Bank Info Security, Tracy Kitten
Tuesday, March 15, 2011
Pay-at-the-pump skimming is on the rise, and not just in the U.S. We can expect these skimming incidents to grow because gas pumps are easy targets.
Pay-at-the-pump skimming is a growing, global problem. And despite increasing publicity about identity theft and card fraud, little is being done to fix the pay-at-the-pump problem.
The European ATM Security Team reports that card skimming attacks at unattended gas pump terminals are up in 2011. Building on last year's rash of card-skimming attacks at gasoline pumps in Utah and Florida, more attacks have already been reported in 2011, this time in Arizona and Europe.
Tucson, Ariz., Police Sgt. Michael Garcia in early March told a local TV station that pay-at-the-pump skimming had been on the rise in Tucson since January, when police confiscated the city's first gas pump card skimmer.
Banks with more sophisticated fraud-detection solutions, such as Salt Lake City-based Zions ($50 billion in assets), have linked recent incidents of card fraud back to gas stations. But they can't control how -- or if -- station owners address the issue.
Last week, the European ATM Security Team reported that card skimming attacks at unattended gas pump terminals are up in 2011, despite Europe's migration toward EMV. "Although these are often not successful," EAST says, "six countries reported this form of attack, with two reporting increases."
In Europe, EAST notes that most skimming attempts are unsuccessful, because of EMV. That is, the cards can't be compromised in EMV-compliant countries, EAST says. Still, because of the lingering magnetic stripe on EMV cards, if mag-stripe details aren't turned off, skimmers can collect the stripe details from an EMV card and compromise that card in countries such as the U.S., where the mag-stripe is still commonly used.
Despite the evolution of the PCI Data Security Standard, clearly we have inadequate checks and balances for card fraud liability.
Jeremy King, head of European initiatives for the PCI Security Standards Council, says the council recognizes the problem and is addressing it through PCI PIN Transaction Security requirements. In May of 2010, PTS version 3 was released, including lines specific to security at unattended payment terminals such as pay-at-the-pump.
"The council reacted to this by actually creating and releasing what was at the time the Unattended Payment Terminal set of requirements, which looked at how to improve the security of this type of terminal," King says. "As we've moved into version 3 and created the PTS standard, a whole section about unattended terminals is being incorporated into the document."
In short, pay-at-the-pump terminals, King says, are designed to provide fuel. Payment and security were not at the forefront of thinking during manufacturing. So, the council is offering recommendations. "If you do not want to change your whole fuel pump, then there are now going to be solutions that will enable you to make the payment aspect more secure and up to the standard of PCI PTS," King says.
That's great. But what if station owners don't upgrade their systems? A liability shift has to come into play, somewhere.
These skimming incidents will continue because gasoline pumps are easy targets. Continued use of universal keys and codes to access pump enclosures makes them ideal, since fraudsters can hide skimming devices inside the enclosures, where they are undetectable, at least on the surface.
It's no wonder more than half of U.S. consumers cite card fraud as their greatest concern, according to a recent survey from ACI Worldwide. The survey includes responses from 4,200 consumers across 14 countries. In the U.S., 58 percent of consumers surveyed say they think card fraud is increasing.
Consumer perception is not far off from reality.