TORONTO — Hackers attacked the payment systems of some North American gas station pumps and gained access to customers’ credit card data, according to Visa.
The credit card giant has issued multiple warnings to gas station owners over the past month, alerting them that it learned of one successful attack in August and another in September.
Visa describes the summer attacks as “significantly more advanced” than skimming, in which unauthorized devices are attached to debit or credit card readers and record information related to all cards subsequently swiped through the reader.
In these new attacks, hackers are able to get into the gas station’s point-of-sale (POS) systems after first entering their computers through a phishing email or other methods. Once in the POS system, the attackers’ program scrapes credit and debit card information in real-time, as payments are made at the pumps.
Visa says it believes gas stations are being targeted more frequently in these attacks because they have generally been slower to replace swipe-only card readers with the more secure chip-reading devices.
It is not clear if either attack hit a gas station in Canada, where chip readers are far more widespread than they are in the U.S.
The company is advising all businesses that use card readers to switch to chip-accepting machines as soon as possible, saying it will “significantly lower the likelihood of these attacks.” By next October, Visa will be absolving itself of all liability for fraud over non-chip devices, with merchants instead bearing full liability for any losses incurred by Visa card users on those devices.
Visa says it believes the September attack was carried out by FIN8, a group known to attempt to hack businesses in the retail, restaurant and hospitality sectors for financial benefit.
ZDNet reported in June that security researchers were seeing an upswing in FIN8-related activity after the group had been virtually dormant for two years. According to Visa, FIN8 is also believed to be behind an attack that took place this summer on a North American hospitality company and bore many similarities to the September attack on the gas station.
December 15, 2019