Being able to pay by credit or debit card at the the gas station is a nice convenience. But when you swipe your card at the pump, you actually may be handing crooks what they need to steal money from your bank account at an ATM or go on a spending spree on your dime.
Credit card skimmers that thieves install where you swipe your card to pay at the pump can copy the account data from the magnetic stripe on the back of your card, along with your PIN if you type that in for a debit card transaction. In fact, what crooks prize most is capturing debit card data complete with PINs so they can make counterfeit cards to withdraw cash from your account at ATMs. “It’s an easy way to steal money with no guns or blood involved, and it’s also more lucrative than stealing credit card data to sell on the black market,” says Avivah Litan, a senior analyst at Gartner Research who specializes in fraud detection and prevention.
Just how lucrative? Two men indicted in July for a credit card skimming operation they set up at Murphy’s gas pumps in the parking lots of Walmart retail stores in Arkansas, Oklahoma, and Texas raked in $400,000 from April 2012 to January 2013, according to court documents filed in U.S. District Court for the Eastern District of Oklahoma. (This interactive map
illustrates how widespread card fraud is nationwide.)
The defendants, Kevin Konstantinov and Elvin Alisuretove, would leave skimmers in the gas pumps for one or two months, then retrieve them and wait another month or two before transferring the skimmed card information onto counterfeit cards they then used to withdraw cash from multiple ATMs, according to the court documents. On a single day in September 2012, for example, they used 75 counterfeit debit cards containing account data they’d obtained from gas pump skimmers to withdraw $45,280 from ATMs in the Oklahoma City area, the indictment states.
Criminals running skimming operations have been improving the technology they use to make stealing card data even easier, so card issuers and gas station owners need to step up their game to fight back, security experts say. Many different gas pumps can be opened with the same master keys, so crooks need only get copies of a limited set of master keys to get into pumps to install skimmers. Increasingly, they are using wireless internal skimmers that transmit the card data to them via Bluetooth devices, so they don’t even have to take the risk of retrieving the skimmer from the pump to download stolen card data.
“They just need to be within 30 feet of the skimmer, so one guy can go in to buy a Slurpee and distract the clerk while his partner sits in their car near the pumps downloading all of the stolen card data,” said Al Pascual, senior analyst of security risk and fraud at Javelin Strategy & Research.
Some gas stations are beginning to upgrade to pumps that have payment terminals equipped with antitampering devices, but that change is only occurring gradually because upgrades can cost $4,000 to $12,000 per pump, according to Litan.