A new report from Visa warns that unsuspecting travelers who pay at the pump with an old magstripe card risk having their account details stolen by a group of hackers. Cybercrime groups are actively exploiting a weakness in gas station point-of-sale (POS) networks to steal credit card data. Visa’s fraud disruption teams are investigating several incidents in which a hacking group known as Fin8 defrauded fuel dispenser merchants. In each case, the attackers gained access to the POS networks via malicious emails and other unknown means. They then installed POS scraping software that exploited the lack of security with old-school mag stripe cards that lack a chip.
The hack doesn’t appear to affect more secure chip cards, but not all consumers have those, so service stations often work with mag stripe readers, too. The data is apparently sent in an unencrypted form to the vendor’s main network, where the thieves have figured out how to intercept it. The other problem is that the POS systems aren’t firewalled off from other, less critical parts of the network, allowing thieves to gain lateral access once the network is breached.
There’s not much cardholders can do to avoid the attacks, but Visa has advised fuel merchants to encrypt data while it’s transferred or use a chip-and-PIN policy. “Fuel dispenser merchants should take note of this activity and deploy devices that support chip cards wherever possible, as this will significantly lower the likelihood of these attacks,” it advised in the December security alert.
Data theft via old magstripe cards has become such a problem, Visa is mandating that all gas stations in America install chip-and-pin readers at the pump by October of next year. If the gas stations do not, they will be liable for cybercrime that happens at their pumps.