Pay-at-Pump Skimming Attacks

Hi guys,

According to experts, pay-at-the-pump skimming attacks could increase in U.S gas stations and are expected to surge between now and the end of 2016. Self-serve gas pumps are now becoming prime targets for criminals as these are easier skimming devices than ATMs.

A bulletin was issued On Oct. 4 by the police in Post Falls seeking the public’s help with the arrest of two individuals who are suspected to be linked to an organized crime ring. Over the last few months, this crime ring has swindled  U.S. banking institutions out of between $8 million and $15 million by running a nationwide pay-at-the-pump skimming spree and fraud scheme.

In the wake of EMV adoption, fraud is migrating making self-service channels, such as pay-at-the-pump and ATMs, prime targets.

“Unattended, and especially older, self-service gas pumps are, and have always been, a very attractive target for criminals… and they will become increasingly attractive, as these will be some of the last payment acceptance devices to be upgraded to EMV in the U.S.” says financial fraud expert Avivah Litan, an analyst at consultancy Gartner.

EMV fraud liability shift for physical point-of-sale devices in the U.S. was October 2015 but only in  October 2016 will the liability shift for self-service gas pumps take effect for MasterCard and October 2017 for Visa. October 2017 also is the date set by both card brands for EMV fraud liability shifts at U.S. ATMs.

“According to many large gas pump operators, the addition of a ZIP code dramatically reduces fraud…Otherwise, if they are subject to skimming attacks, they may have to take drastic steps, such as requiring consumers to present their cards physically to personnel inside a protected cage where skimmers can’t penetrate.” Litan added.

Further, fraud-monitoring systems of the card issuers should be also be adjusted to look for signs of  self-serve compromise and subsequent skimming attack, but the petroleum industry shouldn’t solely count on that.

“Gas pumps will be one of the last reliable bastions for mag-stripe card data until at least 2017,…As such, our clients are focusing more of their efforts on self-serve gas pumps when searching for common points of purchase among compromised cards. Until gas stations are in a position to re-terminalize, alarms that indicate a pump has been opened can be effective deterrents to these types of crimes. Though they are only just starting to become popular, we should expect to see more of these systems installed nationwide very soon.” Al Pascual, director of fraud and security at consultancy Javelin Strategy & Research said.

An executive at a leading card-issuing institution on the West Coast who didn’t want to be named mentioned that, skimming attacks against self-serve gas pumps have progressively increased over the last three months, and have affected many states.

He also mentioned steps than can be taken to mitigate these risks. “To place the device on the pump, the fraudster needs access to inside the pump door, so from my perspective, better physical security is needed…From some of the devices we have seen placed, they are on the pumps for several days, if not a few weeks; and in cases of Bluetooth or Wi-Fi enablement, to download the data, the devices may be left on longer, as to not risk capture or removal.”


Post Falls, Idaho: A Skimming Case in Point

Regional banks have reported to the authorities in Post Falls and surrounding areas about compromised credit card accounts linked to pay-at-the-pump gas terminals at many convenience stores and gas stations in the region. There are many reports of ongoing fraudulent activity coming in, so the  total number of cards compromised has not yet been determined.

According to Post Falls Police Capt. Greg McLean, the Bank of America, was one institution which had reported over 100 cardholders impacted by the attacks, where fifty of those accounts are believed to have been compromised by skimming devices at only one gas station in Post Falls.

Two skimming devices on self-serve gas pumps at a Jifi Stop station have been found while other devices have been found in neighbouring communities, including Spokane, Wash., and Airway Heights, Wash, McLean said.

According to the local and federal law enforcement authorities, the two suspects are in Florida because some compromised cards in Post Falls have recently been used in Florida. And these suspects are believed to be part of a nationwide organized crime ring known as The Cubans.

Marjorie Meadors, who oversees card fraud prevention for Louisville-based Republic Bank & Trust, a community bank with $3.2 billion in assets, says pay-at-the-pump skimming attacks linked to gangs out of Miami have been a common problem and have greatly increased their fraud losses for the last year.

download (13)

Stay updated on this rising security concern

Source: Akati

Comments are closed.