This incident, the latest in a wave of such attacks, highlights two concerns: that skimming isn't limited to ATMs, and that banking institutions and customers have yet another vulnerability to consider regarding payment card transactions.
Unlike ATM skimming devices, which are attached to the exterior of a machine, over the card reader, the Shell skimming device was actually inside the terminal, wired between the card scanner and the computer board.
Nicole Sturgill, research director at financial consultancy TowerGroup, says pay-at-the-pump terminals are more vulnerable to hidden skimming attacks because universal gas pump keys make them easy to access. In comparison, ATMs are required to have unique keys and codes for service and maintenance checks.
"Anyone who knows the key can get in," Sturgill says.
Little Control

When it comes to skimming attacks, financial institutions, as card-issuers, have little control.
"Once the terminal is outside the branch, there's not much the bank can do," says Mike Urban, senior director of global fraud solutions at FICO, which provides decision-management and predictive-analytics solutions for financial institutions.
When a card is compromised, however, the card issuer has to reimburse the customer. If incidents of skimming at unattended terminals such as pay-at-the-pump continue to rise, gaps in security may be looked at with more scrutiny.
Universal keys, as an example, pose serious security risks, Urban says, and attacks on pay-at-the-pump terminals are escalating. Pointing to a case in Utah, where 180 pay-at-the-pump terminals were compromised with skimming devices and Bluetooth technology to transmit the card data, Urban illustrates the magnitude of the problem.
"It's certainly a concern and an issue that's been around for a while," he says. "They're easy to get into. One would think that each specific gas station would have a key," but that's not the case.
Urban says compromises at pay-at-the-pump reflect a larger security concern: the explosion of self-service devices that now accept payments, with little focus paid to card data protection. "It's critical that we have standards that protect any kind of kiosk that takes payment information, like we have in place for the ATM."
Encryption, with PIN pads and standards that resemble what for years have been required of ATMs, is a first step, Urban says.
"Counterfeit card fraud is definitely growing," he says. "It's not going to go away."