The Fraud Blog with Tracy Kitten

Pay-At-The-Pump Skimming Saga Grows

Pay-At-The-Pump Skimming Saga Grows

Earlier this year, software analytics helped Zions Bank track customer card compromises back to 180 pay-at-the-pump gas terminals in Utah that had been hit by Bluetooth-enabled skimming devices.

Chuck Groat, a vice president of bankcard risk management at Zions, which has $50 billion in assets, says Denver is "definitely the hotspot." Zions tracked 15 separate locations where customers' cards had been compromised, and the majority of those pumps are owned and operated by the same gas retailer.

Zions tracked 15 separate locations where customers' cards had been compromised, and the majority of those pumps are owned and operated by the same gas retailer. 

The problem also is getting attention in Arizona, where last week Gov. Jan Brewer directed the state Department of Weights and Measures to increase gas pump inspections, as well as to work with gas station owners to find ways to fight the crime. A political ploy to draw attention from the state's highly contested immigration law, or a directive with teeth? You be the judge.

And then earlier this month, three skimming devices were found at two gas stations near Interstate 75 in Alachua County, Fla. Last week, new reports of stations targeted around Gainesville, part of Alachua County, began to surface. With so many tourists traveling the highway to and from vacation points, the pumps are obviously fruitful targets.

The attacks definitely go in waves and travel in geographical pockets, says Robert Siciliano, founder of Those pockets, in part, explain why disparate parts of the country are simultaneously being hit. In that way, they're similar to ATM ram raid attacks, which have as much to do with opportunity as return on investment.

Criminal networks oftentimes hit gas station chains because the chains use the same pay-at-the-pump equipment. "They find out everything they need to know to duplicate the fascia of the machine or enter the terminal itself," Siciliano says. "And then, because they understand how that design of pump works, they just keep working it and working it and working it."

Encrypting PIN pads, more breach liability placed on merchants, and tighter controls on the terminals themselves - such as the discontinuance of universal access keys and the installation of alarm systems when locks or fascias are tampered with - are the best solutions. "The gas stations have to get into compliance," Siciliano says. "Maybe that means they send their people out every 30 minutes to an hour to make sure there are no skimming devices on the machines."

But that's a short-term solution. Siciliano agrees the merchants must be pushed to invest in more security. "They need technology that will defeat the skimming devices. For a $2,000 to $3,000 investment, they can make these things secure."

Learn from the banking industry, which 10 years ago was caught by surprise when fraudsters capitalized on security vulnerabilities at ATMs. Shame on gas merchants for getting caught by surprise now. But then again, until the merchants are held accountable for these breaches, we can't expect much change.

About the Author

Tracy Kitten

Tracy Kitten

Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years' experience, she covered the financial sector for 10+ years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by, ABC News, and MSN Money.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.