Search for ‘pump skimmer’ using your favorite search engine’s news search feature, and you’ll see local media headlines nearly every day reporting on recently discovered fuel pump skimmers. A recent search showed reports from Dallas; Prescott, Ariz.; Houston; Cape Coral, Fla.; Denver; and Saginaw, Mich. all in a one-week period in early 2019.
In 2018 in Florida, the state Department of Agriculture reported skimming incidents were on track to be up nearly 30% year-over-year, a trend that, based on the number of media reports, appeared to be the case across the nation.
Why does the gas pump remain such an attractive target for crooks?
First and foremost, because they are usually unattended. Second, because pump card-reading equipment is generally older, easier to manipulate, and card reads are largely done via a magnetic stripe swipe.
How is the pump attacked?
Generally, an attacker will only place a skimmer on a single fueling position at a given site. These are typically less-visible fueling positions to the in-store staff. They will use tactics such as opening their vehicle door to block station personnel and other customers from viewing their activity.
Shimming Arrives
How are pump attacks evolving?
‘Shimming,’ is a new technique to steal card data from chip cards. While still relatively uncommon, shimming is now occurring and was discovered at various places in the U.S. in 2018.
Shimming involves capturing the exchange of information that occurs at Europay, Mastercard and Visa (EMV) capable payment terminals when reading an EMV-capable card’s chip. While a chip card can’t practically be cloned to another chip card like a magnetic stripe card can, the data that is exchanged during a chip card payment shimming incident can be used to create a counterfeit magnetic stripe card that can then be used to perpetrate payment card fraud at outlets that do not yet support chip card payments.
As most payment channels complete their conversion to chip acceptance, incidentally the aging fuel dispenser payment terminal is becoming one of the more popular places to perpetrate this fraud. Merchants who have upgraded to EMV fuel dispensers are vulnerable to EMV shimmers that capture payment card data, which is then used to perpetrate payment card fraud and fuel theft at merchants who have not upgraded to EMV fuel dispensers. This helps illustrate why simply converting to EMV doesn’t lessen the need to continue to protect and inspect fuel dispenser payment terminals.
Deterring Threats
How can a gas station operator realistically prevent, deter and detect the placement of skimmers?
Basic security practices are a great first step, such as ensuring forecourts are well lit, surveillance cameras have clear line of sight to each fueling position, and cashier windows are unobstructed and have views of all fueling positions.
Taking it further, each payment position should be inspected daily at a minimum. More optimally, a payment position inspection each shift is becoming a best practice. This can serve purposes other than skimmer detection, such as checking window washer fluid, paper towels, island garbage and pump receipt paper. Serialized stickers should be placed on all
hinges and contact points that allow external access to the internal dispenser card-reading components, and these serial numbers should be verified.
More advanced systems, such as FlintLoc’s tamper alarm and detection system can take tamper detection to the next level, notifying store and corporate staff anytime a dispenser is accessed — and can even cut power to a dispenser automatically if tampering is detected.
Apps such as the Skimmer Scanner Android app allow merchants and customers to attempt to detect the presence of popular Bluetooth skimmers. Most Bluetooth skimmers look and act identical, and once those patterns are known, they are relatively easy to detect wirelessly.
How vulnerable are new and emerging payment technologies?
Most payment innovations today are well-protected against traditional account data compromises like skimming. Near Field Communication (NFC), tap-and-go, Apple Pay and similar use some form of tokenization to abstract sensitive payment account data into a one-time use value that cannot be practically reused or used elsewhere.
Some attacks have been discovered for technologies that attempt to bring tap-and-go to legacy magnetic stripe payment terminals, but even those are difficult to pull off in the field and haven’t been seen widespread outside the lab.
Retailer apps with integrated payment functions continue to gain penetration and acceptance in the c-store industry. Most implementations are immune to any form of attack leveraging the actual dispenser payment terminal itself, as most leverage a cloud-based communication channel that bypasses the dispenser payment terminal entirely.
Do you have a plan for responding to skimmers and suspected skimmers?
You should have a plan in place to facilitate specific actions in the event of a suspected or confirmed skimmer. Your plan should work regardless of the day and time of day. Plans can include having site personnel immediately take suspected terminals out of service and call your preferred on-call petroleum service contractor, who should notify law enforcement.
Skimming incidents are often covered by local media. In the unfortunate event where you are the victim of a skimmer, you should be prepared to address media contacts and customer concerns centering around payment card security.
What other considerations should a retailer keep in mind on this topic?
- As you plan fueling hardware investments, be mindful of the October 2020 EMV liability shift at the pump. When upgrading dispensers, don’t miss the opportunity to also add NFC/contactless capabilities.
- Remember that PCI DSS requirement 9.9 requires a certain degree of regular payment terminal inspection and management.
Jeremie Myhren has been managing IT in the convenience retail industry since 2000. He is the chief information officer for Road Ranger in Rockford, Ill.