Pay-At-The-Pump Skimming Saga Grows
Chuck Groat, a vice president of bankcard risk management at Zions, which has $50 billion in assets, says Denver is "definitely the hotspot." Zions tracked 15 separate locations where customers' cards had been compromised, and the majority of those pumps are owned and operated by the same gas retailer.
Zions tracked 15 separate locations where customers' cards had been compromised, and the majority of those pumps are owned and operated by the same gas retailer.
The problem also is getting attention in Arizona, where last week Gov. Jan Brewer directed the state Department of Weights and Measures to increase gas pump inspections, as well as to work with gas station owners to find ways to fight the crime. A political ploy to draw attention from the state's highly contested immigration law, or a directive with teeth? You be the judge.
And then earlier this month, three skimming devices were found at two gas stations near Interstate 75 in Alachua County, Fla. Last week, new reports of stations targeted around Gainesville, part of Alachua County, began to surface. With so many tourists traveling the highway to and from vacation points, the pumps are obviously fruitful targets.
The attacks definitely go in waves and travel in geographical pockets, says Robert Siciliano, founder of IDTheftSecurity.com. Those pockets, in part, explain why disparate parts of the country are simultaneously being hit. In that way, they're similar to ATM ram raid attacks, which have as much to do with opportunity as return on investment.
Criminal networks oftentimes hit gas station chains because the chains use the same pay-at-the-pump equipment. "They find out everything they need to know to duplicate the fascia of the machine or enter the terminal itself," Siciliano says. "And then, because they understand how that design of pump works, they just keep working it and working it and working it."
Encrypting PIN pads, more breach liability placed on merchants, and tighter controls on the terminals themselves - such as the discontinuance of universal access keys and the installation of alarm systems when locks or fascias are tampered with - are the best solutions. "The gas stations have to get into compliance," Siciliano says. "Maybe that means they send their people out every 30 minutes to an hour to make sure there are no skimming devices on the machines."
But that's a short-term solution. Siciliano agrees the merchants must be pushed to invest in more security. "They need technology that will defeat the skimming devices. For a $2,000 to $3,000 investment, they can make these things secure."
Learn from the banking industry, which 10 years ago was caught by surprise when fraudsters capitalized on security vulnerabilities at ATMs. Shame on gas merchants for getting caught by surprise now. But then again, until the merchants are held accountable for these breaches, we can't expect much change.