The Rippleshot Data Breach Blog

Gas Station Skimming Through the Roof

Written by Kaleigh Simmons | Feb 9, 2016 10:33:20 PM

We’ve long covered the issues with gas pump skimmers, and have consistently seen automated fuel dispensers (MCC 5542) show up in the most compromised merchant categories. But this history, combined with the extended deadline for gas stations to become EMV compliant, has led to them being an even bigger and easier target for hackers.

No financial institution, no matter which area of the country they’re in, is immune to these kinds of headlines, and they’ve only gotten worse and more prevalent over the last six months.

Feb 6: Kissimmee police to sweep city for skimming devices at gas stations [Orlando Sentinel]

Jan 29: Credit Card Skimming Device Found On Hingham Gas Pump [CBS Boston]

Jan 20: Gas pump 'skimmer scam' hits Oregon [KTVZ Central Oregon]

Jan 6: Another card skimmer found on gas pump in Ralston [Omaha.com]

Nov 20: Card Skimmers Found on Local Gas Pumps [Cincinnati.com]

Nov 20: Credit card skimmers a growing problem at gas pumps [The Detroit News]

Nov 13: Credit cards skimmer found at West Chester gas station [Journal News, OH]

Sept 2: Authorities search for suspects behind credit card ‘skimmers’ [Woodtv.com Grand Rapids, MI]

 

In an interview with NBC News in November, Craig VanBuren, director of the Consumer Protection Section at Michigan's Department of Agriculture, the agency in charge of inspecting gas stations throughout the state said, “It’s crazy. What we're finding since August has just really blown our mind."

Michigan isn’t alone. In Louisiana, according to a piece from the National Association for Convenience and Fuel Retailing, 25 skimming devices were recovered in the state since June of last year.

A recent report, Data Breach QuickView from Risk Based Security, found that of the top 12 organizations with multiple reported compromises last year, six are from convenience stores and gas stations. Shell Oil tops the list with 14 incidents in 2015, and 7-Eleven is right behind it with 13. Circle K Convenience Stores, Exxon Mobil, Sunoco and Marathon Petroleum Corporation round out the rest of the list.

While both gas pumps and ATMs have seen increases in skimming, many experts predict gas stations to be the primary target, because of the ease in which they can install the skimmer device.

Gray Taylor, a security and compliance expert with NACS, told Bank Info Security back in 2011 that many pumps are still tied to master keys that are easily purchased online by hackers. This statement is still largely true, unfortunately.

"There are 900,000 pay-at-the-pumps out there, and, literally, I have four keys in my desk that will open up every dispenser in the United States that has not been upgraded," Taylor said. "Today, you can buy new dispensers that have unique keys. The problem is doing something with the dispensers that are out there; getting these guys to upgrade."

While many financial institutions are manually focusing on trying to identify gas pump CPPs (common points of purchase), automated solutions can help detect the devices early on, before too many cards are used fraudulently. To learn more about how Rippleshot Sonar can help, click below: