[Dataloss] Journalist seeking pay at the pump data loss incident info

Al Mac Wheel macwheel99 at wowway.com
Tue Jan 29 04:58:52 UTC 2008


You might check the list's open source database of past breaches.  Go to 
http://attrition.org/dataloss & check out the links there.

There have been incidents reported associated with multiple gas station 
chains in different parts of the nation where
* criminals do the ATM skimming trick to capture info on people who stick 
their credit cards into the gas pumps to buy gas.
* the convenience store failed to have wireless security, so that anyone 
with wireless on their PC could download all the info going through that 
convenience store network ... they don't have to be parked in plain sight 
in the parking lot to do this ... and generally when the news comes out 
that there has been such a breach, it is kept secret for a long time what 
kind of stupidity was going on at the store that led to being breached

On another computer security list, not long ago, I saw where some outfit 
had randomly visited millions of e-commerce web sites, determined what 
computer system they were using, and at what patch level.  They found half 
a million without proper computer security, either at an old version, or 
many months behind on applying patches.

Some computer system implementations are more vulnerable to breach than others.
There are places that list problems on different Operating Systems in need 
of some patch to fix some problem someone has uncovered.  Some Operating 
Systems are conspicuous by their absence from these lists.  Through 
research places like Gartner you can get statistics on #s of sites out 
there with various OS, then compare problem lists to see if some OS have 
more than their fair share of security weaknesses.

As a journalist, you might do dumpster diving to check that places that 
sell gas in your neck of the woods do a proper job of shredding receipts 
associated with people who pay for gas with credit card inside the store.

It is not a data loss incident ... I assume you have seen that the price at 
the pumps change daily ... some crooks have figured out how to make 
unauthorized changes to the pump prices, for the purpose of buying gas CHEAP

The credit card industry has a PCI standard associated with what the 
retailers are supposed to be storing after a sale is 
consummated.  Periodically they release statistics on the numbers of clients 
who have flunked PCI audits.  You might push them to tell you proportions 
by type of company ... restaurant, convenience store, hotel, etc.

Here's an experiment you can try ... buy something from a major chain ... 
Sears, Home Depot, Walmart, etc. paying by credit card.  Then a few weeks 
later, try to return your purchase.  If they know exactly who you are, from 
your receipt, and you do not have to show your credit card to get a credit, 
then they are in violation of the PCI standard.  This means they have 
stored information beyond what they are supposed to.

Al Macintyre

>Hello DataLoss List Members,
>
>I am covering data loss due to credit card skimming and other exploits on 
>credit cards at gas station pay at the pump terminals. I am particularly 
>interested in incidents of skimming as well as incidents where criminals 
>sit in gas station parking lots, hack into gas station networks via their 
>wireless networks and then get credit card data housed on the local server.
>
>If you have any leads to the frequency of these types of incidents, that 
>is also welcome.
>
>Best Regards,
>David Geer
>
>_______________________________________________
>Dataloss Mailing List (dataloss at attrition.org)
>http://attrition.org/dataloss



