Pay-At-The-Pump Skimming on the Rise

Credit EligibleAs a BankInfoSecurity.com annual member, this content can be used toward your membership credits and transcript tracking. Click For More Info

At a Shell station in Alachua, FL, last week, a service technician found a skimming device on a pay-at-the-pump terminal when he opened the machine for a routine maintenance check.

This incident, the latest in a wave of such attacks, highlights two concerns: That skimming isn't limited to ATMs, and that banking institutions and customers have yet another vulnerability to consider regarding payment card transactions.

Unlike ATM skimming devices, which are attached to the exterior of a machine, over the card reader, the Shell skimming device was actually inside the terminal, wired between the card scanner and the computer board.

Nicole Sturgill, research director at financial consultancy TowerGroup, says pay-at-the-pump terminals are more vulnerable to hidden skimming attacks because universal gas pump keys make them easy to access. In comparison, ATMs are required to have unique keys and codes for service and maintenance checks.

"Anyone who knows the key can get in," Sturgill says.

Little Control

"Once the terminal is outside the branch, there's not much the bank can do," says Mike Urban, senior director of global fraud solutions at FICO, which provides decision-management and predictive-analytics solutions for financial institutions.

When a card is compromised, however, the card issuer has to reimburse the customer. If incidents of skimming at unattended terminals such as pay-at-the-pump continue to rise, gaps in security may be looked at with more scrutiny.

Click to Get Updates on the Latest Information Security News

Company* Title* Email* Subscription Type: HTML Text Healthcare Enews General Healthcare Enews Blogs Enews Careers Enews Training Enews Webinars Enews Podcasts Enews White Papers Enews Government Enews General Government Enews Blogs Enews Careers Enews Training Enews Webinars Enews Podcasts Enews White Papers Enews Banking Enews General Banking Enews Blogs Enews Careers Enews Training Enews Webinars Enews Podcasts Enews White Papers Enews Credit Union Enews General Credit Union Enews Blogs Enews Careers Enews Training Enews Webinars Enews Podcasts Enews White Papers Enews Need Help?

Universal keys, as an example, pose serious security risks, Urban says, and attacks on pay-at-the-pump terminals are escalating. Pointing to a case in Utah, where 180 pay-at-the-pump terminals were compromised with skimming devices and Bluetooth technology to transmit the card data, Urban illustrates the magnitude of the problem.

"It's certainly a concern and an issue that's been around for a while," he says. "They're easy to get in to. One would think that each specific gas station would have a key," but that's not the case.

Urban says compromises at pay-at-the-pump reflect a larger security concern: the explosion of self-service devices that now accept payments, with little focus paid to card data protection. "It's critical that we have standards that protect any kind of kiosk that takes payment information, like we have in place for the ATM."

Encryption, with PIN pads and standards that resemble what for years have been required of ATMs, is a first step, Urban says.

"Counterfeit card fraud is definitely growing," he says. "It's not going to go away."