Visa has sent out a security alert about hackers who have breached gas pumps in North America, potentially leading to a customer’s credit card information being stolen. This is different from the credit card skimmers that consumers have been warned about for years because, this time, there is no physical device placed on the pump. It’s all in the software.
Visa says cybercrime groups used point-of-sale (POS) malware to infect pumps at two North American gas stations in August and September 2019 to harvest card data
In one of the two cases, the hackers gained access using a phishing email that contained a malware attachment. That merchant was still using magnetic stripe readers to collect card information. Visa said they had not yet switched to the more secure chip technology.
The second gas station incident involved the hackers gaining access to the merchant’s network, but it’s not clear how. Visa said the merchant had chip-enabled card readers in the store, but the pumps accepted the magnetic stripe.
Visa is warning gas station owners who haven’t made the switch to chip acceptance to do soon because these attacks will continue and have the potential to compromise multiple accounts. Visa also says that starting in October 2020, merchants will be responsible for any customer fraud related to not having chip-enabled readers at their pumps.
“As long as the magnetic stripe readers are in place, fuel dispenser merchants are becoming an increasingly attractive target for advanced threat actors with an interest in compromising merchant networks to obtain this payment card data,” Visa said in its alert.
A third incident over the summer involved a “hospitality merchant” that was infected with a new kind of malware that hadn’t been widely used.
The names and locations of the merchants were not mentioned in the alerts.
Two of the attacks have been traced back to FIN8, a cybercrime group that Visa says targets point-of-sale at retailers, restaurants and hotels.
How do you protect yourself and your money?
- Never use a debit card that’s linked to your bank account. You are generally protected from fraudulent transactions with a credit card, limiting how much you will be responsible for. But if a hacker drains your bank account by stealing your debit card information, you may never get that money back.
- If you currently don’t have a chip-enabled card, contact your credit card company and ask them to send you a replacement card with the chip right away.
- When possible, avoid using card readers that only accept the magnetic stripe. Use the chip readers if they are available, usually found inside the store. It may take a little more time, but it is more secure.
- Regularly check your credit card and bank account online for any signs of transactions you didn’t make. Immediately report any fraudulent charges you do find. You may need to have your card suspended and have the company send you a new one.
- Sign up for fraud alerts with your bank or credit card company. Some will let you receive an alert if a transaction exceeds a certain dollar amount.