The Potential of Mobil Speedpass
by A.M.
My first Speedpass Key Tag arrived, unsolicited, in a glossy cardboard box (about the size used to mail videotapes) on a cold November morning. Eagerly, I opened the box to find a small plastic Key Tag, measuring approximately 3-3/4 cm x 3/4 cm, with a metal key ring through one end and three plastic ribs at the other.
The tip of the ribbed end touts "MADE IN MALAYSIA". One side has a hot-stamped MOBIL imprint, the flip side has "your" personal eight-character transponder ID number.
Also inside was a letter from Mr. M.L. Eason; Manager, Card Business, describing the real and imagined benefits of using this new marketing tool, activation instructions, and the fact that I received it because I was one of Mobil's "Most Valued Customers"!!!
Before I activated the Key Tag, I decided to attempt a purchase with it. This was fueled by Mr. Eason's claim that there was "No more waiting for credit authorization." Following the directions in the six-page brochure included with my new toy, I held the Key Tag up to the square "Place Speedpass Here" area on the credit card-accepting pump.
Within one second the Mobil logo, a round flying red horse emblem, lit, indicating that I was cleared to begin pumping! My stomach tightened, much the same way it does when you have two 7's on a slot machine, and you're waiting for a third!
But alas, by the time I got my act together and started with the nozzle towards my tank, the horsie light went dark.... Damn. Oh, and then, the LCD on the pump read: PLEASE SEE CASHIER
Uh oh. I tried the tag on the next pump, but got the same cashier message immediately. Walking into the station, I handed the lovely attendant my antique plastic charge device (Mobil Credit Card), nervously said "Fill-up," and bought myself $15 worth of gas - no questions asked... whew.
Later on, I followed M.L.'s advice and called 800-459-2266 to activate my Key Tag. Lisa thanked me for calling, and asked me for my Key Tag number (no problem). My "Bill to Credit Card" number (any valid credit card that Mobil accepts, ATM/debit cards not accepted at this time). Is a receipt desired at each Key Tag purchase? (Nah.) And, um, for security reasons, my date of birth and Social Security number...
Red Flag! Now I've been an avid 2600 reader for many years, and I know better than to share this privileged information with anyone, even the lovely-voiced Lisa, but alas, she wouldn't budge on this issue, so, in the name of Electronic Petroleum Purchasing, as well as to advance the hacking sciences, I provided the necessary data and soon returned to the pumps for my first transponder transaction.
Traveling to a different Mobil station, I slowly approached the pump's P.S.H. square, and, when I got to within an inch of the sign, I smiled at the illuminated equine, and quickly began pumping my gas, possible since the emblem remained lit (by the way, you do have the option of canceling the Key Tag purchase before you vend product, and paying via a different method, or just leaving).
Well, I got my gas and no receipt (as requested), and considered the fact that before activated, I may have been able to vend a few cents of recycled dinosaurs before my simultaneous pumping and authorization was denied (the only way that M.L. Eason's statement about "No more waiting for credit authorization" makes any sense. That is, if indeed, it is true at all.)
A few days later I called the 800 number and requested a second Key Tag (free) for my "wife" and a battery-operated Car Tag (also free) for my "girlfriend" (really now). No problem sir, they're on their way. When my duplicate (or, more correctly, linked) Car Tag arrived, it was time for dissection class...
Welcome to BIO 149.9
The plastic tag, developed in conjunction with the Wayne Division of Dresser Industries and Texas Instruments, opened easily when my 40-watt soldering iron, equipped with a sharp X-Acto blade, melted along the flashing line on the casing. I quickly uncovered a ribbed silicone rubber sleeve inside, measuring 2-1/2 cm x 1/4 cm. Slicing open this shock absorber, I unearthed, to my surprise, a tiny sealed glass ampule (3/4 cm x 1/4 cm).
I was working carefully to keep the patient alive. Close (and I do mean close) observation revealed a tiny coil assembly at one end, and an even smaller printed circuit board at the other. I cracked open one end of the vial and watched as a fluid (assumed to be liquid silicone for shock-absorbing and moisture retarding purposes) drained out onto the operating table.
(Hey! Schooltime Prank - insert the unopened glass ampule into a drilled-out pencil, and shock/amaze your friends when you "Beat the System" and get "free unleaded gasoline" from your "lead-free pencil.")
Anyway, after drying off the miniature transponder board, I realized that it held a multiple-winding coil around a ferrite core, as well as a two-sided PC board which had a few surface-mounted components on one side (assumed to be a diode, resistor, and a capacitor), as well as a black epoxy-covered microprocessor on the other side. The extreme tip of the board had four copper pads exposed, presumably to power/program the logic during assembly.
By the way, the patient survived the operation, as I was able to activate the pump with the transponder outside of its glass "body."
Now, utilizing deductive reasoning as taught in BIO 151.9 (yea, yea, gas prices are always rising), we may assume the following series of events:
- Holding the Key Tag up to the P.S.H. sign brings the coil's windings close enough to allow the gas pump's internally-mounted coil to inductively couple with the Key Tag's coil, effectively forming two halves of a transformer.
- This AC voltage is now rectified via the PCB mounted diode.
- DC voltage is directed to the epoxy-doped microprocessor/emitter, which then begins outputting my transponder's unique ID code.
- The resultant flea-powered transmission, made possible by using the resistor/capacitor array, along with the transmission winding of the coil, is directed back into the pump.
- A (very) temporary "local" go-ahead is issued, illuminating Pegasus, and allowing you to pump gas while an authorization is sought via conventional (landline or satellite) means.
- If you pass the test (your activated Key Tag number, valid credit card account number, and station information all check out), the pump controller receives an "O.K. to continue vending" signal, allowing you to finish your $1.59.9 a gallon purchase. The pump also is told whether or not to issue you a paper receipt (you may, at any time, call the 800 number to toggle this status).
As far as the security aspects of my go-juice gadgets (both the Key Tag and the Car Tag) are concerned, Mobil assures us that the transponders do not transmit your credit card number, just your unique transponder number, which is linked up to the chosen credit card number at the authorization center. You also have the option of canceling before you vend. In the case of the Car Tag, an errant authorization request is, indeed, possible.
Since the use of these devices does not require a PIN of any type, your account is only as secure as the devices' current owner. Anyone breaking into your car and taking the Car Tag, or finding your keys with the Key Tag attached, can have a field day with their free gas device. We can only assume that Mobil's crack software developers included a built-in daily "Vend up to $XX.XX and then issue an inquiry" (remember my "PLEASE SEE CASHIER" message) or fraudulent-use limit. I assume that, like with gasoline charge cards, the maximum limit to your responsibility for fraudulent use of your missing device varies from state to state.
It is interesting to note here that all stations equipped with the self-service Smart Pumps also have a decent amount of CCTV cameras trained on the users, vehicles, and license plates. While waiting for Part 2 ("Mobil Speedpass Car Tag") of this article, why not visit their website for more information at: www.mobil.com/speedpass
Perhaps you'll be able to answer the question "What are those flimsy dipole antennae doing over all of the Smart Pumps???"