Pay-at-the-Pump Skimming: New Solution

New Database Will Predict Skimming Trends
Pay-at-the-Pump Skimming: New Solution

Five major oil companies are pooling data about pay-at-the-pump skimming incidents to feed a new database created to help the convenience store and petroleum industries track card fraud trends.

See Also: Ransomware: The Look at Future Trends

The database, managed by the Petroleum Convenience Alliance for Technology Standards, is being augmented with information provided by card issuers. Over time, the database is expected to help identify trends and predict future skimming hits.

"We know there are certain markets that are more prone to skimming than others," says Gray Taylor, executive director of PCATS and vice president of research and technology for the National Association of Convenience Stores. "We know [fraudsters] work the interstate corridors and high-volume sites, and so our hope is that if we can track a trend, we can alert the oil companies so that they can notify their district representatives who will get the word out to stations along those corridors before they get hit."

Tracking and attacking pay-at-the-pump-skimming has been a challenge. Taylor says most gas station and c-store operators don't want to raise flags by reporting incidents. And many don't fully appreciate how financially devastating a skimming strike can be until they are struck.

Oil companies, however, know how great the fraud losses linked can be, and they're pushing station operations to report incidents and use enclosure-tampering tape. "That's why we ask the retailers to report back by checking the tape serial numbers for tampering on a daily basis," Taylor says.

But until retailers accept the responsibility they bear, having banking institutions and oil companies collaborate is the best solution, Taylor says.

John Buzzard, who monitors card fraud for FICO's Card Alert Service - a subscription fraud-tracking service for issuers - says PCATS' initiative sounds promising. "It's the first time I've heard of issuers and retailers joining forces," he says. "I definitely think it's a step in the right direction."

Skimming Epidemic?

Pay-at-the-pump-skimming attacks, like other retail point-of-sale hits, are worrisome for banks. Card issuers can't control the fraud, and they sense retailers are apathetic about the responsibilities they have to address skimming and subsequent losses, Taylor says.

"The banks' biggest beef is when they have repeated skims in a town and they don't see the merchants doing anything to stop it," Taylor says. This is where oil companies have raised the bar, by working with PCATS to document potential points of compromise when suspected attacks are reported by the issuers.

Arrests in pay-at-the-pump-skimming raids are bearing fruit, but it often takes years for law enforcement to connect the dots. In August, Boris Toumasian of Glendale, Calif., was sentenced to five years in prison and three years of supervised release after pleading guilty to charges linked to a 2008 pay-at-the-pump skimming scheme he helped to orchestrate while working for a BP gas station in Alpharetta, Ga. (see Curbing Card Fraud at the Pump).

When authorities searched Toumasian's two Alpharetta residences, they found more than 44 re-encoded American Express gift cards, more than $50,000 cash, skimming devices, a laptop with stolen account information, fake fascias for ATMs and gas pump enclosures, a device used to encode cards, and a pinhole camera used to capture PIN entry. He was ordered to pay nearly $87,000 in restitution for the crime.

A year earlier, in August 2011, NACS issued a statement about skimming trends in Tampa, Fla., saying the theft of debit and credit card numbers at pay-at-the-pump gas terminals had reached near-epidemic proportions (see Pay-at-the-Pump Skimming: 'Epidemic').

But coming up with statistics to determine just how much pay-at-the-pump skimming attacks contribute to the country's total card fraud losses is challenging, Buzzard says. Some attacks only affect cards, while others affect cards and PINs associated with debit accounts.

Taylor says bridging the communication gap between banking institutions and retailers is a first step toward painting a more accurate picture (see Fighting Fraud: Banks, Merchants Must Align).

"We've found disparity between where banks say the skimming is happening and what we know," Taylor says. "We all know skimming is a problem, but we don't want to assume it's all occurring at one particular station or another. Collecting this data from banks and the petroleum companies will definitely help us get a better understanding of what is actually happening and where."

And while all card fraud linked to skimming attacks at ATMs and various retail points-of-sale is a concern, pay-at-the-pump terminals are feared as being particularly vulnerable to future attacks, Buzzard says.

"No one can predict the future," he says. "But issuers are concerned about when we migrate to EMV [the Europay, MasterCard, Visa standard], the fuel-dispenser segment will have the longest road to compliance, so they're expecting an increase in some fraudulent activity there."

The U.S. payments industry's movement away from magnetic-stripe card transactions toward chip-based EMV-compliant transactions can virtually eliminate card-skimming fraud, experts agree. But until all payment terminals have completed the migration, fraud will shift to the point of least resistance.

"Skimming at gas pumps is already a problem, and issuers are just trying to plan for the worst," Buzzard says.

It will take more than a decade for mag-stripes to be completely removed from cards, Taylor says. The purpose of the pay-at-the-pump-skimming database is to assist with filling that 10-year gap. Risk managers at oil companies are taking those growing skimming concerns seriously. "But there is only so much they can do," Taylor adds.

Steps to Stop Pump Skimming

In the meantime, Buzzard and Taylor offer these tips to help detect and prevent pay-at-the-pump incidents:

  • Improve Surveillance - especially in the parking lot and near gas-pumps. "When these pumps are targeted, the bad guys typically pull a big truck or van in and block the view," Buzzard says. "A typical surveillance set-up can't catch that. Financial institutions face a similar challenge, where capturing traffic coming in and out of branch is concerned. There are a lot of things they all could be doing better."
  • Use Tampering Tape Properly - If tampering tape is broken, it should indicate that a pump enclosure has been broken into. When that happens, the pump should be immediately taken offline and the incident reported. "Our policy recommends that you keep a log, and if any piece of tape is broken, check it against your serial-number log," Taylor says. "If the numbers don't match or anything else is suspicious, report it. We have to get buy-in from the operators to make it work."


About the Author

Tracy Kitten

Tracy Kitten

Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 20 years' experience, Kitten has covered the financial sector for the last 13 years. Before joining Information Security Media Group in 2010, where she now serves as director of global events content and executive editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network