Card skimmers are targeting gas stations and older ATMs

ATM skimmers and gas pump skimmers are common ways for cyberthieves to steal credit and debit card numbers, and the problem isn't going away, said Scott Schober, a cybersecurity expert. The president and CEO of Berkeley Varitronics Systems, a New Jersey-based wireless security company, recently spoke with ATM Marketplace about some of the latest trends in credit card skimming. The following has been edited for clarity. 

Q. What are the trends? Where do we find skimmers?

A. In the world of ATMs, cyberthieves are most likely to go after the lone wolf in the field — the ATM in the corner of a restaurant, gas pumps at closed service stations or kiosks in the mall when foot traffic is light. They are less likely to target an ATM attached at a bank due to the possibility of cameras and live surveillance. 

However, the bad guys are still stealing our card numbers at the bank, increasingly at the point where you enter to use an ATM after hours.

The after-hours glass vestibules that house ATMs usually require an ATM card to unlock the door. The card slot that unlocks the door for customers could also contain a card skimmer. So, even before you hit the ATM, they are skimming your card, and virtually no one realizes that.

It is truly a devious way for criminals to compromise a card because they don't even have to touch the ATM. They'll pretend to be a service person accessing the door frame. That way, they can take their time installing a skimmer, because they don't look suspicious. Meanwhile, they are collecting cards all day long. 

Q. That's pretty scary. How long does it take to install a skimmer?

A. It varies greatly from location to location. For instance, if the company that installed the card reader used tamper-proof screws, then it is much harder for a crook to install a skimmer. But at older banks, ATMs with traditional card readers sometimes allow a thief to use a common Phillips screwdriver, making skimmer installation a trivial matter that takes only a few seconds.

Cybercriminals focus on the low hanging fruit — the older institutions, the smaller, community banks that don't have funds to spend on secure doors, cameras and the latest ATM security measures. But that is typical across the entire spectrum of cybersecurity. Thieves always aim for the easiest targets.

Q. What about EMV chips? Don't those protect against skimming?

A. Banks have issued EMV technology on our credit and debit cards, but the cards still have a magnetic stripe on them with the same card holder data as the chips — and therein lies the problem. There are just too many legacy magnetic cards and readers still in circulation, and no vendor is willing to lose a sale due to technology incompatibilities, even if a new technology bolsters security. Therefore, when you slide or dip your card into an ATM and there is a skimmer present, it pulls data tracks 1 and 2 from your card. The skimmer ignores the EMV chip entirely.  

Until the payment industry completely migrates away from magstripes on debit and credit cards, cybercriminals will continue to skim every penny they can. The payment industry needs to upgrade their infrastructure to accept EMV-only cards, but it will be many years before we see this transition. 

Q. I won't hold my breath. What are the other easy targets? 

A. U.S. gas stations are a unique problem in that many of them have not upgraded to support chip-and-pin security due to that fact that a Federal mandate has not been enforced yet. And that won't happen until probably late 2020. 

Gas pumps still rely on magnetic stripe technology to read our credit and debit cards. At the gas pump. in particular, there are about six different keys that open the vast majority of gas pumps coast to coast. Thieves can buy these keys on eBay or the dark web and then use one to open up the front panel of the gas pump and insert a bluetooth skimmer. It takes a skilled cyberthief about 15 seconds to plug that into the card reader, close the door and lock it. 

Once that's done, every time a card gets inserted into the pump, the skimmer is reading the magstripe, and later on, when the cyberthief returns, he or she can download the hundreds of cards stolen from that skimmer from the convenience of their car parked 75-feet away via bluetooth. 

Q. What about the PIN numbers?

A. If they want your PIN, they can use a hidden video camera or keypad overlay that records every button pressed, but in most cases, consumers use their credit card to purchase gas. 

Q. What about organized crime?

In more elaborate schemes, crooks will steal your card number and use it to burn a fresh card. They'll return to the gas station with a pick-up truck containing a 300-gallon bladder, fill it with gas and pay for it using your card number. Then, they drive around the corner where they meet up with a huge tanker truck and pump the fuel into it. That tanker truck then goes back to the same gas stations and resells the fuel for cash. 

This is happening throughout the country, but certain key states, like Florida, Texas, Arizona — and this is feedback from law enforcement — are more problematic than others. In New Jersey, we are not allowed to pump our own gas. There is always an attendant on duty, so there's less opportunity for a crook to plant a bluetooth skimmer unnoticed.

Q. How do you, as a card user, protect yourself?

A. Number one, always use cash at the gas pumps. You are statistically better off using pumps at the center of the station where there are more cameras and more activity. Also, be careful of service stations located off major highways and exits. These are often plagued with skimmers because people are usually in another state by the time they realize their card has been compromised. This makes the skimmer that much harder to trace. And finally, use stations you are comfortable and familiar with.