PROJET AUTOBLOG


Krebs on Security

Site original : Krebs on Security

⇐ retour index

Mise à jour

Mise à jour de la base de données, veuillez patienter...

‘Operation Tarpit’ Targets Customers of Online Attack-for-Hire Services

mardi 13 décembre 2016 à 18:51

Federal investigators in the United States and Europe last week arrested nearly three-dozen people suspected of patronizing so-called “booter” services that can be hired to knock targeted Web sites offline. The global crackdown is part of an effort by authorities to weaken demand for these services by impressing upon customers that hiring someone to launch cyberattacks on your behalf can land you in jail.

On Dec. 9, 2016, the U.S. Federal Bureau of Investigation (FBI) arrested Sean Sharma, a 26-year-old student at the University of California accused of using a booter service to knock a San Francisco chat service company’s Web site offline.

Sharma was one of almost three dozen others across 13 countries who were arrested on suspicion of paying for cyberattacks. As part of a coordinated law enforcement effort dubbed “Operation Tarpit,” investigators here and abroad also executed more than 100 so-called “knock-and-talk” interviews with booter buyers who were quizzed about their involvement but not formally charged with crimes.

Netspoof's DDoS-for-hire packages. Image: Samsclass.info.

Netspoof’s DDoS-for-hire packages. Image: Samsclass.info.

Stresser and booter services leverage commercial hosting services and security weaknesses in Internet-connected devices to hurl huge volleys of junk traffic at targeted Web sites. These attacks, known as “distributed denial-of-service” (DDoS) assaults, are digital sieges aimed at causing a site to crash or at least to remain unreachable by legitimate Web visitors.

“DDoS tools are among the many specialized cyber crime services available for hire that may be used by professional criminals and novices alike,” said Steve Kelly, FBI unit chief of the International Cyber Crime Coordination Cell, a task force created earlier this year by the FBI whose stated mission is to ‘defeat the most significant cyber criminals and enablers of the cyber underground.’ “While the FBI is working with our international partners to apprehend and prosecute sophisticated cyber criminals, we also want to deter the young from starting down this path.”

According to Europol, the European Union’s law enforcement agency, the operation involved arrests and interviews of suspected DDoS-for-hire customers in Australia, Belgium, France, Hungary, Lithuania, the Netherlands, Norway, Portugal, Romania, Spain, Sweden, the United Kingdom, and the U.S. Europol said investigators are only warning one-time users, but aggressively pursuing repeat offenders who frequented the booter services.

“This successful operation marks the kick-off of a prevention campaign in all participating countries in order to raise awareness of the risk of young adults getting involved in cybercrime,” reads a statement released Monday by Europol. “Many do it for fun without realizing the consequences of their actions – but the penalties can be severe and have a negative impact on their future prospects.”

The arrests stemmed at least in part from successes that investigators had infiltrating a booter service operating under the name “Netspoof.” According to the U.K.’s National Crime Agency, Netspoof offered subscription packages ranging from £4 (~USD $5) to £380 (~USD $482) – with some customers paying more than £8,000 (> USD $10,000) to launch hundreds of attacks. The NCA said twelve people were arrested in connection with the Netspoof investigation, and that victims included gaming providers, government departments, internet hosting companies, schools and colleges.

The Netspoof portion of last week’s operation was fueled by the arrest of Netspoof’s founder — 20-year-old U.K. resident Grant Manser. As Bleeping Computer reports, Manser’s business had 12,800 registered users, of which 400 bought his tools, launching 603,499 DDoS attacks on 224,548 targets.

Manser was sentenced in April 2016 to two years youth detention suspended for 18 months, as well as 100 hours of community service. According to BC’s Catalin Cimpanu, the judge in Manser’s case went easy on him because he built safeguards in his tools that prevented customers from attacking police, hospitals and government institutions.

ANALYSIS

As a journalist who has long sought to expose the booter and stresser industry and those behind it, this action has been a long time coming. The past three to four years have witnessed a dramatic increase in the number and sophistication of booter services.

In September 2016, this site was the recipient of a record-sized DDoS attack that knocked this site offline for several days. The attack came hours after a story I wrote about the now-defunct booter service vDOS was punctuated by the arrest of two 18-year-old Israeli men allegedly tied to the business. I was able to track them down because vDOS had been massively hacked, and huge troves of data from the service’s servers were shared with KrebsOnSecurity.

vDOS had been in business for four years, but records about how much the business made were incomplete; only two years’ worth of DDoS customer data was available (the rest had apparently been wiped from the server). But in that two years, the records showed that more than 150,000 customer paid in excess of $600,000 to launch DDoS attacks on targeted sites.

The vDos home page.

The vDos home page.

The demise of vDOS exposed a worrying trend in DDoS-for-hire attack services: The rise of hyper-powered booter services capable of launching attacks that can disrupt operations at even the largest of Web sites and hosting providers.

Hours after the Septemeber attack swept KrebsOnSecurity offline, the same attackers hit French hosting giant OVH with an even larger DDoS-for-hire attack. On Oct. 21, 2016, Internet infrastructure provider Dyn was hit by a very similar attack. All three attacks involved collections of hacked computers powered by DDoS-based malware called “Mirai.” This malware doesn’t infect Windows computers, but instead worms its way into Linux-based systems that run on many consumer hardware products like wireless routers, security cameras and digital video recorders that are left operating in factory-default (insecure) settings.

Security experts say the crime machine that caused problems for Dyn was not the same one that was used to knock my site offline in September. That’s because at the beginning of October the miscreant responsible for creating Mirai leaked the source code for the malware online. Since then, dozens of new Mirai robot networks or “botnets” have been spotted being used to launch cyberattacks — including the one used to attack Dyn. And in some cases, the criminals at the helm of these weapons of mass disruption are renting out “slices” or shares of the botnet to other crooks, typically at the rate of several thousand dollars per week.

I applaud last week’s actions here in the United States and abroad, as I believe many booter service customers patronize them out of some rationalization that doing so isn’t a serious crime. The typical booter service customer is a teenage male who is into online gaming and is seeking a way to knock a rival team or server offline — sometimes to settle a score or even to win a game. One of the co-proprietors of vDos, for example, was famous for DDoSsing the game server offline if his own team was about to lose — thereby preserving the team’s freakishly high ‘win’ ratios.

But this is a stereotype that glosses over a serious, costly and metastasizing problem that needs urgent attention. More critically, early law enforcement intervention for youths involved in launching or patronizing these services may be key to turning otherwise bright kids away from the dark side and toward more constructive uses of their time and talents before they wind up in jail. I’m afraid that absent some sort of “road to Damascus” moment or law enforcement intervention, a great many individuals who initially only pay for such attacks end up getting sucked into an alluring criminal vortex of digital extortion, easy money and online hooliganism.

‘Avalanche’ Crime Ring Leader Eludes Justice

jeudi 8 décembre 2016 à 23:38

The accused ringleader of a cyber fraud gang that allegedly rented out access to a criminal cloud hosting service known as “Avalanche” is now a fugitive from justice following a bizarre series of events in which he shot at Ukrainian police, was arrested on cybercrime charges and then released from custody.

Gennady Kapkanov. Source: NPU.gov

Gennady Kapkanov. Source: NPU.gov

On Nov. 30, authorities across Europe coordinated the arrest of five individuals thought to be tied to the Avalanche crime gang, in an operation that the FBI and its partners abroad described as an unprecedented global law enforcement response to cybercrime.

According to Ukrainian news outlets, the alleged leader of the gang — 33-year-old Russian Gennady Kapkanov — did not go quietly. Kapkanov allegedly shot at officers with a Kalashnikov assault rifle through the front door as they prepared to raid his home, and then attempted to escape off of his 4th floor apartment balcony.

Ukrainian police arrested Kapkanov and booked him on cybercrime charges. But a judge in the city of Poltava, Ukraine later ordered Kapkanov released, saying the prosecution had failed to file the proper charges (including charges of shooting at police officers), charges which could have allowed authorities to hold him much longer. Ukrainian media reports that police have since lost track of Kapkanov.

Ukraine’s Prosecutor General Yuri Lutsenko is now calling for the ouster of the prosecutor in charge of the case. Meanwhile, the Ukranian authorities are now asking the public for help in re-arresting Kapkanov.

kapkanovguns

Weapons police say they seized from Kapkanov’s apartment. Source: npu.gov.ua

Built as a criminal cloud-hosting environment that was rented out to scammers, spammers other ne’er-do-wells, Avalanche has been a major source of cybercrime for years. In 2009, when investigators say the fraud network first opened for business, Avalanche was responsible for funneling roughly two-thirds of all phishing attacks aimed at stealing usernames and passwords for bank and e-commerce sites.  By 2011, Avalanche was being heavily used by crooks to deploy banking Trojans.

The U.K.’s National Crime Agency (NCA), says the more recent Avalanche fraud network comprised up to 600 servers worldwide and was used to host as many as 800,000 web domains at a time.

Kapkanov, in blue with his hands over his head, standing on his 4th-floor balcony. Image: npu.gov.ua

Kapkanov, in blue with his hands over his head, standing on his 4th-floor balcony. Image: npu.gov.ua

Kapkanov's drivers license. Source: npu.gov.ua.

Kapkanov’s drivers license lists an address in the United Kingdom. Source: npu.gov.ua.

Researchers Find Fresh Fodder for IoT Attack Cannons

mardi 6 décembre 2016 à 16:22

New research published this week could provide plenty of fresh fodder for Mirai, a malware strain that enslaves poorly-secured Internet of Things (IoT) devices for use in powerful online attacks. Researchers in Austria have unearthed a pair of backdoor accounts in more than 80 different IP camera models made by Sony Corp. Separately, Israeli security experts have discovered trivially exploitable weaknesses in nearly a half-million white-labeled IP camera models that are not currently sought out by Mirai.

A Sony IPELA camera. Image: Sony.

A Sony IPELA camera. Image: Sony.

In a blog post published today, Austrian security firm SEC Consult said it found two apparent backdoor accounts in Sony IPELA Engine IP Cameras  devices mainly used by enterprises and authorities. According to SEC Consult, the two previously undocumented user accounts — named “primana” and “debug” — could be used by remote attackers to commandeer the Web server built into these devices, and then to enable “telnet” on them.

Telnet — a protocol that allows remote logons over the Internet — is the very same communications method abused by Mirai, which constantly scours the Web for IoT devices with telnet enabled and protected by factory-default passwords.

“We believe that this backdoor was introduced by Sony developers on purpose (maybe as a way to debug the device during development or factory functional testing) and not an ‘unauthorized third party’ like in other cases (e.g. the Juniper ScreenOS Backdoor, CVE-2015-7755),” SEC Consult wrote.

It’s unclear precisely how many Sony IP cameras may be vulnerable, but a scan of the Web using Censys.io indicates there are at least 4,250 that are currently reachable over the Internet.

“Those Sony IPELA ENGINE IP camera devices are definitely reachable on the Internet and a potential target for Mirai-like botnets, but of course it depends on the network/firewall configuration,” said Johannes Greil, head of SEC Consult Vulnerability Lab. “From our point of view, this is only the tip of the iceberg because it’s only one search string from the device we have.”

Greil said there are other undocumented functionalities in the Sony IP cameras that could be maliciously used by malware or miscreants, such as commands that can be invoked to distort images and/or video recorded by the cameras, or a camera heating feature that could be abused to overheat the devices.

Sony did not respond to multiple requests for comment. But the researchers said Sony has quietly made available to its users an update that disables the backdoor accounts on the affected devices. However, users still need to manually update the firmware using a program called SNC Toolbox.

Greil said it seems likely that the backdoor accounts have been present in Sony cameras for at least four years, as there are signs that someone may have discovered the hidden accounts back in 2012 and attempted to crack the passwords then. SEC Consult’s writeup on their findings is available here.

In other news, researchers at security firm Cybereason say they’ve found at least two previously unknown security flaws in dozens of IP camera families that are white-labeled under a number of different brands (and some without brands at all) that are available for purchase via places like eBay and Amazon. The devices are all administered with the password “888888,” and may be remotely accessible over the Internet if they are not protected behind a firewall. KrebsOnSecurity has confirmed that while the Mirai botnet currently includes this password in the combinations it tries, the username for this password is not part of Mirai’s current configuration.

But Cybereason’s team found that they could easily exploit these devices even if they were set up behind a firewall. That’s because all of these cameras ship with a factory-default peer-to-peer (P2P) communications capability that enables remote “cloud” access to the devices via the manufacturer’s Web site — provided a customer visits the site and provides the unique camera ID stamped on the bottom of the devices.

Although it may seem that attackers would need physical access to the vulnerable devices in order to derive those unique camera IDs, Cybereason’s principal security researcher Amit Serper said the company figured out a simple way to enumerate all possible camera IDs using the manufacturer’s Web site.

“We reverse engineered these cameras so that we can use the manufacturer’s own infrastructure to access them and do whatever we want,” Serper said. “We can use the company’s own cloud network and from there jump onto the customer’s network.”

Lior Div, co-founder and CEO at Cybereason, said a review of the code built into these devices shows the manufacturer does not appear to have made security a priority, and that people using these devices should simply toss them in the trash.

“There is no firmware update mechanism built into these cameras, so there’s no way to patch them,” Div said. “The version of Linux running on these devices was in some cases 14 years old, and the other code libraries on the devices are just as ancient. These devices are so hopelessly broken from a security perspective that it’s hard to really understand what’s going on in the minds of people putting them together.”

Cybereason said it is not disclosing full technical details of the flaws because it would enable any attacker to compromise them for use in online attacks. But it has published a few tips that should help customers determine whether they have a vulnerable device. For example, the camera’s password (888888) is printed on a sticker on the bottom of the devices, and the UID — also printed on the sticker — starts with one of these text strings:

textstrings

The sticker on the bottom of the camera will tell you if the device is affected by the vulnerability. Image: Cybereason.

The sticker on the bottom of the camera will tell you if the device is affected by the vulnerability. Image: Cybereason.

“People tend to look down on IoT research and call it junk hacking,” Cybereason’s Yoav Orot wrote in a blog post about its findings. “But that isn’t the right approach if researchers hope to prevent future Mirai botnet attacks. A smart (insert device here) is still a computer, regardless of its size. It has a processor, software and hardware and is vulnerable to malware just like a laptop or desktop. Whether the device records The Walking Dead or lets you watch your cat while you’re at work, attackers can still own it. Researchers should work on junk hacking because these efforts can improve device security (and consumer security in the process), keep consumer products out of the garbage heap and prevent them from being used to carry out DDoS attacks.”

The discoveries by SEC Consult and Cybereason come as policymakers in Washington, D.C. are grappling with what to do about the existing and dawning surge in poorly-secured IoT devices. A blue-ribbon panel commissioned by President Obama issued a 90-page report last week full of cybersecurity policy recommendations for the 45th President of the United States, and IoT concerns and addressing distributed denial-of-service (DDoS) attacks emerged as top action items in that report.

Meanwhile, Morning Consult reports that U.S. Federal Communications Commission Chairman Tom Wheeler has laid out an unexpected roadmap through which the agency could regulate the security of IoT devices. The proposed certification process was laid out in a response to a letter sent by Sen. Mark Warner (D-Va.) shortly after the IoT-based attacks in October that targeted Internet infrastructure company Dyn and knocked offline a number of the Web’s top destinations for the better part of a day.

Morning Consult’s Brendan Bordelon notes that while Wheeler is set to step down as chairman on Jan. 20, “the new framework could be used to support legislation enhancing the FCC’s ability to regulate IoT devices.”

DDoS, IoT Top Cybersecurity Priorities for 45th President

mardi 6 décembre 2016 à 00:27

Addressing distributed denial-of-service (DDoS) attacks designed to knock Web services offline and security concerns introduced by the so-called “Internet of Things” (IoT) should be top cybersecurity priorities for the 45th President of the United States, according to a newly released blue-ribbon report commissioned by President Obama.

commish“The private sector and the Administration should collaborate on a roadmap for improving the security of digital networks, in particular by achieving robustness against denial-of-service, spoofing, and other attacks on users and the nation’s network infrastructure,” reads the first and foremost cybersecurity recommendation for President-elect Donald Trump. “The urgency of the situation demands that the next Administration move forward promptly on our recommendations, working closely with Congress and the private sector.”

The 12-person, non-partisan commission produced a 90-page report (PDF) and recommended as their very first action item that the incoming President “should direct senior federal executives to launch a private–public initiative, including provisions to undertake, monitor, track, and report on measurable progress in enabling agile, coordinated responses and mitigation of attacks on the users and the nation’s network infrastructure.”

The panel said this effort should build on previous initiatives, such as a 2011 program by the U.S. Department of Commerce called the Industry Botnet Group.

“Specifically, this effort would identify the actions that can be taken by organizations responsible for the Internet and communications ecosystem to define, identify, report, reduce, and respond to attacks on users and the nation’s network infrastructure,” the report urged. “This initiative should include regular reporting on the actions that these organizations are already taking and any changes in technology, law, regulation, policy, financial reimbursement, or other incentives that may be necessary to support further action—while ensuring that no participating entity obstructs lawful content, applications, services, or nonharmful devices, subject to reasonable network management.”

The report spans some six major imperatives, including 16 recommendations and 63 associated action items. The second major imperative focuses on IoT security concerns, and urges the federal government and private industry to embark upon a number of initiatives to “rapidly and purposefully to improve the security of the Internet of Things.”

“The Department of Justice should lead an interagency study with the Departments of Commerce and Homeland Security and work with the Federal Trade Commission, the Consumer Product Safety Commission, and interested private sector parties to assess the current state of the law with regard to liability for harm caused by faulty IoT devices and provide recommendations within 180 days,” the panel recommended. “To the extent that the law does not provide appropriate incentives for companies to design security into their products, and does not offer protections for those that do, the President should draw on these recommendations to present Congress with a legislative proposal to address identified gaps, as well as explore actions that could be accomplished through executive order.”

Meanwhile, Morning Consult reports that U.S. Federal Communications Commission Chairman Tom Wheeler has laid out an unexpected roadmap through which the agency could regulate the security of IoT devices. The proposed certification process was laid out in a response to a letter sent by Sen. Mark Warner (D-Va.) shortly after the IoT-based attacks in October that targeted Internet infrastructure company Dyn and knocked offline a number of the Web’s top destinations for the better part of a day.

Morning Consult’s Brendan Bordelon notes that while Wheeler is set to step down as chairman on Jan. 20, “the new framework could be used to support legislation enhancing the FCC’s ability to regulate IoT devices.”

ANALYSIS

It’s nice that this presidential commission placed a special emphasis on IoT and denial-of-service attacks, as these two threats alone are clear and present dangers to the stability of e-commerce and free expression online. However, this report overall reads very much like other blue-ribbon commission reports of years past: The recommendations eschew new requirements in favor of the usual calls for best practices, voluntary guidelines, increasing industry-government information sharing, public/private partnerships, and public awareness campaigns.

One recommendation I would like to have seen in this report is a call for federal legislation that requires U.S.-based hosting providers to block spoofed traffic from leaving their networks.

As I noted in a November 2015 story, The Lingering Mess from Default Insecurity, one major contributor to the massive spike in denial-of-service attacks over the past few years is that far too many ISPs and hosting providers allow traffic to leave their networks that did not originate there. Using well-known attack techniques known as traffic amplification and reflection, an attacker can “reflect” his traffic from one or more third-party machines toward the intended target.

In this type of assault, the attacker sends a message to a third party, while spoofing the Internet address of the victim. When the third party replies to the message, the reply is sent to the victim — and the reply is much larger than the original message, thereby amplifying the size of the attack. According to the latest DDoS report from Akamai, more than half of all denial-of-service attacks in the third quarter of 2016 involved reflection and spoofing.

One basic step that many ISPs and hosting providers can but apparently are not taking to blunt these spoofing attacks involves a network security standard that was developed and released more than a dozen years ago. Known as BCP38, its use prevents abusable resources on an ISP’s network from being leveraged in denial-of-service. BCP38 is designed to filter such spoofed traffic, so that the reflected traffic from the third party never even traverses the network of an ISP that’s adopted the anti-spoofing measures.

However, there are non-trivial economic reasons that many ISPs fail to adopt this best practice. This blog post from the Internet Society does a good job of explaining why many ISPs decide not to implement BCP38. Ultimately, it comes down to cost and to a fear that adoption of this best practice will increase costs and prompt some customers to seek out providers that do not enforce this requirement. In some cases, U.S.-based hosting providers that allow spoofing/reflection have been sought out and recommended among miscreants involved in selling DDoS-for-hire services.

In its Q3 2016 State of the Internet report, Akamai notes that while Chinese ISPs occupy the top two sources of spoofed traffic, several large U.S.-based providers make a showing here as well:

Image: Akamai.

Image: Akamai.

It is true that requiring U.S. hosting providers to block spoofing would not solve the spoofing problem globally. But I believe it’s high time that the United States led by example in this arena, if only because we probably have the most to lose by continued inaction. According to Akamai, more than 21 percent of all denial-of-service attacks originate from the United States. And that number has increased from 17 percent a year ago, Akamai found. What’s more, the U.S. is the most frequent target of these attacks, according to DDoS stats released this year by Arbor Networks.

Visa Delays Chip Deadline for Pumps To 2020

vendredi 2 décembre 2016 à 18:06

Visa this week delayed by three years a deadline for fuel station owners to install payment terminals at the pump that are capable of handling more secure chip-based cards. Experts say the new deadline — extended from 2017 — comes amid a huge spike in fuel pump skimming, and means fraudsters will have another three years to fleece banks and their customers by installing card-skimming devices at the pump.

Until this week, fuel station owners in the United States had until October 1, 2017 to install chip-capable readers at their pumps. Under previous Visa rules, station owners that didn’t have chip-ready readers in place by then would have been on the hook to absorb 100 percent of the costs of fraud associated with transactions in which the customer presented a chip-based card yet was not asked or able to dip the chip (currently, card-issuing banks eat most of the fraud costs from fuel skimming). The chip card technology standard, also known as EMV (short for Europay, MasterCard and Visa) makes credit and debit cards far more expensive and difficult for thieves to clone.

This week, however, Visa said fuel station owners would have until October 1, 2020 to meet the liability shift deadline.

A Bluetooth-based pump card skimmer found inside of a Food N Things pump in Arizona in April 2016.

A Bluetooth-based pump card skimmer found inside of a Food N Things pump in Arizona in April 2016.

“The fuel segment has its own unique challenges, which we recognized when we first set the chip activation date for automated fuel dispensers/pumps (AFDs) two years after regular in-store locations,” Visa said in a statement explaining its decision. “We knew that the AFD segment would need more time to upgrade to chip because of the complicated infrastructure and specialized technology required for fuel pumps. For instance, in some cases, older pumps may need to be replaced before adding chip readers, requiring specialized vendors and breaking into concrete. Furthermore, five years after announcing our liability shift, there are still issues with a sufficient supply of regulatory-compliant EMV hardware and software to enable most upgrades by 2017.”

Visa said fuel pump skimming accounts for just 1.3 percent of total U.S. payment card fraud.

“During this interim period, Visa will monitor AFD fraud trends closely and work with merchants, acquirers and issuers to help mitigate any potential counterfeit fraud exposure at AFDs,” Visa said.

Avivah Litan, a fraud analyst with Gartner Inc., said the deadline shift wasn’t unexpected given how many U.S. fuel stations are behind on costly updates, noting that in some cases it can cost more than $10,000 per pump to accommodate chip card readers. The National Association of Convenience Stores estimates that station operators will spend approximately $30,000 per store to accommodate chip readers, and that the total cost to the fuel industry could exceed $4 billion.

“Some of them you can just replace the payment module inside the pump, but the older pumps will need to be completely removed and replaced,” Litan said. “Gas stations and their unattended pumps have always been an easy target for thieves. The fraud usually migrates to the point of least resistance, and we’re seeing now the fraudsters really moving to targeting unattended stations that haven’t been upgraded.”

The delay comes as some states — particularly in the southern United States — are grappling with major increases in fuel station skimming attacks. In September, KrebsOnSecurity published a detailed look at nine months’ worth of fuel pump skimming incident reports filed by police and regulators in Arizona, which said it saw more fuel station skimming attacks in the month of August 2016 than in all of 2015 combined.

That report about Arizona’s skimmer scourge found that thieves tend to target pumps that are furthest from the pump station and closest to the street. They also favored stations that did not employ basic security measures such as tamper-evident security tape and security cameras.

Crooks involved in fuel pump skimming generally are tied to organized crime gangs, as evidenced by this Nov. 2015 investigation into fuel theft gangs operating in Southern California . The thieves most often use stolen master keys or bribery to gain access to the pumps. Once inside the pumps, the thieves hook up their skimmer to the pump’s card reader and PIN pad. The devices also are connected to the pump’s electric power — so they don’t need batteries and can operate indefinitely. Increasingly, these thieves are installing Bluetooth-based skimmers that can transmit stolen data wirelessly, allowing thieves to avoid taking the risky step of retrieving their skimmer gear.

Some pump skimming devices are capable of stealing debit card PINs as well, so it’s good idea to avoid paying with a debit card at the pump. Armed with your PIN and debit card data, thieves can clone the card and pull money out of your account at an ATM. Having your checking account emptied of cash while your bank sorts out the situation can be a huge hassle and create secondary problems (bounced checks, for instance).

“That’s exactly the sort of advice fuel station owners don’t want given to consumers,” Litan said. “For filling stations, credit is their least favorite form of payment because it’s the most expensive for them, which is why some stations offer lower prices for debit card transactions. But consumers should never use a debit card at a gas station.”

Want to learn more about skimming devices? Check out my series, All About Skimmers.

Error happened! 0 - SQLite3::exec(): database disk image is malformed In: /home/cochisebee/www/autoblog/autoblogs/autoblog.php:285 http://autoblog.cochi.se/autoblogs/krebsonsecuritycom_4eab703a256df265f3abda6134d777218e00ffe9/?44 #0 [internal function]: exception_error_handler(2, 'SQLite3::exec()...', '/home/cochisebe...', 285, Array) #1 /home/cochisebee/www/autoblog/autoblogs/autoblog.php(285): SQLite3->exec('INSERT INTO art...') #2 /home/cochisebee/www/autoblog/autoblogs/autoblog.php(418): VroumVroum_Blog->insertOrUpdateArticle('https://krebson...', 'Chinese Antivir...', 'https://krebson...', 1600380201, '

The ...') #3 /home/cochisebee/www/autoblog/autoblogs/autoblog.php(932): VroumVroum_Blog->update() #4 /home/cochisebee/www/autoblog/autoblogs/krebsonsecuritycom_4eab703a256df265f3abda6134d777218e00ffe9/index.php(1): require_once('/home/cochisebe...') #5 {main}