More Pay-at-the-Pump SkimmingCalifornia Community Launches Awareness Campaign
West Covina authorities issued the alert after skimming systems were found on three pumps at two separate gas stations. According to a local report, the technology used to collect the PINs did not rely on cameras - the so-called old-fashioned way criminals record PIN details as consumers enter PINs on terminal PIN pads.
Last year, police in Florida issued similar warnings, advising residents to avoid paying at the pump, instead suggesting they pay inside, with cash.
The California incident is just one in a growing line of card-skimming schemes that target pay-at-the-pump gas terminals. In May, authorities in Hawaii arrested three suspects who had been linked to a skimming scheme at gas terminals. One suspect was extradited from California on three counts of first-degree identity theft, after allegedly stealing more than $150,000 from six Hawaii financial institutions using credit and debit card information stolen from 156 consumer accounts.
In the West Covina case, two suspects, Raghi Khajemtourian, 26, and Arman Avanesyan, 31, were arrested May 22 after police discovered counterfeit cards and $6,000 in their possession. The arrests came after police received an anonymous tip, reportedly about two men acting suspiciously near one of the compromised gas pumps.
Like ATMs, all unattended self-service payment terminals are vulnerable to skimming. But what makes pay-at-the-pump terminals such easy targets is the continued and widespread use of universal access keys, which allow fraudsters easy access to gas pump enclosures. [See Pay-at-the-Pump Card Fraud Revs Up and Pay-At-The-Pump Skimming - a Growing Threat.]
The industry is aware of the problem; but until gas terminal manufacturers and retailers address the issue by requiring unique code or key entry for individual devices, card-issuers argue pay-at-the-pump skimming is likely to continue. Bankers also suggest that until liability for card fraud linked to skimming shifts, retailers have little incentive to do much to thwart attacks. [See Michaels Breach: Who's Liable?]
'A Lot of Rhetoric'Jeff Lenard, spokesman for the National Association of Convenience Stores, better known as NACS, says finger-pointing between banks and retailers over debit fraud and liability has been fueled by debates over debit interchange fees. As an amendment proposed by Sen. Jon Tester, D-Mont., which aims to delay passage of debit interchange fee reductions called for in Sen. Dick Durbin's, D-Ill., amendment to the Dodd-Frank Wall Street Reform and Consumer Protection Act, comes up for a vote, Lenard says rhetoric will overpower reason. "You're dealing with a lot of rhetoric surrounding the debit environment right now; that's why there is such heated debate between retailers and banks," he says. "Everyone is trying to find a way to point fingers."
Lenard says a number of parties could be liable when a card breach occurs, from the POS terminal manufacturers and card brands to the banks and retailers. As incidents of POS skimming attacks hit all-time highs at U.S. retail locations in 2010, Lenard says NACS is working to educate the industry about card-fraud threats.
In March, NACS launched its WeCare Decal, tamper-evident labels that aim to help retailers quickly identify potential security breaches if skimming devices are inserted at fuel dispensers or on other unattended PIN-entry devices.
"I think retailers may not be aware of the damage that skimming can do to your business. One skimming incident can take a business and put it out of business," he says.
Pointing to the recent Michaels card breach , during which 20 Michaels locations were hit with a POS PIN pad swap scheme, Lenard says store owners have to be aware of the risks and educate their employees as well. And when it comes to skimming at unattended terminals, such as pay-at-the-pump, retailers must be vigilant about inspections. "Inspections have to be built into your normal routine," he says. "If you open up the dispenser and there are more than two wires connected to the card reader, then that's a flag. You have to know what is normal so you recognize when something has been changed."
NACS' tips for POS security:
- Conduct daily inspections of card readers, PIN pads and unattended terminals. "If you're worried about universal keys, use some sort of tamper-evident stickers that you can put over the door jams, so you know if the terminal has been accessed," Lenard says.
- Be on the lookout for suspicious activity. "If someone is parked at the pump for a long time, then that's a read flag," he says.
- Communicate with police. "If you see a skimming device, your first step should be shut down the pump and then notify authorities," Lenard says. "Don't take it off yourself."