BreachExchange mailing list archives

2016: The year of the gas station skimmer


From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Wed, 27 Jan 2016 18:28:44 -0600

http://www.creditcards.com/credit-card-news/year-of-gas-station-skimmer-1282.php

Gas prices are low, but consumers are finding a different kind of pain at
the pump: Having credit card information stolen via skimmers installed in
gas pumps. It's happening more and more, and experts say skimming is likely
to continue to rise in 2016 due to two factors.

One is skimming technology, which is becoming more sophisticated. Skimmers
once were large-ish devices set atop machines and recognizable as out of
place to the discerning machine-user. Nowadays, they're as small as a thumb
drive and much more difficult to detect.

Second, along with most ATMs, fueling stations have until October 2017 to
update pumps with EMV technology, which accommodates credit cards with
electronic chips. Why? Time and money. Gas pumps are highly regulated
objects. After the new technology is installed, local authorities must
inspect and re-certify every single pump. The industry will spend $3.9
billion retooling the country's 800,000 fuel pumps, according to Gray
Taylor, executive director of Alexandria, Virginia-based Conexxus. Conexxus
is the technology-and-standards arm of the National Association of
Convenience Stores, a trade association for convenience stores and fueling
stations.

*'Last bastion' for thieves*
Until fueling pumps are outfitted with EMV technology, they will read
credit card magnetic stripes, "one of the last bastions" for thieves, says
Eva Velasquez, president and CEO of the Identity Theft Resource Center, a
San Diego-based nonprofit that assists victims of identity theft.
Magnetic-stripe technology, she says, lacks layers of protection. "If
thieves know how to compromise that, that's where they will go," she says.
"It's lucrative -- people wouldn't do it if it wasn't."

It's a serious enough problem that Conexxus held a webinar on the topic in
December 2015. Its title: "Defending the Island."

"The devices are being found at small merchants, large merchants, urban,
rural, new and old convenience stores, so nobody is exempt," says Kara
Gunderson, point-of-sale manager for Citgo Petroleum Corp., who moderated
the webinar.

Gas pumps, especially those in remote locations, are attractive targets, as
their remoteness gives thieves time and privacy to install skimming
devices. The pumps most likely to get a skimmer: those off interstate
highways, farthest from the cash register, says Taylor of Conexxus.

Law enforcement officials agree that skimming is an issue at fuel pumps.
"Criminals stay up on things just like the rest of us," says Lt. John
Faine, criminal investigations section commander in Warren County Sheriff's
Office, Lebanon, Ohio, one of several Ohio municipalities where skimmers
have been found. "They see this as an opportunity."


According to Faine, consumers are vulnerable at gas stations because
fueling up has become a habit that doesn't require much attention. "It's
such a matter-of-fact thing," he says. "People have so many things on their
mind -- they don't notice" if the credit card reader seems weird. Some
skimming victims have, in hindsight, remembered that the card reader had "a
weird feeling, like the slot had been tampered with," Faine says. "It
wasn't noticeable when it happened, but after the fact, they said, 'You
know what, it did feel like something was off when I put my card in.'"

*Problem widespread*
While there are no national statistics about the crime, it's clearly
ratcheted higher. For example:

   - Warren County has called the Federal Bureau of Investigation to help
   find the forces behind a recent rash of skimming. To date, Faine's office
   has seized skimming devices, but no thieves. Elsewhere in Ohio, officials
   are asking gas station owners to improve locks on pumps to deter skimmer
   installers.
   - In Florida, after a 2015 sweep by Department of Agriculture officials
   turned up 150 gas station skimmers, legislation
   <http://www.myfloridahouse.gov/Sections/Bills/billsdetail.aspx?BillId=55694>
   was proposed in November stiffening requirements placed on gas station
   owners and penalties for skimming. The bill passed its first legislative
   hurdle in January.
   - In California, the Ventura County Sheriff's Office launched "Operation
   Take Back the Pumps <http://www.vcsd.org/press-release.php?id=1352>" to
   inspect all 1,500 gas pumps in the county in August. Three devices were
   found.
   - New York's Gov. Andrew Cuomo in November announced
   <https://www.governor.ny.gov/news/governor-cuomo-announces-new-statewide-effort-crack-down-illegal-credit-and-debit-card-skimmers>
   a statewide crackdown that includes new training for inspectors to spot
   skimmers. An initial sweep of gas pumps uncovered six devices.

*Tips for consumers*
Given the near-invisibility of the devices, it might not be possible to
totally avoid a skimming scam. Still, consumers can take several steps to
protect their cards at fueling stations. Among the options:

   - Pay inside, with cash or a credit card, rather than at the pump.
   Chances are good that thieves have not entered the physical building to
   tamper with the pump.
   - Be suspicious if the gas pump has a broken security seal, or the word
   "void" appears on it. These are part of a voluntary program by the industry
   to thwart gas pump tampering.
   - Choose pumps closest to the physical building, not the ones hidden
   around the corner.
   - Use a credit card, not debit card, when you pay. If a credit card
   number is skimmed, you're playing with the bank's money and protected by the
   card's zero-liability policy
   <http://www.creditcards.com/credit-card-news/4-keys-zero-liability-policies-debit-credit-1282.php>.
   A stolen debit card number could yield far worse damage. "If a debit card
   gets compromised, and they have your PIN, you've just given someone access
   to your cash," says Velasquez of the Identity Theft Resource Center.
   - Pay attention when fueling and if it feels weird, don't do it.
   Sometimes, thieves also swap out the card readers attached to the skimmers.
   In those cases, they can deliver an unusual feeling to the inserted card --
   it may stick or otherwise feel not quite right. If that happens, cancel the
   transaction and pay inside.

*Tips for retailers*
The National Association of Convenience Stores and Conexxus are also
issuing precautions for retailers. NACS's website contains a skimming
resource guide
<http://www.nacsonline.com/Solutions/Store-Security-Signage/Pages/Skimming-and-Payments-Security.aspx>.
In 2012, Conexxus set up a database available to members for retailers to
report and track skimming incidents.
Last year, Conexxus updated its skimmer-resource package for gas station
operators, advising them to take the following precautions:

   - Change the locks on gas pumps.
   - Use and track pump security seals. These large labels are adhered to
   the pump, near the credit card reader. If the pump is opened, the label
   will read "void," which means the machine has been tampered with.
   - Shut down and bag suspect pumps, and have the machine checked for
   skimmers.
   - Make pump inspection part of the daily routine for employees. "You'll
   see stories out there where the employee found the skimmer because they
   were doing exactly what we said," says Taylor. He adds that thieves can
   have counterfeited security stickers, which is why, during daily
   inspection, employees should make sure serial numbers on the stickers match
   the station's master list.

Following those precautions should stop thieves from installing skimmers,
and protect the innocent roadster who's just trying to gas up. "There's no
excuse for a merchant to get skimmed," says Taylor. "Our theory is, if we
have one skimmer in the industry, it's too much."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
