Fraud at the pump… Don’t be a victim of skimming!

Just think about that ominous day when you log in to your bank or credit card account only to discover that somebody else is spending your money. You may even notice that most of these charges seem to be coming from a variety of gas stations hundreds or thousands of miles away. How did this happen? Well, chances are you were one of 8 to 12 million victims of ID theft each year. Specifically, you were a victim of “pay at the pump” gas pump skimming: the act of capturing the magnetic data on your credit card to create another card. We’ll tell you how this happens, and give you a few suggestions to help make sure you aren’t a victim.

There are many different ways a thief can capture your card data. They may build elaborate facade devices that fit over ATM card scanning openings, or the thief may be a dishonest retailer or employee who scans your card for the sole purpose of harvesting your credit card information. But in the case of gas pump card skimming, this can all happen without you, the retailer, or their employees having any idea that anything is wrong. What the thief does is put a skimming device in the actual pump. So when you insert your card, you purchase the gas as usual, and they get your data. But how could they possibly do this?

Capturing your credit card data

This skimming device is placed inside the gas pump and captures your card data.

Two things make this kind of ID theft possible. The first is that not all gas pumps are PCI DSS (Payment Card Industry Data Security Standard) compliant. It’s this standard that Visa, Mastercard, American Express, Discover, etc. require of merchants and manufacturers, and it aids in the prevention of such crimes. The PCI standard requires that the information on the magnetic stripe on your credit card be encrypted at the point of scan/swipe. This just means that the scan device (where you put your card) jumbles your card data immediately and that it remains “jumbled” until it hits the processing agent, where it’s “unjumbled.” If a thief were able to capture this data, it would be a useless jumbled mess. So, in the case of pump skimming, the thief may naturally prefer a non-PCI compliant pump.

What also makes this possible is the actual security of the gas pump, or lack thereof. The locks on the gas pumps are pretty common. While the merchant may have a key, the primary key holders are those who need access for maintenance purposes. And there’s no way those support individuals can manage thousands of keys for the various stations they support. So there are a handful of master keys that can work virtually anywhere. If a skimmer has access to the pump, they can simply open the pump, place a skimming device inside, and lock it back up. They just unsnap the cable that goes to the card scanner, and snap their skimming device between the original cable and the card reader. There are versions of the skimming devices that can reside in the pump for days or weeks, just collecting the card data. Then they’ll come back, pick up the device, and export all the card information. There are even some skimming devices that can be accessed wirelessly for a real-time download of the data. In this case, they don’t risk coming back.

The sharing (and profiting) of your credit card data

An example of a card encoder with blanks. Often used for security cards, hotel keys, etc.

The skimmers don’t always use the card data themselves. They make their money by selling the credit card information to others. This is often done in various exchanges where they’ll offer the details of hundreds or thousands of credit cards for a certain price. A special premium is paid for any group of cards that hasn’t been previously sold. The buyer of the card data can then take this data and make a new card. Actually, what they do is transfer the card data to what is often referred to as a “blank.” Basically, it’s the same kind of card you might use for security access or a hotel key: any card that can hold the three tracks of magnetic data as required by a credit card.

There’s nothing really magical about this side of the crime. Card encoders and bulk blank cards are readily available. Your credit card information has now been duplicated on a blank white card with no numbers, colors, holograms, or security codes. Again, those that make the cards might not use them, but they will sell them, often individually. The trick of course is where can they use a simple blank white card to make a purchase? Where can they make a charge without someone asking to see the card? Yep, right back at the gas station. And this is why many of the counterfeit cards are often associated with gas station purchases, as there’s nobody that will see this fraudulent card.

How to avoid becoming a victim

Perhaps the most obvious suggestion is simply to pay cash for your gas. But we know this isn’t always possible, as in some cases there might not even be an attendant to take your money. Not to mention, it’s not convenient for most of us. With that said, here are a few things you can do to help avoid the damage associated with pump skimming.

  • Try to use the pumps closer to the attendants whenever possible. Those that break into the pumps will often choose pumps that are hard for the attendant to see. Often times they’ll pull up in a van with side doors which they’ll swing open, virtually blocking anyone from seeing what they are doing.
  • Pay attention to the various stations you visit. Many merchants will put “seals” on the pumps which make it easy to spot possible breaches. Many also have cameras on each of the pumps. You may be well served by frequenting an establishment that has taken steps such as these.
  • Don’t use your ATM card. It’s probably a good deal easier to dispute charges associated with your credit card vs. your debit card. At least if charges are applied to your credit card, you can dispute those without paying for them. But with your ATM card, the money is “gone” until you get it back.