Pay-at-the-Pump Card Fraud Revs Up
Arizona Is Hot Spot for Latest Skimming SpreeCard fraud linked to pay-at-the-pump gas terminals in Arizona tourist spots such as Tucson is on the rise, as travel season gears up for spring. Last week, Tucson, Ariz., Police Sgt. Michael Garcia told a local TV station that pay-at-the-pump skimming has been on the rise since January, when Tucson police confiscated the city's first gas pump card skimmer.
Local law enforcement quickly responded in mid-January by telling gas station owners to check card readers on fuel pumps more regularly, as well as warn consumers about the dangers of paying with plastic at the pump.
The problem is not new. Last July, Arizona Gov. Jan Brewer directed the state Department of Weights and Measures to increase gas pump inspections, and directed the department to work more closely with gas station owners to explore ways to fight the crime, which was escalating even then.
The challenge with pay-at-the-pump terminals is that they're difficult to inspect. Unlike ATM skimming, which involves placing a skimming device over an ATM's external card reader, a skimming device at a pay-at-the-pump terminal is placed inside the pump's enclosure, where it is visibly undetectable.
Nicole Sturgill, research director at financial consultancy TowerGroup, says pay-at-the-pump gas terminals are more vulnerable to hidden skimming attacks because they are easy to access. The use of universal access keys, which open pump enclosures, remain a mainstay in the petrol market. Anyone with a key to a certain pump's make and model can essentially open any pump of the same make and model. In comparison, ATMs are required to have unique access keys and codes for enclosure access for service and maintenance.
"Anyone who knows the key can get in," Sturgill says.
Once installed, the devices collect card numbers and then transmit card data wirelessly, usually via Bluetooth, to fraudsters who are often nearby.
Easy Targets = Opportunity
Robert Siciliano, CEO of www.IDTheftSecurity.com, says warmer climates make the best environments for skimming. That's because the weather is more conducive for skimmer adhesive. "Colder climates, along with dirt, dust and road salt, prohibit a strong seal of a skimmer," he says.That explains why last summer, tourist destinations in Florida saw a rash of pay-at-the-pump skimming attacks. The skimming problem at gas stations along Interstate 75 in Alachua County, Fla., got so bad that law enforcement recommended consumers start paying with cash only.
John Buzzard, who oversees client relations for FICO's Card Alert Service, which provides decision management and predictive analytics for card issuers, says increased PIN-debit usage at self-service gas pumps, as well as other unattended self-service terminals that take plastic, also has fueled card fraud. "Debit usage is at an all-time high," Buzzard says. "More and more consumers are using PIN debit at the pumps, so this makes for a rich harvest for the criminals."
But Buzzard is quick to point out that while gas pumps may be easy targets, they aren't the only ones fraudsters are targeting with more skill. "The points of interest for criminals to gather cards and PINs are always a little cyclical," he says. "Today we have an influx of gas pump skimming, and tomorrow an organized group could easily decide to target supermarkets or restaurants."
Location, Economy Are Factors
Gartner Analyst Avivah Litan says geographic location plays a role in the skimming dilemma as well."Arizona is notorious for being a top five or 10 state in having the most identity-theft or account takeover-related crime. California has always, similarly, been right up there," she says. "A lot of it has to do with the demographics and high unemployment rates in those states, and the fact that it's easier for the crime bosses to find 'mules' and other 'lackeys' that are willing to do their dirty work," like installing skimming devices on ATMs or inside pay-at-the-pump enclosures, in spite of video surveillance.
Litan says pay-at-the-pump skimming attacks have been increasing over the last 12 to 18 months. "They are so easy to get away with," she says. "These attacks are at least a decade old, but Eastern European hacker masterminds have started cashing in on them over the past two years."
Chuck Groat, a vice president of bankcard risk management at Zions Bank ($50 billion in assets), knows first hand about how pay-at-the-pump skimming hurts banks and consumers.
Last summer, Zions tracked 15 separate gas-pump locations where customers' cards had been compromised, the majority of which were owned and operated by the same gas retailer. Since January 2010, production of counterfeit cards created from skimmed Zions' customers has increased 200 percent, Groat says, and there's nothing Zions can do to stop it. "Someone needs to make them [the retailer] more aware of the problems and responsible for losses," he says.
Zions also got hit by the recent Arizona attacks. "My belief is that it just goes back to these machines are easy targets to capture both PIN and mag details," Groat says. "As long as the merchants continue to see that it is not their problem, they will not be proactive in protecting the pumps from intrusion."