FOSTER CITY (CBS SF) — Sophisticated hackers have been able to access gas pump point-of-sale systems, possibly compromising the security of personal data and passwords of millions of credit card customers, VISA announced Monday.
The Foster City-based credit card company has issued a security alert, warning consumers to keep on eye on the charges posted on their accounts.
VISA said its security experts have uncovered three “unique attacks targeting merchant point-of-sale systems that were likely carried out by sophisticated cybercrime groups.”
Two of those security breaches included gas pumps and a third was at a hospitality merchant. The company did not identity any of the three victim companies by name.
VISA did, however, identify one of the hackers — FIN8.
“FIN8 is a financially motivated threat group active since at least 2016 and often targets the POS environments of retail, restaurant, and hospitality merchants to harvest payment account data,” Visa said in a statement.
VISA said the FIN8 attacks involved payment systems using just credit card magnetic stripe readers — not systems that read chip-enabled credit cards with a personal identification number.
The credit card company’s security experts said the POS attacks were much more sophisticated than credit card skimmers inserted unsuspectingly into gas pumps.
“This attack … differs significantly from skimming at fuel pumps, as the targeting of POS systems requires the (hackers) to access the merchant’s internal network, and takes more technical prowess than skimming attacks,” VISA said in a statement.
“They’re using phishing schemes or something like that. Gas station person who works at the gas station gets the email, they open up the email, software is installed on their system and next thing you know, they have access to all of that data that’s stored on the local server there,” said KPIX 5 Security Analyst Jeff Harp.
Michael Rodriguez’s card was compromised just last week.
“It ended up being a fraud charge, and they explained it could have been either at a gas station or some convenience store or some place where I may have used my Visa card,” said Michael Rodriguez of Sausalito.
Experts say you may have a better shot at recoup your losses faster if you use a credit card over a debit card.
“It is a good warning for everybody, but it is also hard to avoid the ease of putting your card and filling up,” said Jeremy Cross of Santa Cruz.
VISA didn’t say how many of its accounts may have been affected by the gas-station breaches.
VISA announced that gas stations must use chip readers by October 2020. After that, any stations without the new technology will be liable for any fraud. The cost to replace the entire pump is reportedly up to $250,000.
“The problem is some of these mom and pop gas stations they don’t have the sources and the revenue and the funding to replace pumps, because it’s really expensive to put this modern technology in,” said Harp. “Some places will probably go out of business and they might be those places where you probably get a good deal on gas.”