Gas pump and ATM skimmers: How to spot them
Use your eyes, fingers, an app and common sense to cut your fraud risk
Expert on fraud, travel and debt.
Your eyes, fingers and now even your smartphone may be able to help you spot card skimmers at gas pumps and ATMs, but nothing is foolproof.
“Some of the newer skimmers are almost impossible to see, even if you know what you’re looking for,” says David Tente, U.S. executive director of the ATM Industry Association.
Skimmer fraud soaring at ATMs and gas pumps
During the first six months of 2017, the number of compromised ATMs and point-of-sale devices jumped 21 percent, compared to the first six months of 2016, according to data from FICO. Meanwhile, the number of compromised cards soared 39 percent.
That comes on the heels of a 30 percent increase in compromised devices from 2015 to 2016, and a 70 percent increase in compromised cards during that time, according to FICO.
Experts also note an increase in gas pump skimmers. Florida, for example, tracks the number of skimmers found at gas stations. Through July 18, 2017, authorities had found 315 skimmers, nearly triple the number found in the same period in 2016.
The ATM EMV liability shift was in October 2016 for Mastercard and October 2017 for Visa.
Gas pumps received a three-year extension on EMV transition in 2017, meaning fuel pumps will continue to be a fertile field for fraudsters with skimmers until October 2020. EMV chip technology has reduced fraud at the checkout counter since the EMV liability shift in October 2015.
Until fueling pumps read EMV chip cards, gas stations will be “one of the last bastions” for thieves, says Eva Velasquez, president and CEO of the Identity Theft Resource Center.
Magnetic-stripe technology, she says, lacks layers of protection. “If thieves know how to compromise that, that’s where they will go,” she says. “It’s lucrative – people wouldn’t do it if it wasn’t.”
Gas pump skimming: How big a risk is it?
There are no reliable statistics on the extent of skimming, since it is a local crime and not centrally tracked, but experts say it is on the rise.
How big is the risk? According to the National Association for Convenience Stores:
- 37 million Americans refuel every day.
- Of them, 29 million pay for fuel with a credit or debit card.
- When skimming occurs at a gas station, it usually takes place at only one pump.
- A single compromised pump can capture data from 30 to 100 cards per day.
So how can you spot a skimmer and reduce your risk of card fraud during your holiday travels?
1. Use your eyes: Look before you insert your card.
Before you slide your card in a fuel pump or ATM, take a good look at the keyboard and card reader, says Jeremy Hajek, industry associate professor of information technology and management at the Illinois Institute of Technology.
“Does anything look different if this is an ATM you’ve used before?” Tente asks.
Bad guys can use a 3-D printer to create a new keyboard to put on top of the real one. The keyboard might look different than the rest of the ATM, or the keys could look bigger.
With fuel pumps, is the seal broken? To place a skimmer inside a fuel pump, fraudsters must open the fuel dispenser door to insert the skimmer.
Station employees may place serial-numbered security tape across the dispenser door, so check to see if the tape has been broken, according to NACS, the Association for Convenience & Fuel Retailing. If there’s no tape, check to see if the dispenser door looks as though it has been forced open.
Also, look inside the throat of the card reader to see if you can spot anything hidden there, Tente says. A skimmer inside a gas pump or ATM can steal the information off the magnetic stripe of your credit card or debit card.
2. Use your fingers: If something doesn’t feel right, move on.
Wiggle the ATM card reader to see if it’s loose, Tente suggests. The crooks might place a card reader on top of the existing one, he says.
You should also be wary if it’s hard to insert your credit card or debit card.
Some gas station credit card skimming victims have, in hindsight, remembered that the card reader had “a weird feeling, like the slot had been tampered with,” says Lt. John Faine, criminal investigations section commander in Warren County Sheriff’s Office, Lebanon, Ohio.
“It wasn’t noticeable when it happened, but after the fact, they said, ‘You know what, it did feel like something was off when I put my card in.’”
3. Use your phone: Apps now can alert you to possible skimmers.
A free Skimmer Scanner Android app released in September 2017 scans for available Bluetooth connections looking for a device with title HC-05. How does it work? A blog post from SparkFun, the app maker, explains:
“If found, the app will attempt to connect using the default password of 1234. Once connected, the letter ‘P’ will be sent. If a response of ‘M’ then there is a very high likelihood there is a skimmer in the Bluetooth range of your phone (5 to 15 feet).”
If your smartphone detects a skimmer, use a different pump or go to a different gas station.
How does Bluetooth relate to skimmers?
In the past, bad guys had to return to the the fuel pump or ATM to retrieve skimmers. That’s not always the case now.
Thieves have begun to use Bluetooth technology to glean your credit card or debit card information. The crime is called bluesnarfing or blue skimming, and the crooks can sit 100 yards away in their vehicle while credit and debit card information is transmitted to their laptop.
Blue skimming is tough to detect, says Karl Sigler, threat intelligence manager at Trustwave SpiderLabs Research. Sigler has tried to do spot skimmers by checking the Bluetooth on his phone. “It’s hard to decide what’s skimming and what’s a Bluetooth headphone,” he says.
4. Use your common sense: Use fuel pumps and ATMs in safe places.
Avoid gas pumps that are out of sight of the clerk and ATMs in areas with little traffic.
“Criminals attack low-hanging fruit,” says Hayek,
It’s particularly important to be cautious at non-bank ATMs, such as those located at convenience stores or nightclubs, says Michael Betron, senior director of product management at FICO.
Non-bank ATMs accounted for the majority of compromised devices in 2016, he notes. Often with non-bank ATMs, “no one is around for a long time so it’s easier to get a skimmer in there,” he says.
At banks, on the other hand, security is tighter, with cameras recording transactions and more people coming and going. But “bank ATMs are more profitable” for the bad guys, Betron says, as more transactions take place there.
At ATMs, always cover the keyboard when you type your PIN. There might be a new cardboard box containing literature next to the ATM, which crooks set up to conceal a pinhole camera, Tente says. They use the camera to record you as you key in your PIN.
There is no foolproof way to spot skimmers.
The challenge comes from skimmers that are so small that they can be embedded inside the ATM, says Sigler. “It’s becoming harder and harder to physically identify skimmers that are in place.”
These small skimmers can’t be spotted – even if you’re using your eyes, fingers and your common sense – he says, and the criminal needs to use a special retriever to extricate them.
So what else can you do to protect your card information when you’re out shopping, using an ATM or filling your gas tank?
Law officers and gas pump and ATM experts suggest:
Pay inside, with cash or a credit card, rather than at the pump.There is less chance a fraudster placed a card skimmer on the payment terminal in front of the clerk inside the gas station or convenience store. However, it takes just seconds to place a skimmer on a card reader, as this video shows, if a clerk is distracted.
In fact, the sheriff’s office in Austin, Texas, has urged area residents to pay for gas inside because card skimmers were so common at area fuel pumps.
Choose pumps closest to a physical building.Also, for obvious personal safety reasons, do not use fuel pumps or ATMs hidden around the corner of the building. Avoid sketchy ATMs, warns CreditCards.com expert Erica Sandberg. If the ATM seems jimmied, steer clear, she says.
Use a credit card, not a debit card, when you pay.If a credit card number is skimmed, you’re playing with the bank’s money and protected by the card’s zero-liability policy. A stolen debit card number could yield far worse damage.
“If a debit card gets compromised, and they have your PIN, you’ve just given someone access to your cash,” says Velasquez of the Identity Theft Resource Center.
Use your issuer’s fraud alerts and check your card statements.Set up fraud alerts on your credit cards. Nearly every issuer offers these, and many will email and/or text you when your card is used at a gas station. Check your credit card and debit card transactions frequently to make sure no fraudulent activity has occurred.
Consider paying or withdrawing cash with your digital wallet.If you have Apple Pay, Samsung Pay or Android Pay – or your card issuer or bank’s mobile wallet – paying by phone is an incognito way to make a payment or withdraw cash at an ATM offering cardless access. Essentially, your credit card company sends a randomly generated 16-number token or code to your smartphone as a stand-in credit card number.
Some gas stations are even beginning to offer this option, such as if you pay through ExxonMobil‘s Speedpass+ app.
See related: The new card skimming is called 'shimming', 6 ways to reduce your risk of skimmer fraud, How credit cards take a bite out of gas prices, Rack up card rewards on your next road trip, Gas rewards credit cards
- Busted for card theft? What to expect – The penalties you face for using someone else’s credit card without their permission vary by state and how you used the card. ...
- It may soon be safer to type passwords on public Wi-Fi – New privacy protocol, WPA3, will better secure your online browsing activity and Wi-Fi-connected gadgets ...
- Senate bill proposes free credit freezes to fight identify theft – Consumers will get free, fast credit freezes to halt ID theft under a Senate bill, which also cuts protections against unfair and risky lending ...