Data Breach , Fraud

New Wave of Pay-at-Pump Skimming Attacks

Organized Crime Steals Millions in Advance of EMV
New Wave of Pay-at-Pump Skimming Attacks

U.S. gas stations should brace for upticks in pay-at-the-pump skimming attacks, experts say. These attacks are expected to surge between now and the end of 2016, as fraudsters shift their attacks away from physical points of sale and more toward unattended self-service terminals, such as self-serve gas pumps and ATMs.

See Also: Achieving Advanced Threat Resilience: Best Practices for Protection, Detection and Correction

Self-serve gas pumps are expected to be criminals' prime targets, as they have historically been much easier to target for skimming devices than ATMs (see Pay-at-the-Pump Fraud Grows).

A recent rash of pay-at-the-pump skimming attacks in Post Falls, Idaho illustrates why this type of offense is becoming a cause for concern.

On Oct. 4, police in Post Falls issued a bulletin, seeking the public's help with the arrest of two individuals they suspect are linked to an organized crime ring responsible for a nationwide pay-at-the-pump skimming spree and fraud scheme that has swindled U.S. banking institutions out of between $8 million and $15 million over the last several months.

"Unattended, and especially older, self-service gas pumps are, and have always been, a very attractive target for criminals," says financial fraud expert Avivah Litan, an analyst at consultancy Gartner. "And they will become increasingly attractive, as these will be some of the last payment acceptance devices to be upgraded to EMV in the U.S." (see EMV: C-Stores Have Long Way to Go).

While the EMV fraud liability shift for physical point-of-sale devices in the U.S. was October 2015, the liability shift for self-service gas pumps does not take effect until October 2016 for MasterCard and October 2017 for Visa. October 2017 also is the date set by both card brands for EMV fraud liability shifts at U.S. ATMs.

Many experts, including Litan, have long warned that the U.S. can expect to see fraud migrate in the wake of EMV adoption, adding that self-service channels, such as pay-at-the-pump and ATMs, are prime targets (see Why ATM Fraud Will Continue to Grow).

Litan says convenience stores and gas stations should, at the very least, require customers to enter ZIP codes for payment authorization to add an additional layer of authentication when paying at the pump.

"According to many large gas pump operators, the addition of a ZIP code dramatically reduces fraud," Litan says. "Otherwise, if they are subject to skimming attacks, they may have to take drastic steps, such as requiring consumers to present their cards physically to personnel inside a protected cage where skimmers can't penetrate."

Litan says card issuers also should tune their fraud-monitoring systems to look for indicators that might suggest a self-serve compromise and subsequent skimming attack, although the petroleum industry shouldn't solely count on that.

Al Pascual, director of fraud and security at consultancy Javelin Strategy & Research, says banking institutions are focusing more attention on detecting common points of compromise linked to pay-at-the-pump skimming attacks. Banks know attacks against self-serve gas terminals are going to increase, and they are bracing for it.

"Gas pumps will be one of the last reliable bastions for mag-stripe card data until at least 2017," Pascual says. "As such, our clients are focusing more of their efforts on self-serve gas pumps when searching for common points of purchase among compromised cards. Until gas stations are in a position to re-terminalize, alarms that indicate a pump has been opened can be effective deterrents to these types of crimes. Though they are only just starting to become popular, we should expect to see more of these systems installed nationwide very soon."

Emerging Trend?

One executive at a leading card-issuing institution on the West Coast, who asked not to be named, says skimming attacks against self-serve gas pumps have progressively increased over the last three months, affecting numerous states where this institution has a footprint. And the executive anticipates these attacks will increase at the pump and ATMs as EMV continues to roll out.

But retailers can take several steps to mitigate their risks. "To place the device on the pump, the fraudster needs access to inside the pump door, so from my perspective, better physical security is needed," the executive says. "From some of the devices we have seen placed, they are on the pumps for several days, if not a few weeks; and in cases of Bluetooth or Wi-Fi enablement, to download the data, the devices may be left on longer, as to not risk capture or removal."

Post Falls, Idaho: A Skimming Case in Point

For the past three months, authorities in Post Falls and surrounding areas have received reports from regional banks about compromised credit card accounts linked to pay-at-the-pump gas terminals at numerous convenience stores and gas stations in the region. The total number of cards compromised has not yet been determined, as reports of ongoing fraudulent activity continue to come in.

One institution, Bank of America, has reported having more than 100 cardholders impacted by the attacks, Post Falls Police Capt. Greg McLean tells Information Security Media Group. Fifty of those accounts are believed to have been compromised by skimming devices at only one gas station in Post Falls.

Post Falls detectives have so far found two skimming devices on self-serve gas pumps at a Jifi Stop station. Other devices have been found in neighboring communities, including Spokane, Wash., and Airway Heights, Wash., McLean says.

Two suspects, Oriam Perez Cerezuela and Alexander Brito, were questioned Oct. 4 at a local Walmart by authorities, after store personnel contacted police about the two men's purchase of an exorbitant number of prepaid Visa cards and gift cards valued at approximately $7,000, McLean says.

After police questioned the two men, they let the suspects go because the department did not have enough evidence to arrest or detain them, McLean says.

Now local and federal law enforcement authorities believe the duo is in Florida, since some of the cards compromised in Post Falls have recently been used in Florida. What's more, both suspects are now believed to be part of a nationwide organized crime ring known as The Cubans, McLean says.

"We believe they were operating in this area for about three months and then went back to Florida," McLean says. "We've since learned from a Secret Service agent in our area, who is helping us with the investigation, that the same type of scam we saw here has been waged in other markets, including Florida. We can't say we are 100 percent sure that they are part of this group, but we don't think the similarities are a coincidence."

Marjorie Meadors, who oversees card fraud prevention for Louisville-based Republic Bank & Trust, a community bank with $3.2 billion in assets, says pay-at-the-pump skimming attacks linked to gangs out of Miami have been a common problem for the last year. "Our fraud losses have greatly increased," she says.  "We identify the gas pumps, and some skimmers have been removed, but by the time the police get there, the skimmer usually has already been moved to another location. It is a major problem."


About the Author

Tracy Kitten

Tracy Kitten

Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network