Pay-at-the-Pump Skimming

This is peculiar. If true, it indicates some surprisingly careless security engineering.

Decades ago I worked with Unisys EFTPOS terminals (the type you see at supermarket checkouts). These were of a type which had the PIN-entry keypad on the end of a cable, while the card slot was in the main body of the unit. A perceived risk was that someone could tamper with the unit and install sniffing hardware/software to learn the user’s PIN. To thwart this, the keypads included a DES key stored in supercap-backed SRAM for encrypting the PIN before it ever left the keypad (the main body of the unit did not have this key; the computer inside it never had access to the plaintext PIN) and a tamper switch in the keypad which would short out the SRAM’s power pins the instant the keypad’s case was opened, thereby destroying its copy of the DES key and rendering the keypad permanently useless if opened.

It would seem that the same approach could readily be applied to terminals embedded in gasoline/petrol pumps; the card-scanner and/or PIN keypad should be in sealed units which are rendered permanently inoperative (by instantly losing/destroying a stored key) if opened.

Naturally, this is just one of dozens of vulnerabilities that such a device has; decisions about which counter-measures to employ are always about trade-offs. Nonetheless, this seems an odd choice.


2 Responses to “Pay-at-the-Pump Skimming”

  1. j2 Says:

    The Java iButton had antitampering and it was a device that sold for what, a buck?

    I think the US should panic; enact new laws that curtail existing rights, e.g. declare a constitution-free zone 2 miles around every gas station; and provide more funding to the DHS; oh and build a 2 mile high wall around the US, ignoring historical, ecological, common-sensical(*) objections.

    (There must be a security theatre troupe out there somewhere. Besides the TSA, I mean).

    * yes firefox, I know that’s not a word. How come it can be nonsensical but not sensical?

  2. Roland Turner Says:

    Well, it’s proven to be an …effective solution so far :-)
