Pump 5 at the Gulf station on Route 3A in Hingham, Massachusetts, had been reported malfunctioning for a few days, and when technicians finally opened it up Wednesday, they discovered hackers had snuck in a "skimmer," a device to steal motorists' credit card numbers as they swipe them to buy gas.
It was just the latest in a national epidemic of gas station hacking. In the last week alone, according to news reports, skimmer devices have reportedly been found not just in Hingham but in Goffstown, New Hampshire; Bloomington, Minnesota; Howell, Michigan; Cape Coral, Florida; seven counties in Ohio; and 12 parishes around Baton Rouge, Louisiana.
"Federal law enforcement is calling this a crime wave, an identity-theft crime wave," data security expert John Moynihan of Minuteman Governance said in an interview Friday afternoon.
Hackers are exploiting an obvious vulnerability, Moynihan said.
"I think it is because the gas stations were exempt from the chip and PIN rule that went into effect in October of 2015," requiring retailers to upgrade to a new kind of credit card that uses an encrypted computer chip instead of an easily hackable magnetic stripe, he said.
Gasoline retailers, Moynihan said, "because of the expense of replacing a gas pump or changing it can wait until 2017. So the thieves have evolved to this type of identity theft. It’s a very bold kind of identity theft, and I think it’s going to be rampant. You really can’t do anything. The readers are invisible, so you simply can’t see them."
Many of the devices come with a Bluetooth wireless transmission capability, so after they've opened a pump housing once to install the skimmer, hackers can just come back, park their vehicle, and use a laptop computer to pull in, by Bluetooth, the card data the skimmer has recorded. The likeliest way hackers would be detected and targeted for arrest would be at the point they attempt to sell or use the card numbers.
Hingham Police said they have still not confirmed whether the device found at the Gulf station there was successfully used to steal anyone's card data, or whether it was successfully deployed. They're asking anyone who thinks they may have information about when and how the skimmer was installed to call their detectives at (781) 749-1212.
Motorists we talked to at a service plaza on the Massachusetts Turnpike in Natick said they'd heard about the skimmers but couldn't see how to protect themselves.
"I always check my credit-card statement and balance, so I'm pretty careful," said Pam Wilson of Barrington, Illinois. But in terms of using a gas pump charge card panel: "I'm not really sure what to look for to see if it's happening on the gas pump that you're using."
Ron Searles of Chesapeake, Virginia, up visiting his son at college, said, "I probably don't really look at it hard. I mean, if something looks out of place, I figure I would notice it but for the most part I guess I'm relying on the retailer to be looking out for that."
One thing you can do to protect yourself, possibly, is to avoid the gas pump that's the farthest away from the station cashier, or out of their line of sight. That's likeliest to be the one the bad guys would pick for a skimmer, to avoid being detected by the station attendant during the time it would take to open up the pump housing and install it.
Also, if you use a bank card that can be debit or credit, don't make a debit purchase at a gas station, because that could get your bank account drained.
"If the debit card number and the PIN are captured, that could be catastrophic, so you should definitely, if you can, use a credit card instead," which normally has full protection against fraudulent charges, Moynihan said.
With videographer Nik Saragosa