
SANS ISC: Someone is using this? PoS: Compressor SANS ISC InfoSec Forums

Someone is using this? PoS: Compressor

Hello Dear Readers,

This diary comes to you by way of 'the real world' and was taken very recently. Has anyone seen anything like this before? This handler was stunned into silence before the years of cynicism took over and I started breathing again. I was about to leave the convenience store, as I had passengers and they were in a hurry, but instead got out and took this picture. There were no cameras monitoring it; the position, as you can tell, was around the side of the store, and the placement in the area was convenient for drivers to use but terrible for monitoring. I could see someone driving up to use this, and then perhaps making a modification to it for, say, 'skimming' or, repeat after me boys and girls: can we say 'pivot'???

Something Interesting

Quick poll for the comments:

- I would never use this (Agree/Disagree)
- This is risky (Agree/Disagree)

 

===

Richard Porter

@packetalien

rporter at isc dot sans dot edu

 

Richard

168 Posts
ISC Handler
Nov 24th 2014
Very funny. You know, if you wanted to capture card data, all you would have to do is set up these all over the place and never even process transactions. Simple logic to capture the mag stripe and then just turn on the compressor would be very easy. I'd like to use an expired card to see if that is what is happening!
Anonymous
That is one I would not use. I would think that if there is no monitoring on that site, wouldn't it violate PCI-DSS?

Btw, who pays for air to put in your tires? Plenty of places have free air pumps.
netsec-nyc

1 Posts
I did not stay long enough to really take a hard look. I did not notice any cameras monitoring it. As to PCI compliance and monitoring, I would hope they would have system and intrusion monitoring etc... Just looked like a bad plan to me.

~Richard
@packetalien
Richard

168 Posts
ISC Handler
I've seen them around the San Diego area. Which is kind of funny as gas stations in this area are legally required to give free air to anyone who purchases fuel.

There's no PCI requirement for video monitoring of end-user terminals. Only datacenters, server rooms, etc. are required to have video monitoring.

At least from the outside, the machines appear to be fairly robustly built to discourage coin thieves.

People want convenience. Not sure how this is any different from the swipe terminal at self-service car washes, ATM machines outside gas stations, etc.

The small white blip on the top of the unit is a wireless antenna, so the machine is obviously processing in real time and not storing sensitive data.
Joey

18 Posts
These devices are very convenient and the fact someone makes money on them means they work. Enough of the bitching. How do you all cost-effectively and securely allow folks to use credit cards?
Dean

135 Posts
This would be the same as paying to use the drinking fountain with your credit card in a back alley.... Natural selection maybe?
Alex

6 Posts
"This would be the same as paying to use the drinking fountain with your credit card in a back alley.... Natural selection maybe?"

Interesting. I've been filling up bike and car tires all my life and the free air machines are horrendously maintained. So you are saying there's absolutely no business requirement for these units then? Another case of the security tech just saying "No."
Dean

135 Posts
These things are all over the place, in DIY car wash stalls, air inflation stations, etc. Any place where you have a timed service or metered amount. Just slide your card and go!
Dean
57 Posts
This installation is called an unattended terminal.

It is supposed to use a terminal device that has been certified for such installations, unless the merchant has bypassed those business rules....

Theoretically, the risk is managed; in practice, it can be fake or defective after being tampered with.
Mr.Prontissimo

14 Posts
Why people would pay for air I do not know.

But apart from that, it does not look too different from the hundreds of unmanned gas stations we have here in Denmark, Europe. We have had our share of Eastern Europeans with card skimmers. But it seems to have vanished over the last few years. Not sure why.

We use chip&pin, but still have the magstripe. And abuse was always done as large withdrawals from ATMs in Eastern Europe, 1000 km away from Denmark. PIN was recorded with camera. Maybe the banks' security systems were improved for magstripe withdrawals? That alone should raise a first flag. I have colleagues who got phone calls from the bank when doing larger purchases online, to validate that it was not fraud.

Chip&pin is the way to go. Chip cloning is difficult. And magstripe could trigger warnings at the bank. And here in Denmark, the guaranteed amount on a magstripe transaction is way lower than chip. I think it is $300 for magstripe.
Povl H.

74 Posts
