Approximately 39 million Americans fill-up every day (with 29 million consumers paying by plastic) and fuel dispensers have become one of many targets for thieves looking to steal credit and debit card information by “skimming,” an aggressive tactic used to illegally obtain consumer card data for fraudulent purposes. Skimming occurs when a third-party card-reading device is installed either outside or inside a fuel dispenser, which allows a thief to capture a customer’s credit and debit card information to create counterfeit cards.
Skimming is one type of cardholder data theft and is different than data breaches, which is the physical theft of documents or equipment containing cardholder account data (cardholder receipts, files, PCs, POS terminals), or unauthorized access or deliberate attacks on a system or network environment where cardholder data is processed, stored or transmitted.
Skimming can occur at the point of sale or when a card leaves someone’s sight for a brief period of time. Fuel dispensers are among the potential targets for skimming. In these cases, a third-party card-reading device is installed either outside or inside a fuel dispenser, which allows a thief to capture a customer’s credit and debit card information.
There are three types of payment points most associated with skimming:
- Fuel dispensers: Convenience stores sell 80% of the gas purchased in the United States, and there are more than 122,000 convenience stores that sell fuel. The U.S. convenience store industry has 765,000 fuel dispensers (customers can fill up on each side of a dispenser) and approximately 1.45 million dispenser payment points.
- Restaurants and bars: An unscrupulous server can swipe a customer’s card in a skimmer in addition to swiping the card legally when taking payment. There are an estimated 600,000 restaurants in the United States.
- ATMs: Skimming devices can be attached to ATMs to gather card information. There are about 425,000 ATMs in the United States, and an estimated 150,000 at convenience stores. ATMs located outdoors and outside of a bank are potentially more vulnerable.
In total, these three areas above add up to roughly 2.5 million locations where skimming could be a potential concern.
The cost of skimming incidents goes beyond the monetary risk or cost at any location. These types of thefts often are very high profile, and companies that have been the targets of a data breach find that consumers are sometimes more hesitant to stop at their locations, whether or not the retailer was at fault. Just as consumers will treat a convenience store as “lucky” for selling a winning lottery ticket, they may also consider a store to be bad luck if it suffers a data breach.
Skimming equipment can be difficult to identify, especially when it’s hidden inside the dispenser. There are two types of skimmers:
External skimmers can be quickly installed by criminals who don’t need to gain access to the inside of a dispenser.
The most common technique used is a keypad overlay that matches up with the buttons of the legitimate keypad below it and presses them when operated, but records or transmits the keylog of the PIN entered by wireless. This device, or group of devices installed illicitly on an unattended location (typically ATM or gas dispenser) is colloquially known as a “skimmer.”
The criminals come back to collect the device, which now contains consumer data. Until the thieves collect the skimmer, data may not have been accessed. Therefore, it is essential that if a skimmer has been identified that it is not immediately removed. Retailers typically are told to take the dispenser offline and notify law enforcement, but to also keep the skimmer in place so that the criminals can be apprehended when they return to collect it.
Here are some things that retailers and consumers alike should look for related to external skimmers:
- Look to see if the keypad is raised to an unusually high level. While thin, the overlays will still be obvious if you look closely.
- Look to see if the keypad is secure. Overlays are typically secured with an adhesive and may be crooked or not adhered fully. They may feel loose compared to a proper keypad. Run your finger around the keypad to see if it feels right.
- Look for telltale visuals. If a keypad appears new yet the rest of the dispenser is weather beaten, that could be a signal a skimmer has been recently installed.
Internal skimmers are attached inside a fuel dispenser. They are more difficult to install and more difficult to notice.
Skimmers, formally called “portable magstripe readers,” are box-like devices usually 2 to 3 inches long. The can be purchased for about $400. Criminals can obtain a skimmer and preprogrammed laptop for about $1,000.
To install these skimmers, criminals need access to the dispenser. There are two methods to gain access. One is by using a key used to open the dispenser, but most criminals gain access by plying open the door. To do so, they often leave signs of entry, whether a panel door that appears misaligned after forced entry or telltale signs like scratches and other marks indicating forced entry.
To guard against this type of skimmer, retailers regularly inspect their dispensers to detect signs of entry. They may also use tamper-evident labels on door entries, which help identify potential security breaches if skimming devices are inserted at fuel dispensers. If the label is lifted to open a dispenser door and insert a skimming device, a “void” message appears on the label, providing a visual alert to store employees so that additional action can be taken. Because the labels clearly indicate that they prevent tampering, the labels also assure customers that their data is secure, and discourage criminals targeting the store.
If a customer believes that a dispenser may have been com¬prised, the first course of action is to treat the area as a crime scene. For one, don’t touch anything and alert the store staff so that they can immediately take the affected dispenser offline and contact law enforcement.
View additional NACS resources on skimming and payments security.