When people banking in the United States lose money because their payment card got skimmed at an ATM, gas pump or grocery store checkout terminal, they may face hassles or delays in recovering any lost funds, but they are almost always made whole by their financial institution. Yet, one class of Americans — those receiving food assistance benefits via state-issued prepaid debit cards — are particularly exposed to losses from skimming scams, and usually have little recourse to do anything about it.
Over the past several months, authorities in multiple U.S. states have reported rapid increases in skimming losses tied to people who receive assistance via Electronic Benefits Transfer (EBT), which allows a Supplemental Nutrition Assistance Program (SNAP) participant to pay for food using SNAP benefits.
When a participant uses a SNAP payment card at an authorized retail store, their SNAP EBT account is debited to reimburse the store for food that was purchased. EBT is used in all 50 states, the District of Columbia, Puerto Rico, the Virgin Islands, and Guam.
EBT cards work just like regular debit cards, in that they can be used along with a personal identification number (PIN) to pay for goods at participating stores, and to withdraw cash from an ATM.
However, EBT cards differ from debit cards issued to most Americans in two important ways. First, most states do not equip EBT cards with smart chip technology, which can make payment cards much more difficult and expensive for skimming thieves to clone.
Alas, it is no accident that all of the states reporting recent spikes in fraud tied to EBT accounts — including California, Connecticut, Maryland, Pennsylvania, Tennessee, and Virginia appear to currently issue chip-less cards to their EBT recipients.
In September, authorities in California arrested three men thought to be part of a skimming crew that specifically targeted EBT cards and balances. The men allegedly installed deep insert skimmers, and stole PINs using tiny hidden cameras.
“The arrests were the result of a joint investigation by the Sheriff’s Office and Bank of America corporate security,” reads a September 2022 story from The Sacramento Bee. “The investigation focused on illegal skimming, particularly the high-volume cash-out sequence at ATMs near the start of each month when Electronic Benefits Transfer accounts are funded by California.”
Armed with a victim’s PIN along with stolen card data, thieves can clone the card onto anything with a magnetic stripe and use it at ATMs to withdraw cash, or as a payment instrument at any establishment that accepts EBT cards.
Although it may be shocking that California — one of America’s wealthiest states — still treats EBT recipients as second-class citizens by issuing them chip-less debit cards, California behaves like most other states in this regard.
More critical, however, is the second way SNAP cards differ from regular debit cards: Recipients of SNAP benefits have little to no hope of recovering their funds when their EBT cards are copied by card-skimming devices and used for fraud.
That’s because in the SNAP program, federal law bars the states from replacing SNAP benefits using federal funds. And while some of these EBT cards have Visa or MasterCard logos on them, it is not up to those companies to replace funds in the event of fraud.
Victims are encouraged to report the theft to both their state agency and the local police, but many victims say they rarely receive updates on their cases from police, and, if they hear from the state, it’s usually the agency telling them it found no evidence of fraud.
That’s according to Brenna Smith, a reporter at The Baltimore Banner who recently wrote about the case of a Maryland mother of three who lost nearly $3,000 in SNAP benefits thanks to a skimmer installed at a local 7-Eleven. Maryland [Department of Human Services] spokesperson Katherine Morris told the Banner there was evidence of “a nationwide EBT card cloning scheme.”
The woman profiled in Smith’s story contacted all of the retailers where her EBT card was used to buy thousands of dollars worth of baby formula. Two of those retailers agreed to share video surveillance footage of the people making the purchases at the exact timestamps specified in her EBT account history: The videos clearly showed it was the same fraudster making both purchases with a cloned copy of her EBT card.
Even after the police officer assigned to the victim’s case confirmed they found a skimmer installed at the 7-Eleven store she frequented, her claim — which was denied — is still languishing in appeals months later.
The Center for Law and Social Policy (CLASP) recently published Five Ways State Agencies Can Support EBT Users at Risk of Skimming. CLASP says while it is true states can’t use federal funds to replace benefits unless the loss was due to a “system error,” states could use their own funds.
“Doing so will ensure families don’t have to go without food, gas money, or their rent for the month,” CLASP wrote.
That would help address the symptoms of card skimming, but not a root cause. Hardly anyone is suggesting the obvious, which is to equip EBT cards with the same security technology afforded to practically everyone else participating in the U.S. banking system.
There are several reasons most state-issued EBT cards do not include chips. For starters, nobody says they have to. Also, it’s a fair bit more expensive to produce chip cards versus plain old magnetic stripe cards, and many state assistance programs are chronically under-funded. Finally, there is no vocal (or at least well-heeled) constituency advocating for change.
“or at least well-heeled” – says the very vocal Krebs!
Do you know what “well-heeled” means?
It’s an expression that means a person of with some money. A person with money to spend can choose to keep his/her shoes in good condition, meaning the heels (and the toes and sides) wouldn’t be scuffed or worn down.
Right. BK isn’t a shoe factory is the point. We need leather in the field.
I’m glad you wrote about this as the EBT Snap cards business seem to be up for grabs. Most people do not know there’s a company, Solutran, wholly owned subsidiary of Optum Financial, United Healthcare that provides these transaction services, and yet they do try to roll it into the customer’s healthcare plan too so they can see what they buy.
Nothing will happen here until the cabal of the health insurance business United Healthcare takes it all over, and I expect this eventually to integrate with the Optum Bank that UNH owns as well. HHS/CMS use the Optum Bank to send relief payments to hospitals and doctors..their preferred bank.
They are also coming after the WIC business, so monitoring what you buy, when and how is on the minds of corporate America.
https://www.inetco.com/resources/case-studies/solutran-electronic-payment-processing/
https://www.solutran.com/category/government-ewic/
“Albertsons has partnered with technology payments platforms, including Solutran S3, to enable eligible cardholders to use their health plan funds to shop for hundreds of eligible fresh produce and over-the-counter products in its stores. Customers can use their pre-paid cards in stores to easily shop for eligible items and make healthier choices.”
“Solutran announced it has successfully processed over 1 billion dollars in Electronic Benefits Transfer (EBT) transactions across eWIC, Smart Card WIC, and SNAP/TANF programs. This accomplishment was achieved through Solutran’s cutting-edge S3™ EBT technology and customer-focused staff who together have over 200 years of EBT experience.”
https://www.solutran.com/solutran-reaches-one-billion-in-transaction-processing-ebt/
Solutran, LLC, a part of Optum, is a FinTech benefit payments company providing directed spend health solutions with its proprietary S3® technology.
Long and short of all of this is that it appears Solutran and United Healthcare are moving to a new technology that will allow they to even gather more purchasing data which can be used for risk assessing and underwriting insurance plans.
https://www.globenewswire.com/en/news-release/2022/02/09/2382341/0/en/Solutran-Launches-First-of-its-Kind-Cardless-Solution-for-Maine-WIC-Program.html
https://www.solutran.com/sponsor-programs/healthcare/otc-benefits/
Solutran joins Optum and is now a part of the UnitedHealth Group family of companies.
https://www.solutran.com/cool_timeline/solutran-joins-optum-unitedhealth-group-family-of-companies/
This is where all those state contracts are going, although they do have competition, private equity owned Incomm for EBT, WIC, and Snap state contracts.
to sum up your post, it sounds like huge profits in keeping people poor enough to be dependent on assistance, that they can profit on processing their financials. Having worked at Oxford Health when United took it over, I know firsthand the only goal of UHG is profit. There is no crazy conspiracy, other than just business models that abuse people (the most vulnerable) for profit. SNAFU.
Excellent post!
So,california is going to be giving out $9.4 BILLION in EXTRA payments to lower income families etc in the next year,on top of Lord knows how much in other payments to its population,california is one of the richest states in USA,making it one of the wealthiest places on the entire planet,but they can’t afford the few cents extra between price of a mag stripe card and chipped card ?
Seeing as how the states is slowly catching up with the rest of us in using chopped cards etc ,d not be suprised that they are either using up billions of existing,obsolete mag stripes cards or being charged premium prices to have mag stripe cards made cos nobody else is using them now.
It still amazes many of us just how un-joined up many systems and states are,the rest of are living and using almost magic 22nd century tech everyday ,yet the allegedly richest country on the planet is struggling along with 19th century techniques and 20th century hardware.
And then just to prove to us just how backward and f**ked up the states really is,your still talking about Donald Chump running for a 2nd term,when in most other countries,he and his family and lots of cronies would be languishing in the worst nightmare hole of a prison that is available.
And you think the rest of us should listen to you as leaders of the western world !!!
Found the Communist Russian hacker
Found the MAGAt who thinks Putin is our friend.
This is basic new deal progressivism that helped us out of the great depression. You 1950’s Red Scare McCarthists need to go away.
@royalbladeworks on Instagram. Bada$$ !
I worked with mag stripe cards, also known as CR-80 cards, back in 1999-2001 for security doors in a facility. Back then each blank card cost $3 bucks. And yes, we bought them in “bulk”, a 100-pack cost $300 back then. I am sure it is orders of magnitude less now. But I now work in a job now that has a requirement for chip cards to access certain things, and I asked the security guy what that costs. He said that he didn’t know the actual cost of the card itself, but he extrapolated that it would be around $300 (yes, three hundred smackers) when you count for all the management time, card creation, maintaining accounts, etc. Now that for is his security-type job working with those cards, and I am sure the banks or whoever card issuer for the states can get the price down in volume, but still I don’t see it costing a “few cents extra” than CR-80 mag stripe cards.
the security IC in the card, including embedding, costs between 0.30 and 0.60US$. Yes of course there is some setup cost for the machinery and IT to write the data, but assuming you issue millions of cards, that is amortized fairly quickly.
Sorry about the garbled earlier post ,but thats what happens when your forced to use American software etc on hardware from that other totally f**ked up,mafia run dump,south Korea,poxy usless samsung still can’t design/build a decent phone that doesn’t have at least one major failing in every single device they make and then having to use products from those 2 wonderful examples of pure greed,alphabet/google/android and bloody idiot Microsoft.
I too hate Micro$hit. So much money. Could hire the best talent in the world. Could make the best products ever. Yet they keep shipping out 50-100 exploits with 0-6 Zero Days a month.
I think the problem is * hyper * capitalism, quality and integrity are dead in the face of profits. Using things like Scrum and Agile in order to push out more low quality products, meaning sales have more junk to sell.
Shouldn’t at least some of the burden be on the retailers to regularly check their system for skimmers?
How hard would it be to put together a list of things or a tool to detect this?
The skimming is a real problem in one of the states I see listed as I have personally dealt with it over the last 4-5 years with EBT cards. One component is the servicer of those EBT cards. They were less than willing to get involved when we and other issuers noticed sharp velocity cash outs on our ATMs for those EBT BINs. This also results in ordering more refills to ATMs because the cash position keeps dipping below normal.
It becomes cartoonish at some point when you see the same person using 10-15 different EBT cards. There is no lawful reason that we can think of. At least earlier on when trying to contact the servicer or the State many issuers hit dead air. Even contacting LEO proved inactive IF there was no one really reporting a loss or again the State was not responding back to LEO which in turn led to no arrests. Only now is it kind of picking up steam independent of getting caught with a thin deep insert.
The servicer I am speaking of is also a bank and I have called them out pretty harshly before in this context. Mainly because in PIN compromise or a skimmer they operate completely different on their OWN revenue generating portfolios and could easily minimize the fraud. Instead, they have taken the contract money and offered no Risk/Fraud protection to these states for their EBT and assistance program and the criminals know it.
The “Ted Leaf” comment above if the kind of thing that is ruining this information source. I come to this site to get useful information, including the comments that used to be a good source of information. Now it is turning into an outlet for infantile political rants. Waiting for the spray points, doxing, and violence. It can’t be that hard to police this a little.
unfortunately, these kinds of confused posts show up here once in a while, purposely to divert the discussion to their own scattered brain trail.
So sad to see. :/
This has been an issue for years and yet the most obvious step, as you point out, is issuing chipped cards. Why don’t states do that?
Some of the card issuers aren’t fly-by-night outfits either, such as Bank of America. One would think they would care about public perception, but apparently not. Which leads me to believe it’s not just greed, but also corruption. Not only in getting such contracts, but possibly insiders also profiting from the fraud somehow.
Regardless, there needs to be more fraud protection for EBT recipients. Is any progress being made on that front?
It would take a massive do-over in government for that to change.
Expensive, fraught. Necessary, but not a bargain on a short timeline.
It’s kind of locked in a death spiral of fearing expensive change now,
as an excuse to do nothing, as they get exploited and spend manhours
on the ass end of the bargain instead.
Last month I had two chipped credit cards compromised by card skimmers installed in both a gas pump (first card) and in the counter card reader (second card) at a gas station in the City of Rancho Cucamonga, California. In my case the major banks that issued the cards detected the cards had been compromised and notified me within an hour. Based on my experience I’m skeptical that a chipped card offers any more protection.
Mag stripes can always be skimmed – having a chip on the card doesn’t prevent this in any way. *Using* the chip (dipping rather than swiping whenever available) protects against skimming by not giving a skimming device an opportunity to read the mag stripe. And as magstripes are (finally!) phased out, banks have increasing leeway to decline magstripe transactions and reduce fraud that way.
Gas pumps or aka AFDs use a composite card reader where the chip reader and the mag stripe reader are enclosed in the same insert unlike your typical grocery store which will have the EMV insert at the bottom and the swipe to the right. ATMs also use this methodology. The problem here is at least with the initial US EMV roll out these readers would read both the Chip and mag at the same time. If the Chip read was good it would dump the mag read. If not, it would go into what is called “fallback” and use the mag stripe data. In most cases you wouldn’t be able to tell how the pump or ATM processed your transaction unless it showed the entry mode on your receipt.
In the issue with your gas pump compromise is that those skimmers do not take the chip data, they take the mag stripe data and possibly the PIN if entered. They run off of internal power. It is not that the Chip card failed you it was that the gas pump read that mag stripe which is a problem with any bank dealing with skimmers. Sometimes the catches are a lot easier if you typically do only contactless or EMV and all of a sudden there is fallback (mag stripe) transactions. This would be a good indicator on why you got the alert from your bank.
Why not just demagnetize the strip with a strong magnet or degausser, leaving only the chip to be read?
It’s really sad to see how the public sector boasts cyber here and there and then it creates a weak infrastructure to distribute resources to the poor people.
Uh, my understanding of the California EBT card is that the little silver emblem with the Golden Gate bridge is an embedded cvv number. All existing and new cards were updated, and in the process of being updated, as of March 2022, without that, the pin is still useless because the cvv number can’t be read since it is embedded within the card and not the magnetic strip. This does not include the use of the card with online websites since the cvv is not visible and can not be used for an online purchase, only the pin number is used, however it is supposed to protect the card from skimming since the skimmers can not read the cvv number through the terminal being used to make the purchase and be electronically verified.
There are multiple card verification values (CVVs) on a payment card (exactly how many depends on what features are on the card). On a plain magstripe card such as those discussed here, there is always a CVV on the mag stripe (can be checked by machine but not read visually) and there should be a CVV2 printed on the back of the card (3 digits which can be read visually but not machine checked). This is why skimming rarely leads to online purchases, since a skimmer records mag stripe information while the printed CVV2 is usually required online. The only CVVs embedded within a card are the eCVVs associated with EMV/payWave/PayPass chips – the absence of which is the subject of this article. Design features like holograms or little silver logos are incorporated to make cards more difficult to forge or tamper, but have no security value beyond this.
Do you mind providing an official source, or otherwise regard this? Perhaps my comprehension in substandard, because what you described doesn’t make much sense
Let this be record of public sentiment that any willing participants of the aforementioned activities will find equal opposition outside the realm of Whitehats and Law Enforcement. All inadequate persons will do well to reconsider returning to work at their nearest street-corners and staying the fuck out of our fields.
I do think this is about cost as opposed to some sort of discrimination. Every dollar spent on a chip card is one less dollar to be paid out in benefits. But this kind of thing MUST be stopped. As Brian notes, these vital programs are already underfunded. The very least we can do is go after those who abuse the system and make them feel the pain they’ve visited upon others.
Never posted here. Thinking about the dual meaning, “those most vulnerable.” Defend these should be the cardinal rule in cybersecurity. Why are low hanging fruit challenges left wayside?
The best thing a consumer can do for using debit cards is attach it to a separate account. You may be able to successfully dispute a charge, but while your disputing, the money for your rent or mortgage is gone from the account. Daily limits on the card limit exposure to fraud, but daily limit is also Saturday, Sunday, etc. Using a separate account is how a person can control the amount of money that can be exposed to fraud.
Crazy stuff. There should be more control on this