26 Jun 18

How to Avoid Card Skimmers at the Pump

Previous stories here on the proliferation of card-skimming devices hidden inside fuel pumps have offered a multitude of security tips for readers looking to minimize their chances of becoming the next victim, such as favoring filling stations that use security cameras and tamper-evident tape on their pumps. But according to police in San Antonio, Texas, there are far more reliable ways to avoid getting skimmed at a fuel station.

San Antonio, like most major U.S. cities, is grappling with a surge in pump skimming scams. So far in 2018, the San Antonio Police Department (SAPD) has found more than 100 skimming devices in area fuel pumps, and that figure already eclipses the total number of skimmers found in the area in 2017. The skimmers are hidden inside of the pumps, and there are often few if any outward signs that a pump has been compromised.

In virtually all cases investigated by the SAPD, the incidents occurred at filling stations using older-model pumps that have not yet been upgraded with physical and digital security features which make it far more difficult for skimmer thieves to tamper with fuel pumps and siphon customer card data (and PINs from debit card users).

Lt. Marcus Booth is the financial crimes unit director for the SAPD. Booth said most filling stations in San Antonio and elsewhere use legacy pumps that have a vertical card reader and a flat, membrane-based keypad. In addition, access to the insides of these older pumps frequently is secured via a master key that opens not only all pumps at a given station, but in many cases all pumps of a given model made by the same manufacturer.

Older model fuel pumps like this one feature a flat, membrane-based keypad and vertical card reader. Image: SAPD.

In contrast, Booth said, newer and more secure pumps typically feature a horizontal card acceptance slot along with a raised metallic keypad — much like a traditional payphone keypad and referred to in the fuel industry as a “full travel” keypad:

Newer, more tamper-resistant fuel pumps include raised metallic keypads (known in the industry as “full travel” keypads), horizontal card readers and custom locks for each pump.

Booth said the SAPD has yet to see a skimming incident involving newer pump models like the one pictured directly above.

“Here in San Antonio, many of these stations with these older keypads and card slots were getting hit all the time, sometimes weekly,” he said. “But as soon as those went over to newer gear, we’ve seen zero problems.”

According to Booth, the newer pumps include not only custom keys for each pump, but also tamper protections that physically shut down a pump if the machine is improperly accessed. What’s more, these more advanced pumps do a better job of compartmentalizing individual components, very often enclosing the electronics that serve the card reader and keypad in separately secured metal cages.

“Pretty much all these full travel metallic keypads are encrypted, and if you disconnect them they disable themselves and can only be re-enabled by a technician,” Booth told KrebsOnSecurity. “Also, if the pump is opened improperly, it disables itself. These two specific items: The card reader or the pad, if you pull power to them they’re dead, and then they can only be re-enabled by an authorized technician.”
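To make the behavior Booth describes concrete, here is a small Python model of a tamper-responsive encrypting keypad. It is an added example written for this page, not pump firmware or any vendor's code: the PIN-encryption key lives only in battery-backed memory, a battery-powered monitor watches the tamper loop, and opening the case or unplugging the connector zeroizes the key and leaves the unit disabled until an authorized technician re-keys it, while a mains outage alone does not trip it (the practical caveat a station owner would ask about). The ISO 9564-1 format 0 PIN block is the real standard; the XOR-with-HMAC "encryption" and the counter are stand-ins for TDES/AES under DUKPT, and the class, method and state names are assumptions.

```python
import hashlib
import hmac
from enum import Enum


class State(Enum):
    ACTIVE = "active"
    DISABLED = "disabled"  # key zeroized; only an authorized technician can re-key


def iso0_pin_block(pin: str, pan: str) -> str:
    """ISO 9564-1 format 0 clear PIN block (PIN field XOR PAN field), as hex."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4-12 digits")
    pin_field = f"0{len(pin):X}{pin}".ljust(16, "F")
    pan_field = "0000" + pan[:-1][-12:]   # 12 rightmost digits, check digit excluded
    return f"{int(pin_field, 16) ^ int(pan_field, 16):016X}"


class SecureKeypad:
    """Model of a tamper-responsive encrypting PIN pad (assumed design).

    The key is held only in volatile, battery-backed memory. A battery-powered
    monitor watches the tamper loop (enclosure switch and connector pins); if the
    loop opens, the key is wiped and the pad refuses to produce PIN blocks until a
    technician injects a fresh key. Losing mains power does not open the loop.
    """

    def __init__(self) -> None:
        self.key = None            # bytes while active, None once zeroized
        self.state = State.DISABLED
        self.loop_closed = True    # tamper loop: enclosure switch + connector pins
        self.mains_power = True
        self.battery_ok = True
        self.counter = 0           # per-block counter, stands in for a DUKPT KSN

    # Events the physical world can generate
    def technician_rekey(self, key: bytes) -> None:
        """Authorized re-key: the only path from DISABLED back to ACTIVE."""
        self.key = key
        self.loop_closed = True
        self.state = State.ACTIVE

    def open_enclosure(self) -> None:
        self.loop_closed = False
        self._tamper_monitor()

    def unplug_connector(self) -> None:
        # Pulling the cable opens the monitored pins exactly like opening the case.
        self.loop_closed = False
        self._tamper_monitor()

    def mains_outage(self) -> None:
        self.mains_power = False
        self._tamper_monitor()   # monitor runs from the battery, loop is still closed

    def mains_restore(self) -> None:
        self.mains_power = True

    def battery_failure(self) -> None:
        self.battery_ok = False
        self._tamper_monitor()

    def _tamper_monitor(self) -> None:
        """Battery-powered, so it sees a disconnect even with mains off; fails closed."""
        if not self.battery_ok or not self.loop_closed:
            self.key = None
            self.state = State.DISABLED

    def encrypt_pin_block(self, pin: str, pan: str) -> tuple:
        if self.state is not State.ACTIVE or self.key is None:
            raise RuntimeError("keypad disabled: technician re-key required")
        if not self.mains_power:
            raise RuntimeError("no mains power")
        block = bytes.fromhex(iso0_pin_block(pin, pan))
        self.counter += 1
        # Stand-in for TDES/AES under DUKPT: XOR with a keyed, counter-derived keystream.
        keystream = hmac.new(self.key, self.counter.to_bytes(8, "big"), hashlib.sha256).digest()[:8]
        return self.counter, bytes(a ^ b for a, b in zip(block, keystream)).hex()


if __name__ == "__main__":
    pad = SecureKeypad()
    pad.technician_rekey(b"\x2a" * 16)          # constructed key
    print("after install:", pad.state.value, pad.encrypt_pin_block("1234", "4111111111111111"))
    pad.mains_outage(); pad.mains_restore()
    print("after outage:", pad.state.value)      # still active
    pad.unplug_connector()
    print("after disconnect:", pad.state.value)  # disabled, key wiped
```

The point of the split between `mains_power` and `loop_closed` is the one a real design has to get right: the tamper monitor must keep running when the pump loses power, otherwise every outage would strand the station until a technician arrived, and a thief could defeat the protection simply by cutting power first.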

Newer pumps may also support mobile payment options such as Apple Pay, which let customers pay for fuel without ever sharing their credit or debit card account details with the fuel station. However, many stations with pumps that advertise this capability have not yet enabled it.

One reason that pump skimmers seem to be more pervasive is that authorities across the country are doing a better job of working with banks and federal investigators to identify fuel stations that appear to be compromised. The flip side is that thieves are generally opportunistic, and tend to focus on targeting systems that offer the least resistance and lowest hanging fruit.

Unfortunately, there is still a ton of low-hanging fruit, and these newer and more secure pump systems remain the exception rather than the rule, Booth said. In December 2016, Visa delayed by three years a deadline for fuel station owners to install payment terminals at the pump that are capable of handling more secure chip-based cards. The chip card technology standard, also known as EMV (short for Europay, MasterCard and Visa) makes credit and debit cards far more expensive and difficult for thieves to clone.

Under previous credit card association rules, station owners that didn’t have chip-ready readers in place by Oct. 2017 would have been on the hook to absorb 100 percent of the costs of fraud associated with transactions in which the customer presented a chip-based card yet was not asked or able to dip the chip (currently, card-issuing banks eat most of the fraud costs from fuel skimming). Currently, fuel stations have until Oct. 1, 2020 to meet the liability shift deadline.

Some pump skimming devices are capable of stealing debit card PINs as well, so it’s a good idea to avoid paying with a debit card at the pump. Armed with your PIN and debit card data, thieves can clone the card and pull money out of your account at an ATM. Having your checking account emptied of cash while your bank sorts out the situation can be a huge hassle and create secondary problems (bounced checks, for instance).

This advice often runs counter to the messaging pushed by fuel station owners themselves, many of whom offer lower prices for cash or debit card transactions. That’s because credit card transactions typically are more expensive to process.

In summary, if you have the choice, look for fuel pumps with raised keypads and horizontal card slots. And keep in mind that it may not be the best idea to frequent a particular filling station simply because it offers the lowest prices: Doing so could leave you with hidden costs down the road.

If you enjoyed this story, check out my series on all things skimmer-related: All About Skimmers. Looking for more information on fuel pump skimming? Have a look at some of these stories.


117 comments

  1. The Sunshine State

    Great informative article

  2. Unfortunately, the Horizontal versus Vertical card reader positioning is not entirely true. While the latest version of Gilbarco’s (Dispenser Manufacturer that is featured in this article) Card Reader is mounted in the horizontal position, they have previous versions of encrypted, tamper proof and secure readers that are mounted in the vertical position. Some of the ones mounted in the vertical position are even capable of an EMV (Chip) transaction.

    • You are correct. Some pumps that have vertical readers have been updated with additional security measures. However, this story was meant to give readers reliable information about which pumps are far less likely to be compromised. Unfortunately for station owners using older pumps that have been upgraded for encryption or other security measures, it’s almost impossible for customers to tell that these older pumps have those added security measures.

  3. Alan Waggoner

    You can’t get your card stolen if you pay cash. Plus, some stations offer lower prices when paying with cash over credit cards.
    If not cash, pay with your credit card inside, not at the pump.

    This is a risk vs convenience comparison. Personally, I prefer the lower risk. Plus, it doesn’t hurt to have a few extra steps.

    • Alan,

      Millions of us are beholden to cards in order to receive corporate reimbursement for our gas, or forced to use company issued cards outright.

      You also can’t pay cash at 3AM.

      The world is a large place, and what works for one individual may not work for others – and that’s OK.

      • @Justin, Have you never seen a 24 hour gas station? I live in the Midwest and there are plenty. Keep in mind fraud also happens at truck stops which are always 24 hours.

      • Why does anyone need to get gas at 3am?

        Even if you HAVE to use a corp card or PREFER to use your rewards card, you still have the option of going inside to pay. It’s really not that big a deal

        Nobody has to pay at the pump, that’s a preferance

        • Incorrect both in statement and spelling. I have purchased gas in many places that do not staff the booth 24/7 and pay at the pump is your only choice.

        • “Why does anyone need to get gas at 3am?”

          Well, you see, some people actually drive cars at 3 am. Also, some people wait until they’re running out of gas before they refill. And a few people do both. And once in a great while, for those few people, both things happen to them at once.

          It must be often enough though, because lots of gas stations provide a way to buy gas at 3 am, even if you can’t go inside to pay at 3 am.

        • You know what’s worse than having your card information stolen?

          Paying cash everywhere.

      • A corporate card doesn’t pose the same risk to you as using a personal debit card. If compromised, it won’t drain your bank account like your personal debit card would, and if a problem happens, your company’s finance dept would deal with resolving the matter with the bank. Still wise to use common sense regardless whose card it is.

    • david winston

      Some stations are starting to take Apple/Google Pay.
      There’s one near my house and they have all of my business since they provided that option.

    • Those cash discounts aren’t even much incentive. The discount around here is only half the cash-back bonus I get from my credit card.

    • Paying inside the gas station is no protection if the device inside has a skimmer. It’s happened here in Cincinnati.

  4. Larry J Seltzer

    “The card reader or the pad, if you pull power to them they’re dead, and then they can only be re-enabled by an authorized technician.”

    So if there’s a power outage, no gas gets dispensed until a technician comes around? That’s gonna suck.

    • It can detect a power outage vs. disconnect.

      The system I’m familiar with runs a trickle current across some or a number of the pins. Remove the trickle current and the attached device scrambles itself. Trickle current is provided via a battery, which is why it survives power outages. A single battery will run the device for 5 or more years because the current draw is miniscule.

      These probably use similar keypad setups to ATM and retail terminals, which is why overlays are so common in those spaces. Even when they get inside the device they don’t muck with the keypad, they always exploit a weakness further up the chain.

      The place where I get gas from replaced their pumps for the 2nd time in 2 years about a month ago, completely new model. Don’t think they support Apple Pay and certainly not EMV but with each upgrade there’s been obvious changes for tamper resistance.

  5. Justin, all of the updated pumps we’ve seen here in San Antonio have been horizontal insert, both on Gilbarco and Wayne Dresser. If you see any of the vertical encrypted and can send me a photo that would be great. I’ll try to post up pics (if that’s possible or maybe Brian can add them) when I find a vertical/encrypted/chip capable card reader. Thanks for the correction. MB

  6. Up here in the frozen (not so much) North, I usually just tap my card. Pumps that can’t do Tap, will take chip cards and use a PIN. Can’t remember how many years it has been since we used a credit card with a stripe reader up here (seriously, ten years? !!)

  7. What the gas bars/gas stations need to keep in mind is that December 2019 is very close from a planning perspective. Most regular retailers underestimated the complexity of upgrading their systems to become EMV compliant. Pumps are harder to upgrade than cash registers. Charge backs can become very high very quickly.

    The other factor in the US is lack of contactless cards. In Canada many pumps take contactless, and do not require PIN entry up to $100. So you don’t need to expose your PIN at all, but neither the merchant nor the card holder is liable. These are of course on-line transactions only.

    I agree that using your debit or ATM card at the pump is probably not a good idea. I only use mine in trusted environments, like grocery stores. Again, we have CTLS/no CVM for small amounts, so no need to expose your PIN.

    • Such a thing exists in the US too but the limit is $25 (or $20?). I’m always surprised when I encounter it.

    • Also, as the deadline approaches, technicians will get very busy, increasing the cost/bribes of getting the work done and decreasing availability of replacement card terminals.

      Waiting too long to get started is a bad business move.

  8. I wonder if the statistics for compromised pumps are different for New Jersey. While I find it very annoying that NJ legislators don’t think people should be able to pump their own gas, the fact that all pumps are attended might reduce the opportunities the bad guys have to install and maintain skimmers.

  9. “The chip card technology standard, also known as EMV (short for Europay, MasterCard and Visa) makes credit and debit cards far more expensive and difficult for thieves to clone.”

    Just to confirm, this doesn’t mean the CHIP can be copied, just the magnetic stripe on the back, correct?

    • It means:

      1) even the most secure things ever invented can never be for absolute sure 100% forever unhackable…
      2) thieves will always concentrate on the lowest hanging fruit.

      These general principles are like laws of nature. So chip/EMV raises the bar a lot, while thieves concentrate on older less secure tech still in use.

    • A chip card can be used to make a counterfeit magnetic stripe card.

    • Correct. The chip can’t be copied (and thanks to its overall security design it would be a waste of time to try).

      The mag stripe can still be copied, but in the case of chip cards the track data includes a flag that specifies that the card is chipped. For a counterfeit to even stand a chance of working it has to be made using a chipped blank, and even then the payout success of cards will be lower as some terminals (or issuers) will not allow the required mag stripe fallback. Mag stripe tracks created using shimmed information are also not reliable, since these lack the correct CVV1 (and transactions will fail if this is checked). These factors render the entire enterprise more difficult and more expensive.

      • “Chip malfunctions” are becoming increasingly common here in Silicon Valley. I suspect that there was such a rush to install chip-capable terminals that nobody thought they might need regular maintenance to function properly and that they are full of cruft in the chip-reading area.

  10. I have a gas rewards card with a low limit ($500) that I *only* use for fuel – at least this way if I do slip up and get hit by a skimmer, the most I’m out is $500 and I can prove via transaction history that I don’t shop online or anywhere else with the card.

    • If that “gas rewards card” is a credit card, not a debit card linked to a checking account, then you will never be “out” any money at all… When money is stolen from credit cards, you are not required to pay the stolen amount on the bill while they investigate the fraud. The worst that can happen is your charge may get declined and/or you may be unable to use that card at all for a few weeks while they sort it out.

  11. I stopped using ‘Pay at the Pump’ the year my card was compromised twice in one year. The second time was definitely during the Target data breach.

    I’ve become concerned lately as I’ve noticed cars idling near drive thru Bank ATM’s. I even called my bank this last week to report one.

    The driver in the car ahead of me appeared to be doing nothing so when the lane next to him opened I used that. I always cover the keypad with my hand as I enter my pin but I noticed he must have rolled back to be in line with me. I saw him pulling forward as I was pulling out and it wasn’t to leave either.

    I set up all the alerts available thru my Bank to monitor my card but should we be concerned about Bank ATM’s? I’ve decided from now on to go inside and use that ATM. Maybe I just watch too much Mr. Robot 🙁

    • Well, I can’t say for sure what the drivers at your bank were doing that day. But where I bank, I see a lot of that, and it’s usually because people are preparing and signing checks/deposit slips, counting cash after an ATM withdrawal, etc. Most folks are very careful with their money, so you could be seeing some of that behavior, versus something nefarious.

    • @Rox – so you stopped paying at the pump because your card was compromised at Target? Wouldn’t it make more sense to stop shopping at Target (not that either option will really protect you)?

  12. Nowadays very hard to find good dumps suppliers, since dumps plus pins suppliers are all rippers, many carding forums are run by rippers !

  13. I’ve switched to the GasBuddy card program. They offer a fleet card that can only be used to pay for fuel, so the risk is minimized when you pay at the pump. As a bonus, they also give you a discount on fuel for using the program because they do an ACH transfer in the backend instead of processing a credit or debit card.

  14. I wonder if this lack of safety features is having a disproportionate impact on independent stations or stations in economically challenged zones. Or maybe not because customers in those neighborhoods use cash.

  15. You don’t ever have to give your pin using your debit card. You simply tell the machine that it’s a credit card & the security layer is putting in your zipcode.

  16. What I don’t see here is mention of the more generally-applicable risk advice vis-a-vis credit and ATM/debit cards: the consumer bears far more of the risk with ATM/debit cards than with credit cards. That alone is why I always use credit and not debit.

    In addition to liability limits being far lower on credit cards, I’d much rather dispute a charge than discover that my bank account is empty and argue for the return of my money.

  17. Rich Williams

    My debit card can also be used as a charge card, like many other debit cards (AFAIK). Does this mean, if I use my debit card as a charge card, by tapping “No” to the question, “is this a debit card?”, I am using a charge card for all intents and purposes?

    • Rich, no, your “Visa” or “Mastercard” branded debit card is still a debit card, so it does not offer the same protections as an actual credit card. It just allows you to use it at places that accept Visa and MC but processes the transaction from your account as a debit card.

  18. Exactly the point I was going to make but you beat me to it, Yorgan. I always use the credit feature with my debit card at gas pumps for precisely that reason. Good luck to any skimmer gang using my debit card data and my ZIP code as a PIN at an ATM.

  19. Pablo Gallegos

    I sat on a grand jury case that detailed how these thieves did this kind of work.
    – “Tamper proof” tape and the keys to the pumps are available for cheap on internet sites.
    – Bluetooth skimmers can be installed in 5 minutes and credit card numbers can be lifted daily for weeks with any cell phone with Bluetooth enabled and the right script.
    -Never pay at the pump if you must use your card go inside the gas station and use the machine there.

  20. Dmitry Volodin

    I have been already using several contactless pumps here in Northern Virginia. It’s Google Pay in my case, but I’m pretty sure Apple Pay and contactless cards/fobs will also work.

  21. Still waiting for any sort of contactless/tap/ApplePay to be enabled on the pumps here in MN.

    Seems the station owners prioritized having a TV screen and loudspeaker on every pump over basic security.

    Most of the pumps have an NFC tap pad on them, and likely an EMV capable reader and Apple/Google pay receiver, but I have yet to see anyone (are you listening, @Costco?) enable those functions.

  22. No matter how you use a debit card, it is tied to your debit account which is usually a primary checking account. The next most prevalent debit card is a prepaid checkless checking account. There are other types.

    Once a fraudster has magstripe data from a card, they can use it in any way your bank and merchants allow you to, whether you do or not. If a merchant doesn’t require a pin or zip code, the stolen card data works just fine for the fraudster. They know where they can do this, it’s their profession.

    The problem with a debit card is the money stolen when the card is compromised is your money. With a credit card it is the bank’s money/your credit line. When your account is drained (debit card) or maxed out to the limit (credit card) the consequences are vastly different. Most people pay their bills with their checking account, checks begin bouncing on a drained account along with fees from your bank, the payees’ banks on them and fees from payees themselves.

    Fraud protection has been around a lot longer for credit cards and is codified in US law with certain limits but banks have generally been more generous on the limits (i.e. zero liability).

  23. “Zero problems” with the newer payment card systems? That’s good.

    But it may tempt police, banks, and fuel sellers to drop their guard. Defense in depth is always needed. All secrets eventually leak.

    The nice thing about EMV chip and pin, and applepay etc, is this:
    secrets that must travel over the wire have very short useful lifetimes, and so pose less threat if they leak.

    In the meantime, I learned the hard way always to use a credit card without any debit feature to pay at pumps. Visa and MC are responsible for delaying EMV at fuel sellers. So they should eat the cost.

    • Don’t let the “zero problems” with the newer payment card systems fool anyone into thinking that the newer systems are all 100% forever unhackable though… just they’re much harder to hack (or the older ones are crazy stupid easy to hack, depending on how you look at it)… Thieves will always concentrate on the lowest hanging fruit for as long as it remains the most lucrative thing to do…

  24. I’m more concerned with the “Contains Ethanol” sticker on those gas pumps. I’ve never been hit with a card skimmer but I’ve definitely been skimmed of gas mileage by being forced to buy ethanol in my regular gas.

  25. S. Vermillion

    I cannot resist pointing out two concepts likely to be somewhat mysterious to younger readers:

    1. Traditional payphone keypads.
    2. Bounced checks.

    • In the US the most common type of account you can put money into and pay all your bills with is still called a “checking account” even if nobody uses old fashioned dead tree paper checks with it anymore. But electronic transfers or payments can still be declined or overdraw due to non sufficient funds (though that’s a bit longer wording than “bouncing”). 🙂

      I can’t help with the payphone analogy though, sorry. Some other modern devices have “full travel” keypads, but I can’t think of where it’s ubiquitous nowadays… 🙂

  26. A few years ago here in LA, the crooks migrated to exterior skimming devices as the stations locked down their dispensers. Shimmers are not far behind.

  27. I was under impression that each microchip card has a unique private key embedded, not accessible to any software. Such a card should be impossible to duplicate, right?

    • You can take a chip card and make a counterfeit card with a magnetic stripe that works. Somebody obviously goofed with the chip protocol to allow this to happen.

      • Not really a goof – mag stripes still exist and are still accepted because not all terminals are EMV-capable but cards still need to work. Once all terminals worldwide can be assumed to be EMV-capable the mag stripes can go and chip security can function as intended.

        The day is coming though – I work for a card issuer, and implemented a software block on most of our mag stripe transactions with very few side effects and total success against counterfeit fraud.
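The two threads above (comment 9, on why a chip card's stripe is harder to counterfeit, and comment 27, on an issuer blocking magstripe transactions) can be illustrated with a small Python model of the issuer side. This is an added example, not code from any card issuer or from this site: it parses ISO 7813 Track 2 data, reads the service code (a first digit of 2 or 6 means the card carries a chip), verifies the CVV1, and declines a chip card that arrives as a magstripe read from a chip-capable terminal. The CVV derivation uses HMAC-SHA256 in place of the DES-based CVK algorithm, the discretionary-data layout and all sample cards are constructed, and the iCVV is modeled the way EMV specifies it, with service code 999 substituted, which is why track data copied from the chip fails the stripe check.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Tuple

# Constructed issuer key. Real issuers derive CVV1/iCVV with a DES-based
# Card Verification Key; HMAC-SHA256 stands in for that here.
ISSUER_CVK = b"example-cvk-for-illustration-only"
CVV_LEN = 3   # assumed: the last three digits of the discretionary data hold the CVV


@dataclass
class Track2:
    pan: str
    expiry: str        # YYMM
    service_code: str  # three digits
    discretionary: str


def luhn_ok(pan: str) -> bool:
    """Standard Luhn check on a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> Track2:
    """Parse ';PAN=YYMMSSSdiscretionary?' (start sentinel, separator, end sentinel)."""
    body = raw.strip()
    if not (body.startswith(";") and body.endswith("?")):
        raise ValueError("missing track 2 sentinels")
    pan, sep, rest = body[1:-1].partition("=")
    if sep != "=" or not pan.isdigit() or not 12 <= len(pan) <= 19 or not luhn_ok(pan):
        raise ValueError("bad PAN")
    if len(rest) < 7 or not rest.isdigit():
        raise ValueError("bad expiry/service code")
    return Track2(pan, rest[:4], rest[4:7], rest[7:])


def chip_present(t: Track2) -> bool:
    """Service code first digit 2 or 6 flags a card that carries an IC chip."""
    return t.service_code[0] in "26"


def card_verification_value(pan: str, expiry: str, service_code: str) -> str:
    """Stand-in CVV generator: CVV1 uses the stripe's service code, iCVV uses '999'."""
    mac = hmac.new(ISSUER_CVK, f"{pan}|{expiry}|{service_code}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1000:03d}"


def encode_track2(pan: str, expiry: str, service_code: str, cvv: str) -> str:
    """Build a track 2 string; PVKI '1' and PVV '0000' are constructed filler."""
    return f";{pan}={expiry}{service_code}10000{cvv}?"


def authorize(raw_track2: str, entry_mode: str, terminal_chip_capable: bool) -> Tuple[bool, str]:
    """Issuer-side decision for a chip-read or magstripe-read transaction."""
    try:
        t = parse_track2(raw_track2)
    except ValueError as exc:
        return False, f"declined: {exc}"
    if entry_mode == "chip":
        return True, "approved: chip transaction"
    if entry_mode != "magstripe":
        return False, "declined: unknown entry mode"
    expected = card_verification_value(t.pan, t.expiry, t.service_code)
    if t.discretionary[-CVV_LEN:] != expected:
        # Track data copied from the chip carries the iCVV, not CVV1, so it fails here.
        return False, "declined: CVV1 mismatch"
    if chip_present(t) and terminal_chip_capable:
        # The issuer-side magstripe block comment 27 describes: a chip card swiped
        # at a chip-capable terminal is treated as suspect fallback.
        return False, "declined: chip card presented by magstripe at a chip-capable terminal"
    return True, "approved: magstripe transaction"


# Constructed sample card: 4111... is a well-known test PAN; service code 201 =
# chip present, online authorization, no PIN restriction.
PAN, EXPIRY, SC = "4111111111111111", "2512", "201"
GENUINE_STRIPE = encode_track2(PAN, EXPIRY, SC, card_verification_value(PAN, EXPIRY, SC))
SHIMMED_STRIPE = encode_track2(PAN, EXPIRY, SC, card_verification_value(PAN, EXPIRY, "999"))

if __name__ == "__main__":
    for label, track, mode, chip_term in [
        ("skimmed stripe replayed at a legacy pump", GENUINE_STRIPE, "magstripe", False),
        ("skimmed stripe replayed at a chip-capable pump", GENUINE_STRIPE, "magstripe", True),
        ("shimmed chip data written to a stripe", SHIMMED_STRIPE, "magstripe", False),
        ("genuine chip dip", GENUINE_STRIPE, "chip", True),
    ]:
        print(f"{label}: {authorize(track, mode, chip_term)[1]}")
```

The first case is the one this article is about: a stripe skimmed at an old pump still authorizes at any merchant that is not chip-capable, which is exactly why thieves keep targeting legacy dispensers. The other three show where chip deployment and issuer policy close the door.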

  28. Obligatory Skimmer Scanner reference for Android.

  29. Buy an electric car

  30. Easiest way to avoid it is walk into the station and pay. After the first time it happened to me I started paying inside. Haven’t had it happen in three years now.