As we start off 2020, there is one important trend that both individuals and businesses alike need to be aware of: purely digital attacks (Phishing, Business Email Compromise, Ransomware, and the like) have, IMHO, reached their peak.

This is not to say that they will not continue into the future. They will, and they will be much more malicious in nature as new threat variants evolve from them. The best example of this is Phishing. Its origins go all the way back to the 1990s, with AOL users becoming the first widely publicized victims.

But the Cyberattacker of today realizes that Corporate America is directing much of its energy and attention toward avoiding becoming the victim of a digital Cyberattack. Because of this, they are now going to launch their threat vectors against a much older target: the Physical Infrastructure of businesses and individuals alike.

This was best exemplified in yesterday's blog post, in which I detailed how the Critical Infrastructure of a United States Coast Guard facility was impacted by a rather simple Phishing Email Attack.

But many Cybersecurity professionals, including myself, believe that the physical Critical Infrastructure of the United States is at grave risk not from just one kind of Cyberattacker, but more than likely from many, including different nation state threat actors.

But another form of Physical Attack that can take place, and which has not received much attention in the headlines as of late, is Credit Card fraud at the gas pump. For the sake of convenience, nearly every filling station now has a payment system in which you swipe or insert your card in a card reader right at the pump; within seconds your payment is authorized and you start pumping away.

But the main problem here is that these card readers are not secure. For example, a Cyberattacker, late at night when nobody is watching, can open the dispenser panel and either replace the real card reader with a fake one that looks like the real thing, or wire a small skimmer board in line behind the genuine reader. What the victim does not realize is that the moment the card is swiped, everything encoded on its magnetic stripe (the card number, expiration date, service code and cardholder name, all in plain text) is read and stored by the skimmer.

From this point onwards, the Cyberattacker never needs to touch the pump again. Many skimmers carry a Bluetooth or cellular module, so the attacker can sit in a car or a hotel room a few hundred feet away with a laptop or phone and covertly download everything the skimmer has captured. Once this has been done, fraudulent purchases can be made online, or, if the Cyberattacker is sophisticated enough, the stripe data can be written onto blank plastic, producing realistic-looking cloned cards with your name on them that swipe exactly like yours.

To add even more insult to injury, the data on a magnetic stripe is not encrypted in any way, and the skimmer sits in front of the terminal, so whatever encryption the terminal applies afterward is of no help. In fact, it has even been reported that many of these gas stations do not fully comply with the Payment Card Industry Data Security Standard (PCI DSS). Note that PCI DSS is not a law; it is a contractual standard imposed by the card brands on every merchant that accepts their cards.

Essentially, PCI DSS states that cardholder data must be encrypted while in transit over open public networks, that a stored card number must be rendered unreadable (for example, truncated or encrypted), and that the full magnetic stripe contents (so-called sensitive authentication data) must never be stored after the transaction has been authorized.
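To make concrete what a skimmer captures and what PCI DSS lets a merchant keep, here is an added Python example (my illustration, not code from any gas station payment system or from the PCI Council). It parses an ISO/IEC 7813 Track 2 record like the one a skimmer stores, validates the card number with the Luhn check, reads the service code to see whether the card carries a chip, and then shows the PCI-compliant truncated form that may be stored or logged. The track record is constructed; 4111 1111 1111 1111 is a standard test number, not a real account.

```python
import re

# Constructed sample of what a pump skimmer stores from one swipe.
# ISO/IEC 7813 Track 2 layout: ;PAN=YYMM SSS discretionary?
# The PAN below is a well-known test number, not a real account.
SAMPLE_TRACK2 = ";4111111111111111=25122011234567890?"

TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$"
)


def luhn_valid(pan: str) -> bool:
    """Luhn (mod 10) check used by the card brands to catch mistyped PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        digit = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def parse_track2(track: str) -> dict:
    """Decode a raw Track 2 record into the fields a fraudster cares about."""
    m = TRACK2_RE.match(track)
    if not m:
        raise ValueError("not a Track 2 record")
    pan, exp, svc = m["pan"], m["exp"], m["svc"]
    return {
        "pan": pan,
        "luhn_ok": luhn_valid(pan),
        "expiry": f"{exp[2:]}/{exp[:2]}",        # the stripe stores YYMM
        "service_code": svc,
        # Service code digit 1: 2 or 6 = integrated circuit (chip) present.
        # A chip-capable terminal uses this to demand the chip instead of
        # silently accepting the swipe, which is exactly what a skimmer relies on.
        "chip_present": svc[0] in ("2", "6"),
        # Digit 3: 0, 3 or 5 = PIN required for the transaction.
        "pin_required": svc[2] in ("0", "3", "5"),
        "discretionary": m["disc"],
    }


def mask_pan(pan: str) -> str:
    """PCI DSS Requirement 3.3 display form: at most first 6 and last 4 digits."""
    if len(pan) <= 10:
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def storable_after_auth(rec: dict) -> dict:
    """What PCI DSS allows a merchant to retain once the sale is authorized.

    Full track data and the discretionary field are sensitive authentication
    data (Req. 3.2) and must never be kept; the PAN must be rendered unreadable.
    """
    return {"pan_masked": mask_pan(rec["pan"]), "expiry": rec["expiry"]}


if __name__ == "__main__":
    rec = parse_track2(SAMPLE_TRACK2)
    print("skimmer sees  :", rec)
    print("merchant keeps:", storable_after_auth(rec))
```

Everything in the first dictionary is what the attacker walks away with from a single swipe; only the second dictionary should ever appear in a merchant's database or logs.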

If card numbers are stored at all, the owner of that store must ensure that they are encrypted at all times, with the latest safeguards in place. Separately, on October 1, 2015, the major card brands put their EMV liability shift into effect in the United States. EMV cards carry a chip that generates a unique cryptogram for each and every transaction (so a captured transaction cannot simply be replayed), and under the shift, the financial liability for counterfeit card fraud moves to whichever party, merchant or issuer, has not adopted chip technology. A merchant still accepting only magnetic stripe swipes therefore eats the loss.
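Why the chip matters, as an added illustration (mine, not from the card brands or any real terminal): the toy issuer below accepts a magnetic stripe transaction on static data alone, so a skimmed copy authorizes just like the original card, while the chip path requires a per-transaction cryptogram over a counter (the ATC), the amount and a nonce from the terminal. HMAC-SHA256 stands in for the 3DES/AES-based ARQC a real EMV card computes, and key management is simplified to one random key per card; the replay behaviour is the point.

```python
import hashlib
import hmac
import os
import secrets


def cryptogram(key: bytes, atc: int, amount_cents: int, nonce: bytes) -> bytes:
    """Stand-in for an EMV ARQC: a MAC over the transaction counter, the amount
    and the terminal's unpredictable number. Real cards use 3DES/AES session
    keys derived from an issuer master key; HMAC-SHA256 is used here only to
    show the property that matters (one secret, one counter, one fresh nonce)."""
    msg = atc.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class ChipCard:
    """Holds a secret the stripe never exposes and a counter that only goes up."""

    def __init__(self, pan: str, key: bytes):
        self.pan, self._key, self.atc = pan, key, 0

    def generate_ac(self, amount_cents: int, nonce: bytes):
        self.atc += 1
        return self.atc, cryptogram(self._key, self.atc, amount_cents, nonce)


class Issuer:
    def __init__(self):
        self._keys = {}      # PAN -> card secret (known only to issuer and chip)
        self._last_atc = {}  # PAN -> highest counter already accepted

    def enroll(self, pan: str) -> bytes:
        key = secrets.token_bytes(16)
        self._keys[pan] = key
        self._last_atc[pan] = 0
        return key

    def authorize_swipe(self, pan: str, expiry: str) -> bool:
        """Magstripe path: everything needed is static, so a clone passes."""
        return pan in self._keys and len(expiry) == 4

    def authorize_chip(self, pan, atc, amount_cents, nonce, ac) -> bool:
        key = self._keys.get(pan)
        if key is None:
            return False
        if atc <= self._last_atc[pan]:          # seen before: replay or clone
            return False
        expected = cryptogram(key, atc, amount_cents, nonce)
        if not hmac.compare_digest(expected, ac):
            return False
        self._last_atc[pan] = atc
        return True


def demo() -> dict:
    issuer = Issuer()
    pan = "4111111111111111"                    # test number, not a real card
    card = ChipCard(pan, issuer.enroll(pan))
    results = {}

    # 1. Legitimate swipe, then the skimmed copy of the same stripe data.
    results["swipe_ok"] = issuer.authorize_swipe(pan, "2512")
    results["skimmed_clone_ok"] = issuer.authorize_swipe(pan, "2512")

    # 2. Legitimate chip transaction at the pump.
    nonce = os.urandom(4)
    atc, ac = card.generate_ac(4000, nonce)
    results["chip_ok"] = issuer.authorize_chip(pan, atc, 4000, nonce, ac)

    # 3. Attacker replays the captured (atc, nonce, cryptogram) verbatim.
    results["replay_ok"] = issuer.authorize_chip(pan, atc, 4000, nonce, ac)

    # 4. Attacker reuses the captured cryptogram for a new amount and nonce.
    results["reuse_ok"] = issuer.authorize_chip(pan, atc + 1, 9999, os.urandom(4), ac)

    # 5. The genuine card's next transaction still works.
    nonce2 = os.urandom(4)
    atc2, ac2 = card.generate_ac(1500, nonce2)
    results["next_chip_ok"] = issuer.authorize_chip(pan, atc2, 1500, nonce2, ac2)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:17s} {'ACCEPTED' if ok else 'DECLINED'}")
```

Running it shows both swipes accepted (the skimmed clone is indistinguishable from the real card), the genuine chip transaction accepted, and both the verbatim replay and the re-used cryptogram declined. This is precisely why the card brands shifted liability onto merchants that still accept only the swipe.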

Given the sheer number of independently owned, mom and pop gas stations across the United States, meeting this standard would have meant ripping out old dispensers or card readers, installing new ones, and putting in new software as well.

This can be a costly endeavor, and thus the automated fuel dispensers were given an extension until October 2017 to come into compliance. For reference, this can cost anywhere from $25,000 to $150,000 for just one gas station, depending upon how much of an overhaul needs to be done.

But this did not happen either, and the deadline was pushed back again, so gas stations in all 50 states now have until October of this year (2020) to come into full compliance. Because of this, it is expected that there will be a surge of attacks on these gas stations up until the October deadline, since skimmed stripe data becomes far less useful once the pumps demand the chip.

In this regard, one of the most notorious groups targeting fuel merchants is FIN8, a financially motivated group best known for planting point-of-sale malware on merchant networks to harvest the same magnetic stripe data a physical skimmer would capture. More detailed information about them, as well as some of the threat vectors they have launched, can be seen at the link below:

https://malpedia.caad.fkie.fraunhofer.de/actor/fin8

My Thoughts On This

I am actually very happy to see that the gas stations, no matter how large or how small, will have to come into compliance in some shape or another. After all, what makes them different from any other business that has to comply with the GDPR or even the CCPA (California's new Privacy Act, which took effect last Wednesday)?

In my opinion, there is no difference. After all, they store some of the most valuable information of their customers, and therefore must be held responsible.

But this is the perfect world scenario. The real world one is that many of these mom and pop outfits simply may not be able to afford these upgrades to their systems, and could very well be put out of business if they tried.

So there may be some middle ground for compromise here, in that some workaround solutions might be acceptable for the time being.

For example, this can include CCTV cameras (with or without Facial Recognition) that actually cover the dispensers rather than just the store entrance, tamper-evident seals on the dispenser panels with a daily inspection routine, locks on each pump that are not the manufacturer's shared key, and hardened encryption on the back-office databases that store customer card numbers. Note, though, that encrypting the database does nothing against a skimmer: the data is stolen at the read head, before it ever reaches the database.

But the question still remains: how will these numbers be protected while they are in transit from the card to the payment processor? The only real answer is to install new card readers that use EMV chip technology (ideally with point-to-point encryption, so the data is encrypted at the read head itself), which sends the store owner back to the drawing board once again. But in the meantime, until all of the gas stations come to some degree of compliance, the ultimate responsibility for making sure that your credit card information remains safe is yours.

A few years ago, I was the victim of Credit Card fraud as well, so based on my experiences, here are some of my tips:

*Always pay inside at the register of the gas station. Yes, this is inconvenient, but it will help you avoid becoming a victim. Insist to the cashier that you want to use the card reader with the EMV chip technology. If they don't have it, then ask to speak to the manager on duty and question them as to what safeguards they have in place. Be very watchful of the cashier as the transaction takes place, and insist on a receipt.

*Always be cognizant of your surroundings. Try to fill up during the daytime, and if you can't, only go to gas stations that are well lit (BP is one that comes to mind).

*If you have to use a card reader at the pump, then inspect it closely. Try to wiggle the card reader, and if it is loose fitting, don't use it. Or if it looks odd in any way, or simply something does not seem right to you, find another gas station if possible.

*The best course of action is always to pay in cash, but in today's world, who carries that, right?

*Always, always check your credit card transactions online at least twice a day, or more if you can. That way, you can catch any fraudulent activity before the financial damage really adds up.

Credit card skimmers at the pump are not the only kind of threat vector to Physical Infrastructure that we will see. The next one in line, IMHO, is the robotic phone calls you get on your Smartphone, known as "Voice Phishing" or "Vishing" for short. This is the topic for a future blog, so stay tuned!