Pay-At-The-Pump Skimming on the Rise

Institutions, Customers Paying for Lack of Security on Gas Terminals

At a Shell station in Alachua, FL, last week, a service technician found a skimming device on a pay-at-the-pump terminal when he opened the machine for a routine maintenance check.

This incident, the latest in a wave of such attacks, highlights two concerns: that skimming isn't limited to ATMs, and that banking institutions and customers have yet another vulnerability to consider regarding payment card transactions.

Unlike ATM skimming devices, which are attached to the exterior of a machine, over the card reader, the Shell skimming device was actually inside the terminal, wired between the card scanner and the computer board.

Nicole Sturgill, research director at financial consultancy TowerGroup, says pay-at-the-pump terminals are more vulnerable to hidden skimming attacks because universal gas pump keys make them easy to access. In comparison, ATMs are required to have unique keys and codes for service and maintenance checks.

"Anyone who knows the key can get in," Sturgill says.

Little Control

When it comes to skimming attacks, financial institutions, as card-issuers, have little control.

"Once the terminal is outside the branch, there's not much the bank can do," says Mike Urban, senior director of global fraud solutions at FICO, which provides decision-management and predictive-analytics solutions for financial institutions.

When a card is compromised, however, the card issuer has to reimburse the customer. If incidents of skimming at unattended terminals such as pay-at-the-pump continue to rise, gaps in security may be looked at with more scrutiny.

Universal keys, as an example, pose serious security risks, Urban says, and attacks on pay-at-the-pump terminals are escalating. Pointing to a case in Utah, where 180 pay-at-the-pump terminals were compromised with skimming devices and Bluetooth technology to transmit the card data, Urban illustrates the magnitude of the problem.

"It's certainly a concern and an issue that's been around for a while," he says. "They're easy to get in to. One would think that each specific gas station would have a key," but that's not the case.

Urban says compromises at pay-at-the-pump reflect a larger security concern: the explosion of self-service devices that now accept payments, with little focus paid to card data protection. "It's critical that we have standards that protect any kind of kiosk that takes payment information, like we have in place for the ATM."

Encryption, with PIN pads and standards that resemble what for years have been required of ATMs, is a first step, Urban says.

"Counterfeit card fraud is definitely growing," he says. "It's not going to go away."


About the Author

Tracy Kitten

Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




