Thieves recently attached bank card skimmers to gas pumps at more than 30 service stations along several major highways in and around Denver, Colorado, the latest area to be hit by a scam that allows crooks to siphon credit and debit card account information from motorists filling up their tanks.
Forced to re-issue an unusually high number of bank cards due to fraudulent charges on the accounts, a regional bank serving Colorado and surrounding states recently began searching for commonalities among the victimized accounts. The financial institution, which shared information with KrebsOnSecurity.com on the condition that it not be named, found that virtually all of the compromised cardholders had purchased gas from a string of filling stations along or not far from Interstate 25, a major North-South highway that runs through the heart of Denver.
Several Valero stations along the I-25 corridor reached by phone acknowledged being visited over the past week by local police and U.S. Secret Service agents searching for skimmer devices. The stations declined to comment on the record, but said investigators left a bulletin stating that stations in the area had been targeted and urging them to be on the lookout for suspicious activity around the pumps.
Mark Gallick, a Secret Service agent with the Denver field office, confirmed that a bulletin on skimmers was circulating among gas stations in the area, but refused to comment further.
Similar attacks on gas station pumps recently have hit other parts of the country: Police in Arizona also are dealing with a spike in reports about skimmers showing up at gas pumps, prompting Gov. Janice Brewer this month to urge the Arizona Department of Weights and Measures to increase their inspection efforts in looking for skimmers at gas stations.
Bluetooth based wireless skimmers have been found attached to a slew of gas station pumps throughout the Southeast, particularly in Florida. Wireless skimmers allow thieves to pull up to the compromised station and download stolen card data with a laptop while sitting in their car. Many wireless skimmers run on rechargeable batteries, but skimmers attached to the insides of a gas pump can easily be made to draw on the pump’s power source in order to continue stealing card data indefinitely.
“Our device is not the traditional skimmer but rather a Bluetooth enabled equivalent of a thumb drive programmed to capture the data as it was transmitted from point A to point B inside the gas pump itself,” said Lt. Stephen Maynard, the public information officer for the Alachua County, Fla. Sheriff’s Office, which dealt with skimmer compromised pumps earlier this year.
The gas pumps compromised in the Denver-area attacks showed no outward signs of having been tampered with or altered, according to several sources. My source at the bank said all of the pumps in question contained a device on the inside of the pumps designed to record data stored on the back of cards inserted into the compromised pumps, but he wasn’t sure whether the skimmers were designed to transmit the stolen data wirelessly.
My source said the hacked pumps in Denver tended to be on the outside edges of the gas station, those hardest to see by clerks in the station. In a wrinkle that could be part of an effort to drive customers to the compromised pumps, the source said, customer service representatives at the bank also received complaints from victim account holders who reported getting phone calls promising them gift cards if they purchased gas at specific stations in the Denver area.
“The caller ID on those calls — 727-712-0382 — was a number that probably originated from a Florida provider,” my source said.
Unlike most skimmers affixed to ATMs — which can often be spotted because they rely on fraud devices that are attached to the exterior of the cash machines — gas station skimmers are planted after the thieves have gained access to the interior of the pumps. As result, there are rarely any signs that a gas pump has been compromised. However, consumers can and should keep a close eye on their monthly bank statements and report any unauthorized charges immediately.
The Truth In Lending Act limits consumer liability to $50.00 once a credit card is reported lost or stolen, although many card issuers will waive that amount as well. Fraudulent debit card charges are a different story: The Electronic Fund Transfer Act limits liability for unauthorized charges to $50.00, if you notify your financial institution within two business days of discovering that your debit card was “lost or stolen.” If you wait longer, but notify your bank within 60 days of the date your statement is mailed, you may be responsible for up to $500.00. Wait longer than that and you could lose all the money stolen from your account.
Have you seen:
Fun With ATM Skimmers, Part III…According to the European ATM Security Team (EAST), a not-for-profit payment security organization, ATM crimes in Europe jumped 149 percent form 2007 to 2008, and most of that increase has been linked to a dramatic increase in ATM skimming attacks. During 2008, a total of 10,302 skimming incidents were reported in Europe. Below is a short video authorities in Germany released recently showing two men caught on camera there installing a skimmer and a pinhole camera panel above to record PINs.