Why Skimming Won't Go AwayNew Pay-at-the-Pump Incidents Part of Troubling Trend
After nearly two years of highly-publicized fraud incidents and educational efforts, why do pay-at-the-pump skimming attacks continue unabated?
See Also: Beware the Other Virus
The latest news: Police in West Wendover, Nev., have issued a warning about card skimming at area ATMs and pay-at-the-pump gasoline terminals. The pubic warning was spurred by recent reports from Wendover residents of upticks in fraudulent transactions hitting their credit and debit cards.
A local news report claims two skimming devices have been recovered from area businesses, and investigators expect to find more. They've asked the public to report any suspicious activity or odd-looking equipment to local authorities.
Despite increasing efforts to educate institutions and retailers about skimming fraud, especially at self-service gas pumps, skimming attacks continue to grow. Why? Because fraudsters continually move their targets to regions that are less informed about the perils of card skimming.
John Buzzard, who monitors card fraud for FICO's Card Alert Service, says communities or metropolitan areas, like New York, that get hit often have done better jobs of informing the public and businesses about card-skimming risks. "I get the sense that this community in Nevada is, perhaps, somewhat new to the experience of gas pump skimming," he says. "It's not uncommon for small communities to inherit the problems of larger cities nearby, as fraudsters migrate their scams to areas where consumers are less aware of the possibility of having their payment cards skimmed."
In fact, any community along the I-80 corridor, which feeds Reno, can expect to be a target, as the skimming attacks that hit Wendover hop from station to station, Buzzard says.
At Zions Bank, which has $50 billion in assets, the migration of pay-at-the-pump skimming is a problem known all too well. Chuck Groat, a vice president of bankcard risk management at Zions, says the bank's card fraud department has spent much of the New Year just keeping up with ongoing card compromises. And the attacks reported this week in Wendover are among those compromises.
Card fraud linked to the Wendover skimming cases affected customers at two Zions branches.
"Pay at the Pump skimming is still really easy to perform, and I don't believe the proper incentives or penalties are in place to reduce these types of attacks from a merchant perspective," Groat says.
A year ago, Zions got hit by pay-at-the-pump attacks in Arizona. In summer 2010, the bank tracked 15 separate gas-pump locations where customers' cards had been compromised. The majority of those compromises were linked to the same retailer.
Groat says the production of counterfeit cards created with skimmed Zions' account details has continually increased. In 2011, he estimated card fraud linked to skimming was up 200 percent at the bank, because of retail- and gas station-based breaches.
The expense of upgrading gas terminals for more security has been daunting for convenience store and gas station owners. [See Part 1: Steps to Stop Skimming.]
"Investing in new technology may be higher than the perceived cost of any reputational risk," Groat says. "Or they just have a mind set of, 'It will never happen to me, so why take any proactive measures?'"
But lacking proactive measures cost all players along the payments chain when card fraud occurs.
McAfee consultant and fraud expert Robert Siciliano says the fact that banks continue to struggle with ATM skimming proves gas station and c-store operators have little hope of making significant dents in pay-at-the-pump skimming fraud. "[They] don't stand a chance in fighting this crime unless they collectively make significant changes and upgrades in the security of their existing technologies," he says.
The industry is taking the issue seriously. Visa and MasterCard have both announced mandates for card technology enhancements by 2013 and 2015.
Visa issued expected compliance dates of April 2013 and October 2015 for migration to the Europay, MasterCard, Visa standard for U.S. card issuers and acquirers. MasterCard also has set an April 2013 EMV-compliance deadline for all U.S. ATMs.
The reason for the EMV push, Visa says, is escalating card fraud. The United States' continued reliance on magnetic stripe card technology is perpetuating the fraud.
By 2015, retailers that have not upgraded their POS systems for EMV compliance run the risk of being held accountable for fraud losses. If they have not adopted contact chip technology and it is determined by Visa that EMV could have prevented the fraud, they will be held liable.
That liability shift may be just what the industry needs to move forward, Groat says. "If the compromised entities, to include ATM owners, shared in at least some of the overall loss exposure that their skimmed self-service terminals caused, then you would see more investment to prevent these types of activities," he says. "But, admittedly, this also creates many new challenges for both sides."
In the meantime, banks, credit unions and retailers can expect card skimming to remain. Nicole Sturgill, an ATM and financial fraud analyst at TowerGroup, says skimming will continue until the industry ensures it no longer works. "As long as it's possible to skim the info from the mag-stripe and view the PIN (or zip code), people will continue to try it," she says. "There have been increased calls for EMV in the U.S., but even if it became a directive, it would be years before it took effect. In the meantime, consumers have to be vigilant and card issuers have to continue to extend financial protections."