Visa warns that hackers are exploiting lack of security with mag stripes

Several news outlets reported this week that, according to Visa, cybercrime groups are actively exploiting a weakness in gas station point-of-sale (POS) networks to steal credit card data. The company’s fraud disruption teams are investigating several incidents in which a hacking group known as FIN8 defrauded fuel dispenser merchants. In each case, the attackers gained access to the POS networks via malicious emails and other unknown means. They then installed POS scraping software that exploited the lack of security around old-school magnetic stripe data in card readers that can’t read chips.

The hack does not appear to affect more secure chip cards, but many of the service stations have not replaced card readers at the pumps yet. The data is apparently sent in an unencrypted form to the vendor’s main network, where the thieves have figured out how to intercept it. The other problem is that the POS systems are not firewalled off from other, less critical parts of the network, allowing thieves to gain lateral access once the network is breached.

There is not much cardholders can do to avoid the attacks, but Visa has advised fuel merchants to encrypt data while it is transferred or support chip-equipped cards. “Fuel dispenser merchants should take note of this activity and deploy devices that support chip cards wherever possible, as this will significantly lower the likelihood of these attacks,” it advised in the December security alert. According to Visa, it is the presence of a chip, not the PIN code, that makes cards more secure.
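A merchant can check whether magnetic stripe data is crossing its network unencrypted by scanning captured POS traffic for Track 2 records. The following is an added example, not part of Visa's alert or the original article; the payload layout, pump labels and function names are assumptions, and the sample data is constructed.

```python
import re

# ISO/IEC 7813 Track 2 layout: ';' PAN (up to 19 digits) '=' YYMM expiry,
# 3-digit service code, discretionary data, '?' end sentinel.
TRACK2 = re.compile(rb";(\d{12,19})=(\d{4})(\d{3})\d*\?")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum; filters out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cleartext_track2(payload: bytes) -> list[dict]:
    """Return masked findings for every Luhn-valid Track 2 record in payload."""
    findings = []
    for m in TRACK2.finditer(payload):
        pan = m.group(1).decode("ascii")
        if not luhn_ok(pan):
            continue
        findings.append({
            "offset": m.start(),
            # Report only first 6 / last 4 so the finding holds no full PAN.
            "masked_pan": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
            # Service code starting with 2 or 6 means the card carries a chip
            # but was read from its stripe.
            "chip_card": m.group(3).decode("ascii")[0] in "26",
        })
    return findings


# Constructed sample payloads (4111111111111111 is a widely used test number).
SAMPLES = {
    "pump-7 cleartext": b"TXN|pump=7|;4111111111111111=25122010000000000?|amt=40.00",
    "pump-7 bad checksum": b"TXN|pump=7|;4111111111111112=25122010000000000?|amt=40.00",
    "pump-9 encrypted": bytes.fromhex("8f3a1c9be7d204a6615bd0f2c4e89a77"),
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, find_cleartext_track2(payload))
```

Any finding on a link between the pump and the back office means card data is traveling in the clear on that segment.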

Earlier this year, Visa announced that fuel merchants must deploy chip readers by October 2020. After that, any service stations without the new tech will be liable for any fraud. The problem is, many such businesses have very old technology and must replace the entire pump at an estimated cost of up to $250,000 per station. Spread across all the convenience stores in the US, the total hit has been estimated at around $22.5 billion on the very high end.

This article originally appeared in LSCU InfoSight Compliance eNewsletter.

Written by
Cara Clark