As payment technology evolves, so do the techniques of hackers. Gas station skimming fraud has been one of the hot topics that continually lands on the list of the latest ways fraudsters compromise payment card data at the pump. It is going to remain a major topic of discussion across the financial services ecosystem long after the EMV deadline sets in for gas stations in October 2020.
This week, reports surfaced about gas station skimmer fraud. The issue made headlines after Krebs on Security reported on a memo sent out by the U.S. Secret Service. Krebs initially reported that the skimmers discovered were part of new Bluetooth and SMS technology that was being used to steal payment data from consumers' devices. Krebs updated his report to include some clarifications after getting more information from sources close to the matter. He concluded that skimming fraud did occur, but not through SMS-enabled devices.
What Krebs on Security's latest report now indicates is that this type of skimming fraud — particularly through Bluetooth technology — isn't a new concept, but is certainly a trend worth paying attention to. The original report on this subject from Krebs indicated that a "new breed of credit card skimmers" was being installed at the pump. Krebs later updated the story to reveal that this "new breed" wasn't quite what it appeared. Yes, new incidents of skimming fraud continue to be discovered at gas stations, but not through new physical devices that steal data via SMS/Bluetooth technology.
Krebs did a little more digging into this latest discovery and suggested that the credit card data was stolen using Bluetooth technology, but that the theft wasn't connected to SMS texts as originally reported.
"It was true that there were multiple gas pumps at the station that were internally compromised with Bluetooth skimming devices," Krebs noted. As for new devices? He's not convinced hackers are actually using SMS-based skimmers. At least for the time being. Stolen payment data at the pump will likely continue to be a prominent storyline as mobile payment technology becomes more widely used among consumers at the pump.
To keep up with evolving payment technology, gas stations have begun to add contactless payment capabilities at the pump. This is also being done in an effort to thwart the old-school pump skimmers that compromise traditional magnetic stripe and EMV chip card payments. In light of this new report, it appears that some security gaps exist within NFC technology, giving fraudsters opportunities to compromise payment data associated with these devices.
The Rise of Gas Station Skimming Fraud
In our State of Card Fraud 2018 white paper, we identified gas station skimming fraud as a prominent trend in the fraud ecosystem that is going to continue to plague the financial services industry.
What we noted last fall is that since the EMV chip card compliance deadline isn’t until October 2020 — roughly five years after the liability shift was implemented for merchants — this gap has left gas stations in the fraud spotlight. In fact, a single compromised pump can capture data from roughly 30-1010 cards per day. One Secret Service investigation alone last year led to the discovery of 59 skimmers at 85 station locations in 21 states.
Skimmers have been a rapidly growing problem due to tech advancements that have allowed them to be designed slimmer than a credit card — and cheaper to produce. Fraudsters’ ability to insert them seamlessly into machines with less obtrusive methods has led to an uptick in concern from issuers about how to proactively confront this expensive problem.
Stolen payment data from credit/debit cards is used quickly and often sold on the dark web. This accelerates the speed at which fraud spreads and only exacerbates payment breaches. This will continue to get worse as fraudsters learn how to exploit new payment technology trends — including payment via mobile devices and Bluetooth.
What FIs Can Do About the Rise in ATM Fraud Attacks
The rise in ATM fraud has forced banks and credit unions to implement better fraud controls and continually upgrade their security features in order to think smarter about their fraud management strategies. What banks must consider is relying on fraud alerts that detect breaches in a matter of minutes and hours — instead of days and weeks.
Solving ATM fraud has become a 2 billion-dollar question (the impact of ATM skimming on a global scale). Getting to the bottom of ATM fraud means having a better understanding of how fraudsters think, how quickly they act and what payment channels they are targeting most.
ATM fraud, in particular, is evolving at a rapid pace. Banks are using new tools to fight fraud, but fraudsters are moving faster. Banks typically have less than 48 hours after an ATM compromise before money is out the door. Banks need to quickly identify compromised ATMs and cards to get a handle on the scope of the problem — a process that can take weeks. Weeks isn't good enough when a problem needs to be solved in less than two days.
When an ATM breach transpires, fraud occurs within 48 hours. The end cost of a typical breach can be a loss of $250,000. FIs must leverage sophisticated data-driven fraud detection techniques to get ahead of the problems before they spread. Being reactive, instead of proactive, in today’s fraud-filled world will always leave financial institutions playing catch-up with the fraudsters.
What banks and credit unions really need is the ability to be alerted quickly if an ATM skimmer is in place. This is where the physical boundaries of ATM anti-skimming devices have their limits. Relying on machine learning and advanced analytics is the only way to detect skimmers faster and more effectively.