Visa is sending warnings to anyone who pumps gas that there's a chance their credit card numbers have been stolen by malicious hackers who know how to steal credentials.
In a recently released security warning, the credit card company said that it's discovered a hacking group it's calling Fin8 that's exploiting a weakness in gas station point-of-sale networks that allows the hackers to remotely obtain credit card information from gas pumps.
According to Visa, the breach starts by the hackers finding a way into the gas station's network via phishing scams. Once inside the network, they covertly install scraping software that targets mag-stripe card readers that don't use a chip.
When customers go to the pump and swipe their cards, the scraping software intercepts the credit card information and sends it back to the hackers, unencrypted, so they can use the cards or sell the information on the dark web.
Visa said that it discovered multiple attacks using this technique, but didn't say in the security report how widespread the problem is or where the affected gas stations are located.
Worst of all, customers are powerless to stop the hack. If you go to a gas station that requires you to swipe, you're effectively circumventing newer technologies like the chip that make it harder to hack your credit card information. A simple mag-stripe swipe has little to no security, leaving your credentials at risk.
Visa itself didn't offer any simple protection for you to follow, either. Instead, the company said that the hack isn't possible in gas stations that use the chip reader, and encouraged gas stations to swap out the old and less-secure mag-stripe readers for newer and safer chip-based alternatives.
If nothing else, the hack also highlights how dangerous it is to be a consumer today. Even when you're trying to get some gas, your credit card information can be stolen by a hacking group nowhere near your location. Worse yet, with no protections in place at the gas station itself, you're powerless to stop it. You can only hope that your local gas station hasn't been hacked or try to find another location with newer and safer technology.
Looking ahead, Visa is trying to do something about gas station hacking. The company said that it will require all gas stations to use chip readers by October 2020 or face the possibility of being liable for the fraud themselves.
The problem, however, is that many gas stations don't want to incur the estimated $250,000 cost of deploying the new payment technologies. So, whether a large number of gas stations will actually move to the new version next year is unknown. In the meantime, swipers, beware.