The Green Sheet Online Edition
August 23, 2010 • Issue 10:08:02
Skimmers shifting from ATMs to gas pumps
A rash of recent incidents in Florida involving card skimmers at gas stations may indicate a shift away from the use of skimmers at ATM sites and toward their use at other automated payment kiosks, analysts have said. Gas stations appear to be particularly vulnerable.
Two skimming devices were found July 23, 2010, at a Gainesville, Fla. gas station. Gainesville is in Alachua County, where several other skimmers had been found earlier in the month. The first one was found at an Aluchua County Shell station on July 6; two more were then discovered at a nearby Sunoco station on July 8.
According to Michael Tyler, Director of Marketing, Integrated Systems for VeriFone Inc., the Florida incidents are part of a growing problem in the United States.
"We've seen an increase in the focus of the data criminals on fuel dispensers targeting areas where you'd typically see crime - New York, Florida, California, Las Vegas," he said. "Candidly, the economic downturn of 2008 and 2009 coupled with $4 a gallon gas prices really hurt this industry."
There appear to be several reasons behind the rise in the use of skimmers at gas stations. One is that banks and ATM providers have ramped up the security around ATMs, prompting criminals to seek other unguarded targets.
Another reason is the relatively lax security at many gas stations and the ease with which criminals can perpetrate large-scale thefts using skimmers at service pumps, according to Tyler, who added that pumps open using a universal key that yields access to the mainframe and circuitry used to route electronic transactions.
"There's a common set of keys that will open almost any fuel dispenser out there, and you can buy them on eBay," Tyler said.
"Bad guys drive up to the fuel stations, pose as a pump technician and open up the terminal, usually from the side of a pump that's opposite the cashier so they can't be seen without a camera," he added. "They'll unplug one cable that connects the key pad to the display and fit in a connector device. It takes two minutes."
Also, many pumps do not use encryption at the immediate POS, instead routing transactions to the station's central terminal (located in the attended kiosk or service station) before they're encrypted. Tyler said criminals thus get readable data; they usually install a Bluetooth or other transmitter with the skimming piece to relay card data to a nearby computer.
Many stations behind the curve on PCI
According to Tyler, the newest Payment Card Industry (PCI) Data Security Standard (DSS) addresses these and other problems - by mandating, among other things, that service pumps contain encryption measures, unique access controls and tamper resistant modules that deactivate upon detection of a foreign presence.
But he added that, although the July 1, 2010, deadline for implementing the new measures has passed, many gas stations lag behind.
That is true of merchants generally, but Tyler said gas station owners are having special difficulty mustering both the initiative and the funding to achieve PCI DSS compliance. He said upgrades that run as high as $3,000 per fuel dispenser combined with the sheer number of dispensers out there can total more money than many franchises are willing to spend.
"The problem with fuel stations is that credit card fees are the biggest cost component of their business," Tyler said. "The margin they make on fuel is all gone with the costs from card transactions, which make up the bulk of their transactions."
However, Dee Karawadra, founder, President and Chief Executive Officer at Impact PaySystem, a merchant service provider that specializes in gas stations and convenience stores, said skimming at service stations has yet to mushroom into a major problem. He said the biggest security concern has long been the practice of using service pumps as a testing ground for stolen cards; gas pumps are favored targets because they are unattended and ubiquitous.
He added that the volume of consumer traffic at gas stations can be its own security check against skimmers.
"An average gas station sees something like 200 or 300 people a day," Karawadra said. "People are constantly coming in and out, where at ATMs it can be easier [to plant a skimmer] because often nobody's around to see you.
"I've heard some stories of skimming going on here and there, but it's not as big a problem as you might think. Criminals are always one step ahead of us but, as of yet, I haven't heard of any major issues."
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.