February 17, 2023

Millions of Americans receiving food assistance benefits just earned a new right that they can’t yet enforce: The right to be reimbursed if funds on their Electronic Benefit Transfer (EBT) cards are stolen by card skimming devices secretly installed at cash machines and grocery store checkout lanes.

On December 29, 2022, President Biden signed into law the Consolidated Appropriations Act of 2023, which — for the first time ever — includes provisions for the replacement of stolen EBT benefits. This is a big deal because in 2022, organized crime groups began massively targeting EBT accounts — often emptying affected accounts at ATMs immediately after the states disperse funds each month.

EBT cards can be used along with a personal identification number (PIN) to pay for goods at participating stores, and to withdraw cash from an ATM. However, EBT cards differ from debit cards issued to most Americans in two important ways. First, most states do not equip EBT cards with smart chip technology, which can make the cards more difficult and expensive for skimming thieves to clone.

More critically, EBT participants traditionally have had little hope of recovering food assistance funds when their cards were copied by card-skimming devices and used for fraud. That’s because while the EBT programs are operated by individually by the states, those programs are funded by the U.S. Department of Agriculture (USDA), which until late last year was barred from reimbursing states for stolen EBT funds.

The protections passed in the 2023 Appropriations Act allow states to use federal funds to replace stolen EBT benefits, and they permit states to seek reimbursement for any skimmed EBT funds they may have replaced from their own coffers (dating back to Oct. 1, 2022).

But first, all 50 states must each submit a plan for how they are going to protect and replace food benefits stolen via card skimming. Guidance for the states in drafting those plans was issued by the USDA on Jan. 31 (PDF), and states that don’t get them done before Feb. 27, 2023 risk losing the ability to be reimbursed for EBT fraud losses.

Deborah Harris is a staff attorney at The Massachusetts Law Reform Institute (MLRI), a nonprofit legal assistance organization that has closely tracked the EBT skimming epidemic. In November 2022, the MLRI filed a class-action lawsuit against Massachusetts on behalf of thousands of low-income families who were collectively robbed of more than $1 million in food assistance benefits by card skimming devices secretly installed at cash machines and grocery store checkout lanes across the state.

Harris said she’s pleased that the USDA guidelines were issued so promptly, and that the guidance for states was not overly prescriptive. For example, some security experts have suggested that adding contactless capability to EBT cards could help participants avoid skimming devices altogether. But Harris said contactless cards do not require a PIN, which is the only thing that stops EBT cards from being drained at the ATM when a participant’s card is lost or stolen.

Then again, nothing in the guidance even mentions chip-based cards, or any other advice for improving the physical security of EBT cards. Rather, it suggests states should seek to develop the capability to perform basic fraud detection and alerting on suspicious transactions, such as when an EBT card that is normally used only in one geographic area suddenly is used to withdraw cash at an ATM halfway across the country.

“Besides having the states move fast to approve their plans, we’d also like to see a focused effort to move states from magstripe-only cards to chip, and also assisting states to develop the algorithms that will enable them to identify likely incidents of stolen benefits,” Harris said.

Harris said Massachusetts has begun using algorithms to look for these suspicious transaction patterns throughout its EBT network, and now has the ability to alert households and verify transactions. But she said most states do not have this capability.

“We have heard that other states aren’t currently able to do that,” Harris said. “But encouraging states to more affirmatively identify instances of likely theft and assisting with the claims and verification process is critical. Most households can’t do that on their own, and in Massachusetts it’s very hard for a person to get a copy of their transaction history. Some states can do that through third-party apps, but something so basic should not be on the burden of EBT households.”

Some states aren’t waiting for direction from the federal government to beef up EBT card security. Like Maryland, which identified more than 1,400 households hit by EBT skimming attacks last year — a tenfold increase over 2021.

Advocates for EBT beneficiaries in Maryland are backing Senate Bill 401 (PDF), which would require the use of chip technology and ongoing monitoring for suspicious activity (a hearing on SB401 is scheduled in the Maryland Senate Finance Commission for Thursday, Feb. 23, at 1 p.m.).

Michelle Salomon Madaio is a director at the Homeless Persons Representation Project, a legal assistance organization based in Silver Spring, Md. Madaio said the bill would require the state Department of Human Services to replace skimmed benefits, not only after the bill goes into effect but also retroactively from January 2020 to the present.

Madaio said the bill also would require the state to monitor for patterns of suspicious activity on EBT cards, and to develop a mechanism to contact potentially affected households.

“For most of the skimming victims we’ve worked with, the fraudulent transactions would be pretty easy to spot because they mostly happened in the middle of the night or out of state, or both,” Madaio said. “To make matters worse, a lot of families whose benefits were scammed then incurred late fees on many other things as a result.”

It is not difficult to see why organized crime groups have pounced on EBT cards as easy money. In most traditional payment card transactions, there are usually several parties that have a financial interest in minimizing fraud and fraud losses, including the bank that issued the card, the card network (Visa, MasterCard, Discover, etc.), and the merchant.

But that infrastructure simply does not exist within state EBT programs, and it certainly isn’t a thing at the inter-state level. What that means is that the vast majority of EBT cards have zero fraud controls, which is exactly what continues to make them so appealing to thieves.

For now, the only fraud controls available to most EBT cardholders include being especially paranoid about where they use their cards, and frequently changing their PINs.

According to USDA guidance issued prior to the passage of the appropriations act, EBT cardholders should consider changing their card PIN at least once a month.

“By changing PINs frequently, at least monthly, and doing so before benefit issuance dates, households can minimize their risk of stolen benefits from a previously skimmed EBT card,” the USDA advised.

32 thoughts on “New Protections for Food Benefits Stolen by Skimmers

  1. mealy

    I assume there’s a hard and fast reason why contactless can’t additionally have a PIN added to it? What is it?

  2. Eric

    How long until touchless is the only way to interact? And that goes for ATMs too!

    1. mealy

      I tried to ask a question about why they “can’t” combine contactless tech with a simple pin, if that were some sort of hardware limitation or mere design oversight or what, but it didn’t make it past the moderation filter yet for whatever reason. I could research it myself but does anyone know off hand?

      1. timeless

        Looks like there have been attacks [1] against contactless PIN…
        EMV is a bit of a mess [2]. It’s still better than magstripe, but for something that’s been around for >30 years, it’s still in its infancy wrt security.

        In short, EMV _technically_ supports PINs for contactless transactions. In practice the EMV protocol is a mess. EMV readers generally speaking “trust” a lot of the data provided by the EMV client, but a lot of that data doesn’t appear to be signed, so it’s apparently fairly easy for a MITM to “patch” the data to subtract out the qualifiers (e.g. “please get my bearer to provide a PIN”).

        [1] https://link.springer.com/chapter/10.1007/978-3-642-39884-1_26
        [2] https://www.welivesecurity.com/2020/08/31/security-flaw-allows-bypassing-pin-verification-visa-contactless-cards/

        1. SeanB

          Yes, but still a few orders of magnitude harder than the easy to do clone of magstripe data and scribble a signature that will almost never be verified.

        2. mealy

          Good links. “Offline verification” ugh, another hole in the armor.

      2. samak

        They can combine contactless tech with a simple pin, we do it here in Australia.

        1. mealy

          Apparently there are two schools, chip and pin vs chip and signature.
          EU countries (and AU) mostly do the pin, US and Asia more the sig.
          It’s not a technical limitation at all but a likely bureaucratic one, like so
          many unreasonable fails an intent toward existing legacy compatibility.

      3. Anon

        In Australia contactless credit or debit transactions can trigger a PIN confirmation above certain threshold amounts, so I don’t think its a hardware limitation.

  3. Violet Lemm

    I live in CA. and last year was Skimmed over $800 and my claims were denied. Is there chance of recovering that now?

    1. Crystal

      I was skimmed in april 2020 .I had to appeal my claims because they were denied. But not sure if they can do anything now since been a year.i think i read you have 10days after the incident to report.

    2. Terry Bolo

      KCAL New in Los Angeles did a story about EBT theft, and is continuing to investigate the refusal of the state and county to reinburse the full balance. Contact news investigative reporters. File an appeal of your denial. It is not right for you to have to sustain the loss. This is a big problem, and people who have the cards issued to them did nothing wrong. It is like being robbed twice!

  4. SeanB

    The contactless payment can absolutely be required to have a PIN entry, as that is actually something the banks have control over. Set either by the issuing bank, or by a bit in the communication between reader and card, to require a PIN entry for a transaction. It is merely a convenience that banks do not set a PIN requirement for some low value transactions, but pretty much every EMV reader that you see with contactless capability will be able to handle PIN entry for any particular type of card. Not issuing a EMV card, which will still have the ability to have CNP transactions, or as a default fallback swipe, is actually cheaper for the banks to do, as they merely have to print the cover sheet, that is then bonded to the blank EMV cards they buy in bulk for a fraction of a cent each.

    Buying a non EMV card is a lot more cost, as now you are buying low volumes. Only in the USA can you get a debit or credit card that is magstripe only, every other country across the planet, even ones that are definitely third world, will accept contactless or CNP transactions, if they do not accept phone to phone transactions already, like most of Africa already does. Africa, where the poor US tourist has issues, because nobody will take swipe only, and also where no merchant, aside from a few hotels, will accept Diners or American Express cards at all.

  5. Info

    Contactless or touchless is being scammed as we speak, talk to a retail business owner there seeing this happen now. Cash is the only way you can eliminate it for yourself.

  6. Will S

    Go back to paper….no one stole those because no one wanted to use them. Was also a good way to incentivize people to get off Food Stams

  7. mark

    Question: if one has a food-only EBT, can that be drained? It can’t be used at an ATM unless they have cash on it. “Food stamps” can’t be hit, can they?

    1. nancyg

      That is my question…if these are SNAP benefits, why are the cards even allowed to be used at an ATM?

    2. ThursdaysGeek

      See my comment below about one person who got the runaround when her card was drained: the people went to various stores and bought baby formula. It’s compact, doesn’t go bad, and when her card was hacked, baby formula was in short supply. There are food items that can easily be sold again.

    3. Terry Bolo

      Yes, they just sell it to people who use it for food.

  8. Bryan W

    This seems like a great step forward in the right direction. From having no requirements to reimburse to having some and encouraging greater security measures. It’s not going to solve the entire issue but it will help those impacted by it.

  9. Blanche DuBois

    Good story Brian.
    It will provide rich fodder for future ones, if you want.
    Let’s watch how 53 jurisdictions respond, now that the USDA says it will pick up the state’s “open faucet” $ losses on EBT.
    That’s a strong incentive for the race to the bottom of minimal EBT security.
    As the advocate said, who wants security to be “overly prescriptive”.
    Right! That would be a very bad precedent…
    And best, none of the USDA reimbursements (We pay twice?) involve a tax increase; just more Federal debt.
    A win-win for all, including the data thugs.
    Enjoyed the part that the USDA gave the 53 jurisdictions a more than ample 30 days to create and implement a “security fix” for EBT from scratch.
    “We Americans can do it! Just look at what we accomplished with the REAL ID program, also involving the same 53, even with the security incentive of 11Sp2001 and 3000+ dead Americans!” (2025?…For sure?…This time?…)
    The story’s also a good sub-set of the larger US saga with the mentioned EMV-PKI (chip) security piece.
    EMV-PKI (chip tech) was invented in France in 1992 in response to card fraud. US Issuers “swiftly” adopted it in 2015, but only so to speak.
    US Issuers (unlike their foreign counterparts) gratefully chose the near useless “chip & scribble”, and kept that 1928 magnetic strip tech in full force.
    (What? Other “overly prescriptive” items reared its ugly head in the fraud battle?)
    And the Issuers’ reward for no PIN: Still facing credit card CP fraud, with CNP fraud to boot.
    Because of the US Issuers’ strenuous efforts since the 1970s, the average adult American today has 4 CCs, so if Issuer A flipped his software switch and required a PIN entry, the US cardholder would just shift to Issuer B’s CC, who made no such silly PIN demand, thereby costing Issuer A his Interchange Fee.
    What US Issuer wants to be first?
    To be fair, US Issuers know their customers, who also think “qwerty” is a great P/W. For 4 CCs, having 4 separate and unchangeable PINs, would be customer mental assault and battery.
    For US Issuers, income and marketing are always superior to “barely just enough” security.
    In the US, the net-net fraud expense is always measured against the ROI for that product line.
    (Hint: US fraud losses are a business expense.)
    The beauty of US Issuers and this EMV-PKI & PIN quandary is that, unlike those foreign Issuers and central banks with their pesky anti-fraud views, the Federal Reserve holds it has no “specific” authority to order full implementation by a date certain, or if that doesn’t work with the listener, just let the private sector solve it…Whatever!
    The good news of this is that we now have a thriving fraud ecosystem, funding both US and foreign data thugs, all ever ready to exploit whatever US or state public or private sector programs that comes along, that is centered on “easy electronic commerce”.
    Covid unemployment fraud anyone? Zelle fraud anyone?
    And best, if a data thug is caught/extradicted to US, they can claim they never used a gun to steal millions. Even US courts and state legislators see un-armed major fraud as just a cost of doing business.
    Brian, thanks to this designed US infrastructure, you have a deep well of future fraud, data breach, etc., etc., stories coming down the pike. A deep river that never runs dry.
    Ain’t it a great country, or what!

  10. SteveB

    “But Harris said contactless cards do not require a PIN, which is the only thing that stops EBT cards from being drained at the ATM when a participant’s card is lost or stolen.”
    Totally stupid logic. If the recipient’s card is lost or stolen, they will/should know about it 99% of the time. These people are having their info skimmed and put onto 1970’s technology that can be copied for pennies per card. How the hell can they stop it if they don’t know it’s happened until their benefits are completely drained? At least if the card is lost/stolen, they can immediately report it and prevent further theft. Instead, they’re issued the cheapest tech available and we all end up paying more in the long-run.

  11. ThursdaysGeek

    On a related note, the podcast ‘The Runaround’ recently put out by ‘This American Life’ tells of someone who had money drained from her EBT, how she tracked down the people who did it (turns out baby formula is a good way to turn stolen EBT funds into cash, especially in the summer of 2022), and tried to get the police to do something. This bill is partly a result of her trying (and failing) to get the money back.

    And, for people like Will S. who have some disdain for people on food stamps – she is a person who is working, but many people who work still don’t earn a living wage. It’s hard to pull yourself up by your bootstraps when you’re wearing worn out flip flops.

  12. Happy Chick

    This seems like a great step forward in the right direction. From having no requirements to reimburse to having some and encouraging greater security measures.

  13. Priscilla

    I’ve been skimmed twice this year in January and March it just happened both times the transactions are in l.a. I’m in the Bay Area . I’ve used the card only at grocery stores and 7/11 I’ve come to the conclusion that 7/11s are where the skimmers are being placed be careful and change your pins before the first of the month,or when you receive your help(assistance)

  14. Paul

    “By changing PINs frequently, at least monthly, and doing so before benefit issuance dates”
    No one is ever going to do that.

Comments are closed.