Card thieves 'skimming' pay-at-the-pump customers
By David Geer
As if the high cost of gas wasn't enough, credit and debit card users who pay at the pump have to face a new way to be gouged at the pump: skimmers.
Skimmers are inconspicuous electronic devices that thieves install either inside or outside a gas pump. These small and inexpensive devices record card numbers as you pay for your petrol. Free-roaming fraudsters and gas station insiders then help themselves to the card information in the skimming devices, then go out and use the stolen card numbers to make fraudulent purchases.
According to electronic payments expert Richard Crone, of the 1.36 million gas pumps in the United States, an estimated 700,000 gas pumps accept pay-at-the-pump -- and not one of those pumps is secure against skimming.
Some skimmers also incorporate the use of tiny remote cameras to capture PIN numbers of debit card users who enter them at pump-side.
More technologically advanced skimmers are turning to wireless technology, to intercept signals some gas stations use to transmit card data from the pumps to their central computers. Instead of manually installing the equipment on the pumps, they can lurk in their cars nearby while downloading your card information to a laptop, says Jeff Wakefield, a vice president with VeriFone, the largest secure payment terminal vendor.
But the basic technique for getting credit and debit card data from gas pumps is not rocket science: Crooks simply attach card-skimming devices to exposed wiring inside the pump to collect card data before it is secured, according to Wakefield.
Other skimming technology attaches outside the pump. The devices can cost anywhere from $50-$600 and can be as small as a pager. The card swipe is essentially captured twice: once for the gas purchase and then again for the crooks. The devices are then removed from the pump at a later date or time.
'Point of sale' a weak link
Visa first noted a rise in credit and debit card skimming at the pump in its November 2006 data security alert. According to the alert, skimming operations have been targeting gas pumps at increasing rates. At least 60 percent of people buy gas using pay-at-the-pump, says Jeff Lenard, vice president of communications of the National Association of Convenience Stores (NACS).
Gartner, a leading global technology analyst firm, predicts that in 2008, most attacks against retailers will target their point-of-sale hardware, which includes pay-at-pump terminals. Its prediction is based in part on its 2007 study of 160 cases of credit card data being compromised. Of those, 128 took place at a brick-and-mortar retailer's point of sale. Crooks have found a weak spot in point-of-sale terminals and are exploiting it, according to Avivah Litan, a vice president and analyst with Gartner.
Skimming occurs in bursts, says Mike Urban, senior director of fraud solutions at Fair Isaac Corp., the company behind the FICO credit score. "There are periods of time during which criminals try to compromise several terminals, then they start using the card information," says Urban. Skimming operations by insiders (those who contract with or work for the gas stations) compromise as many as 2,000 cards at a time, while outside operations compromise a few hundred cards at a time, he says.
Consider these stories:
• In March 2007, an Orange County man plead guilty to skimming credit and debit cards at pumps at Arco/AM-PM gas stations, according to the U.S. Attorney's office. The man stole information from 90 cards, using it to create phony cards. He then withdrew $186,000 from the victim's accounts at ATMs.
• In August 2007, the Los Angeles County Sheriff's Department reported that someone had installed a skimming device at a USA Gas Station in Agoura Hills. The same gas station had fallen victim to skimming a few months prior, costing victims thousands of dollars.
• In January 2008, crooks skimmed credit and debit card information from at least nine customers at a Newport Beach Exxon station.
Fraud graduates to wireless
Some retail outlets connect their gas pump hardware to their main computers wirelessly, creating a new weak spot. Crooks who can identify such a station can bypass the risk of installing skimming machines. Instead, they hack in via a wireless connection and download credit and debit card information directly from retailer computers, according to Gartner's Litan. Once they're "in," they can simply sit somewhere in signal range, stealing via a wireless-connected a laptop.
According to a Visa USA Inc. Data Security Alert, Visa is addressing this by urging retailers to comply with the Payment Card Industry (PCI) standard, which requires retailers to separate wireless networks from those that carry sensitive cardholder information.
While shoring up weak points with standards is possible, stamping out the crime is a different matter. "It's hard for the credit card companies to mandate to the fuel industry what they need to do when there hasn't been any solution that stops skimming," says Wakefield.
How to protect yourself
To prevent your credit or debit card from being skimmed at a gas station:
• Go in the store to process transactions and sign all credit card receipts, recommends Jean Ann Fox, director of financial services of Consumer Federation of America.
• Check your statement as soon as it arrives or online and report inconsistencies quickly, adds Fox. "This is especially true with debit cards. If you don't report it fast enough, you can lose the opportunity to get your money back," Fox says.
• If you do suspect skimming, call law enforcement immediately. "Let the station attendant know, but don't rely on them to call the police," says IDTheftSecurity.com CEO Robert Siciliano. Until the industry has answers, consumers are their own best protection.
To comment on this story, write Editors@CreditCards.com. See more credit card news.
See related: "Coping with the gas pump."
Published: March 17, 2008