Curbing Card Fraud at the PumpWhat are the Key Steps to Controlling Skimming?
Card fraud linked to pay-at-the-pump gas terminals is growing, and that trend will continue until more fraudster convictions are publicized, some security experts say. While they're pleased that another skimming fraudster was sentenced last week, they say the courts need to do a better job of considering the long-term impact of skimming when setting sentences.
See Also: Ransomware: The Look at Future Trends
Meanwhile, in an effort to help prevent fraud, one trade association is testing a system designed to help alert convenience stores and others about potential skimming threats.
Boris Toumasian, 25, of Glendale, Calif., was sentenced Aug. 24 to five years in prison and three years of supervised release after pleading guilty to conspiracy, credit card fraud, and aggravated identity theft stemming from a pay-at-the-pump skimming scheme he helped to orchestrate while working for a BP gas station in Alpharetta, Ga.
As part of the sentence, the U.S. district court in Atlanta also ordered Toumasian to pay nearly $87,000 in restitution. His co-conspirators, Edmond Alexanyan and Karen Khalatya, who, along with Toumasian, were indicted in July 2010, remain at large.
Impact of Convictions
Although a five-year sentence might not seem long enough for someone who masterminded an organized crime ring to target gas pumps or ATMs, it is a strong sentence for fraud linked to one station and financial losses estimated to be less than $90,000, says financial fraud expert Shirley Inscoe of the consulting firm Aite. "More convictions such as this one might begin to make a dent in the number of such criminal rings operating around our country," she says.
The Federal Bureau of Investigation says Toumasian and two co-conspirators in 2008 used stolen credit and debit details, including PINs, to create counterfeit cards they later used for fraudulent cash withdrawals at ATMs and the purchase of electronic equipment at various retailers. Investigators say more than 175 accountholders were affected by the scheme.
When authorities searched Toumasian's two Alpharetta residences in December 2008, they found more than 44 re-encoded American Express gift cards, more than $50,000 cash, skimming devices, a laptop with stolen account information, fake fascias for ATMs and gas pump enclosures, a device used to encode cards, and a pinhole camera used to capture PIN entry.
Breadth of Card Fraud
While the sentence in this case sends a message, it doesn't go far enough, says John Buzzard, who monitors card fraud for FICO's Card Alert Service.
"I doubt that there is any person out there who is satisfied with the paltry five-year sentence for these crimes, especially for those of us who actually work the cases and suffer through the enormous workload they generate," Buzzard says. "I think a proper five-year sentence for any sort of skimming crime should actually be five years of mandatory clerical work to be performed for the institutions that the criminals victimized the most."
When setting sentences, the courts, unfortunately, frequently don't take into account that fraud linked to skimming and hacking can have a ripple effect for years, Inscoe says. Stolen card information can lay dormant for an extended period before fraudulent transactions start showing up, she points out.
"There are organized rings that have compiled huge databases of consumer information and their related cards," Inscoe says. "They may use various methods to accumulate data and/or sell it via a black market. ... This is big business and people underestimate how organized it is."
Though the Alpharetta scheme appears to have been relatively simple, the fraudsters involved could have sold some of the card data they intercepted, she adds. Or they could have purchased additional data to supplement what they stole at the pumps.
Pay-at-the-Pump Skimming Trends
Coming up with statistics to determine just how much pay-at-the-pump skimming attacks contribute to the country's total losses to card fraud is challenging. Buzzard says some attacks only affect cards, while others affect cards and PINs associated with debit accounts.
"As far as card and PIN skimming goes, we have identified less petroleum locations [that have been victimized] this year over last year, but 2012 isn't over yet," he says. "All it takes is one multiple-location case to change the stats, and we have about four months left to see how the year ends."
Buzzard says he does not believe pay-at-the-pump attacks are slowing, despite efforts the retail and petroleum industries have put forth to address the problem. "Skimming prevention is all about building that better mousetrap, and so far the criminals just build them faster than we do and use the technology against us," he says.
Card-issuing institutions have their own theories about the reasons behind increasing losses tied to card fraud, Inscoe says. Many speculate that the increases are linked to crime rings that want to exploit the card data that they have in-hand before the U.S. payments infrastructure migrates to chip-card technology, part of a movement to comply with the global Europay, MasterCard, Visa standard.
"A number of bankers have said they are seeing debit and credit card identity-related fraud increase sharply," Inscoe says. "Some suspect this is due to the upcoming rollout of EMV cards, which will largely invalidate the usefulness of the identity data criminal rings have accumulated through data breaches and other nefarious methods to commit these types of crimes in the card space."
Addressing the Problem
Jeff Lenard, vice president of industry advocacy for the National Association of Convenience Stores, says unattended payment terminals, such as pay-at-the-pumps and ATMs, are, by their nature, easy targets. The industry is taking steps to address security concerns, but thwarting risks is an ongoing challenge.
"The good news is that convenience stores and gas stations are often busy locations, with lots of foot traffic, so installing devices is more challenging than it would be at a drive-up ATM at a bank branch, for instance," Lenard says.
But Gray Taylor, executive director of the Petroleum Convenience Alliance For Technology Standards, says the industry is not taking the skimming trend lightly. PCATS is beta-testing a skimming database that logs reports of pay-at-the-pump skimming incidents. It's working with about 10 retail and petroleum brands to collect data that can be used to identify common targets.
Once regions or certain terminal brands have been identified as being hit by skimming most often, PCATS notifies other convenience stores and gas stations that are likely to be the next victims.
"We know from past experience that thieves target interstate corridors, so we feel that an early warning system tied to the risk management of the major oil companies will get the word out quickly so we can truncate the success of the thieves," Gray says. "Kind of like cockroaches: If you see one, there are probably more in the neighborhood."