Posted by: Arian Eigen Heald
ATM Security, Automatic Theft Machines, Hardware & InfoSec, information security
I hadn’t really thought about it, but it made perfect sense the first time I read about it: thieves are capturing credit card and debit card data at the gas pump.
Given that the pump is acting as a big cash register, it makes perfect sense that skimmers could be attached the same way they are attached to an ATM.
Thieves open the pump using a skeleton key and install skimming devices to cables leading to the card reader and PIN pad that pulls data from a card’s magnetic stripe and records the cardholder’s PIN. If the PIN pad encrypts the PIN at the pump, they can attach a miniature camera to record PINS as cardholders enter them.
And this is what is significant: you can’t see the skimmer on the pump because it is inside the pump. There’s no way to know if you’re paying for gas and a little fraud, too.
The skimmers steal credit card numbers, but thieves prefer debit cards because they mean quick cash at automated teller machines. They use the information to make fake cards and hit ATMs – some across the country from the originating theft – for $200 to $800 a pop.
The money is often gone before the debit card holder knows it, and it can take time to correct the problem. One recommendation is to use the Credit rather than Debit feature when filling your tank. Debits allow immediate access to cash and don’t require a signature, two other reasons they are more attractive to criminals.
Skimming has been ramping up starting last year due to the bad economy; thieves need to access cash rather than goods they can resell elsewhere.
Thieves can leave these skimmers attached to pumps for months before removing them—and collecting data from thousands of credit cards. Then, the thieves either sell the credit card information on the internet or they make fraudulent duplicate cards with victim’s account numbers and expiration dates.
In one case, thieves left the same skimmer attached to a single gas pump in Washington for eleven months. (Did no one see this thing???) Then they came back, retrieved the device and drained hundreds of bank accounts in a single weekend.
In May 2008, an investigation was opened into a case in San Jose California in which thieves stole more than $200,000 from 180 victims. Authorities estimate that between $1 million and $3.5 million has been stolen from victims of gas pump identity theft in five states over recent months.
Best advice: If you do want to use a credit or debit card at the gas station, go inside and make the purchase there. Inconvenient, but so is losing all the money in your checking account, or having to close your credit card account.