to current and former employees warning of an intrusion, stating that “it is possible that, through this compromise, hackers obtained personal information, including names and Social Security numbers, of some LANDESK employees and former Wavelink employees.”

LANDESK declined to answer questions for this story. But the company did share a written statement that mirrors much of the text in the letter sent to affected employees:

“We recently became aware of some unusual activity on our systems and immediately initiated safeguards as a precaution and began an investigation. As part of our ongoing investigation in partnership with a leading computer forensics firm, we recently learned that a small amount of personally identifiable information for a limited number of our employees may have been accessible during the breach. While no data compromises of personally identifiable information are confirmed at this point, we have reached out with information and security resources to individuals who may have been affected. The security of our networks is our top priority and we are acting accordingly.”

“The few employees who may have been affected were notified promptly, and at this point the impact appears to be quite small.”

According to a LANDESK employee who spoke on condition of anonymity, the breach was discovered quite recently, but system logs show the attackers first broke into LANDESK’s network 17 months ago, in June 2014.

The employee, we’ll call him “John,” said the company only noticed the intrusion when several co-workers started complaining of slow Internet speeds. A LANDESK software developer later found that someone in the IT department had been logging into his build server, so he asked them about it. The IT department said it knew nothing of the issue.

John said further investigation showed that the attackers were able to compromise the passwords of the global IT director in Utah and another domain administrator from China.

“LANDESK has found remnants of text files with lists of source code and build servers that the attackers compiled,” John said. “They know for a fact that the attackers have been slowly [archiving] data from the build and source code servers, uploading it to LANDESK’s web servers, and downloading it.”

The implications are potentially far reaching. This breach happened more than a year and a half ago, during which time several versions and fixes of LANDESK software have been released. LANDESK has thousands of customers in all areas of commerce. By compromising LANDESK and embedding a back door directly in their source code, the attackers could have access to large number of computers and servers worldwide.

The wholesale theft of LANDESK source code also could make it easier for malware and exploit developers to find security vulnerabilities in the company’s software.

A LANDESK spokesperson would neither confirm nor deny the date of the breach or the source code theft, saying only that the investigation into the breach is ongoing and that the company “won’t comment on speculation.”

Two months after KrebsOnSecurity first reported that multiple banks suspected a credit card breach at Hilton Hotel properties across the country, Hilton has acknowledged an intrusion involving malicious software found on some point-of-sale systems.

According to a statement released after markets closed on Tuesday, the breach persisted over a 17-week period from Nov. 18, 2014 to Dec. 5, 2014, or April 21 to July 27, 2015.

“Hilton Worldwide (NYSE: HLT) has identified and taken action to eradicate unauthorized malware that targeted payment card information in some point-of-sale systems,” the company said. “Hilton immediately launched an investigation and has further strengthened its systems.”

Hilton said the data stolen includes cardholder names, payment card numbers, security codes and expiration dates, but no addresses or personal identification numbers (PINs).

The company did not say how many Hilton locations or brands were impacted, or whether the breach was limited to compromised point-of-sale devices inside of franchised restaurants, coffee bars and gift shops within Hilton properties — as previously reported here.

The announcement from Hilton comes just five days after Starwood Hotel & Resorts Worldwide — including some 50 Sheraton and Westin locations — was hit by a similar breach that lasted nearly six months.

Starwood and Hilton join several other major hotel brands in announcing a malware-driven credit card data breach over the past year. In October 2015, The Trump Hotel Collection confirmed a report first published by KrebsOnSecurity in June about a possible card breach at the luxury hotel chain.

In March, upscale hotel chain Mandarin Oriental acknowledged a similar breach. The following month, hotel franchising firm White Lodging allowed that — for the second time in 12 months — card processing systems at several of its locations were breached by hackers.

Readers should remember that they are not liable for unauthorized debit or credit card charges, but with one big caveat: the onus is on the cardholder to spot and report any unauthorized charges. Keep a close eye on your monthly statements and report any bogus activity immediately. Many card issuers now let customers receive text alerts for each card purchase and/or for any account changes. Take a moment to review the notification options available to you from your bank or card issuer.

All new Dell laptops and desktops shipped since August 2015 contain a serious security vulnerability that exposes users to online eavesdropping and malware attacks. Dell says it is prepping a fix for the issue, but experts say the threat may ultimately need to be stomped out by the major Web browser makers.

At issue is a root certificate installed on newer Dell computers that also includes the private cryptographic key for that certificate. Clever attackers can use this key from Dell to sign phony browser security certificates for any HTTPS-protected site.

Translation: A malicious hacker could exploit this flaw on open, public networks (think WiFi hotspots, coffee shops, airports) to impersonate any Web site to a Dell user, and to quietly intercept, read and modify all of a vulnerable Dell system’s Web traffic.

According to Joe Nord, the computer security researcher credited with discovering the problem, the trouble stems from a certificate Dell installed named “eDellRoot.”

Dell says the eDellRoot certificate was installed on all new desktop and laptops shipped from August 2015 to the present day. According to the company, the certificate was intended to make it easier for Dell customer support to assist customers in troubleshooting technical issues with their computers.

“We began loading the current version on our consumer and commercial devices in August to make servicing PC issues faster and easier for customers,” Dell spokesperson David Frink said. “When a PC engages with Dell online support, the certificate provides the system service tag allowing Dell online support to immediately identify the PC model, drivers, OS, hard drive, etc. making it easier and faster to service.”

“Unfortunately, the certificate introduced an unintended security vulnerability,” the company said in a written statement. “To address this, we are providing our customers with instructions to permanently remove the certificate from their systems via direct email, on our support site and Technical Support.”

In the meantime, Dell says it is removing the certificate from all Dell systems going forward.

“Note, commercial customers who image their own systems will not be affected by this issue,” the company’s statement concluded. “Dell does not pre-install any adware or malware. The certificate will not reinstall itself once it is properly removed using the recommended Dell process.”

It’s unclear why nobody at Dell saw this as a potential problem, especially since Dell’s competitor Lenovo suffered a very similar security nightmare earlier this year when it shipped an online ad tracking component called Superfish with all new computers.

Researchers later discovered that Superfish exposed users to having their Web traffic intercepted by anyone else who happened to be on that user’s local network. Lenovo later issued a fix and said it would no longer ship computers with the vulnerable component.

Dell’s Frink said the company would not divulge how many computers it has shipped in the vulnerable state. But according to industry watcher IDC, the third-largest computer maker will ship a little more than 10 million computers worldwide in the third quarter of 2015.

Zakir Durumeric, a Ph.D. student and research fellow in computer science and engineering at the University of Michigan, helped build a tool on his site — https://zmap.io/dell — which should tell Dell users if they’re running a vulnerable system.

Durumeric said the major browser makers will most likely address this flaw in future updates soon.

“My guess is this has to be addressed by the browser makers, and that we’ll seem them blocking” the eDellRoot certificate. “My advice to end users is to make sure their browsers are up-to-date.”

Further reading:

An in-depth discussion of this issue on Reddit.

Dan Goodin‘s coverage over at Ars Technica.

Dell’s blog advisory.

Update, 1:15 a.m. ET: Added link to Dell’s instructions for removing the problem.

Amazon has added multi-factor authentication to help customers better secure their accounts from hackers. With this new feature enabled, thieves would have to know your username, password, and have access to your mobile device or impersonate you to your mobile provider in order to hijack your Amazon account. The security feature allows users to receive a one-time code via text message, automated phone call, or third-party app — such as Google Authenticator.

Multi-factor authentication, also often called “two-step” or “two factor” authentication, is a great way to improve the security of your various online accounts (where available). With multi-factor logins enabled, even if thieves somehow steal your account username and password they’ll still need access to the second factor — your mobile phone — to successfully hijack your account.

Users can instruct Amazon to “remember” each device, which disables future prompts for the second factor on that device going forward. If Amazon later detects a login attempt from a device it does not recognize as associated with that account, it will prompt for the code from the second factor — text message, voice call, or app (whichever you choose).

I’m not sure I succeeded the first time I tried to set up multi-factor authentication on Amazon. I signed in, clicked “Your Account,” and then under “Account Settings” clicked “Change Account Settings.” That page allowed me to add a mobile number by typing in a code that was sent to my mobile. But when I hit “Done” and went back to Amazon’s home page, I decided to revisit the page only to discover that there are two more steps needed to finish setting up multi-factor authentication.

In step two, Amazon asks for a backup phone number where users can receive text messages or voice calls, in case you don’t have access to the mobile device added in Step 1. The backup method also can be Google’s Authenticator App.

Step three just explains how it all works and allows users to skip future one-time codes on personal devices.

If you shop at Amazon, take a few minutes today to turn on multi-factor authentication for your account. While you’re at it, check out twofactorauth.org to see if multi-factor is available for other any online services you may use. Also, consider whether you’re able to beef up the security of the backup email accounts you use for your recovery address.

One final note: Receiving one-time codes by a third-party mobile app that does not require a working connection to the Internet — such as Google Authenticator — allows for fewer chances that your one-time codes could be diverted by attackers: Thieves can still call in to your Internet service provider or mobile provider, pretend to be you, and have your calls and/or texts forwarded to another number that they control.