Being able to pay by credit or debit card at the the gas station is a nice convenience. But when you swipe your card at the pump, you actually may be handing crooks what they need to steal money from your bank account at an ATM or go on a spending spree on your dime.
Credit card skimmers that thieves install where you swipe your card to pay at the pump can copy the account data from the magnetic stripe on the back of your card, along with your PIN if you type that in for a debit card transaction. In fact, what crooks prize most is capturing debit card data complete with PINs so they can make counterfeit cards to withdraw cash from your account at ATMs. “It’s an easy way to steal money with no guns or blood involved, and it’s also more lucrative than stealing credit card data to sell on the black market,” says Avivah Litan, a senior analyst at Gartner Research who specializes in fraud detection and prevention.
Just how lucrative? Two men indicted in July for a credit card skimming operation they set up at Murphy’s gas pumps in the parking lots of Walmart retail stores in Arkansas, Oklahoma, and Texas raked in $400,000 from April 2012 to January 2013, according to court documents filed in U.S. District Court for the Eastern District of Oklahoma. (This
illustrates how widespread card fraud is nationwide.)
The defendants, Kevin Konstantinov and Elvin Alisuretove, would leave skimmers in the gas pumps for one or two months, then retrieve them and wait another month or two before transferring the skimmed card information onto counterfeit cards they then used to withdraw cash from multiple ATMs, according to the court documents. On a single day in September 2012, for example, they used 75 counterfeit debit cards containing account data they’d obtained from gas pump skimmers to withdraw $45,280 from ATMs in the Oklahoma City area, the indictment states.
Criminals running skimming operations have been improving the technology they use to make stealing card data even easier, so card issuers and gas station owners need to step up their game to fight back, security experts say. Many different gas pumps can be opened with the same master keys, so crooks need only get copies of a limited set of master keys to get into pumps to install skimmers. Increasingly, they are using wireless internal skimmers that transmit the card data to them via Bluetooth devices, so they don’t even have to take the risk of retrieving the skimmer from the pump to download stolen card data.
“They just need to be within 30 feet of the skimmer, so one guy can go in to buy a Slurpee and distract the clerk while his partner sits in their car near the pumps downloading all of the stolen card data,” said Al Pascual, senior analyst of security risk and fraud at Javelin Strategy & Research.
Some gas stations are beginning to upgrade to pumps that have payment terminals equipped with antitampering devices, but that change is only occurring gradually because upgrades can cost $4,000 to $12,000 per pump, according to Litan.
How to minimize risks posed by debit and credit card skimmers
- To totally avoid becoming a skimming victim at the pump, use cash when you buy gas, which also should knock down the price per gallon you’ll pay.
- Use a credit card rather than a debit card at the gas pump, and preferably one that provides an attractive cash-back rate for gas. It's rare to see a lower price at the pump for debit-card transactions compared with credit-card transactions, according to Jeff Lenard, spokesman for the National Association of Convenience Stores. While some stations offer discounts both for cash payments and PIN-based debit transactions, Lenard said in most cases, discounts apply only when you pay with a specific convenience store’s debit cards tied to a loyalty program, such as those offered by the Savannah, Georgia-based Parker’s chain.
- If you must use a debit card, never type in your PIN. Instead, select the option on the screen that allows you to have your debit card purchase processed as a credit card transaction. The purchase still is debited from your checking account, but you won’t need to enter your PIN, which is what the bad guys need to withdraw cash from your account at an ATM.
- Monitor your bank and credit card accounts regularly to spot unauthorized charges or cash withdrawals and report them immediately. Under federal law, delays in reporting fraudulent transactions can increase your liability for losses. For more details on your legal liability for fraud-related losses on credit and debit cards, see this helpful advice from the Federal Trade Commission.
—Andrea Rock Why the U.S. has become a magnet for ATM and credit card skimming
The credit and debit cards most Americans use rely on decades-old technology that makes them susceptible to being skimmed and counterfeited. In most cases, your credit- and debit-card account data is stored unencrypted on a magnetic stripe on the back of each card, which thieves can easily and cheaply copy.
But most other countries in the world now use or are shifting to Europay MasterCard Visa “smart cards,” which have multiple layers of security to prevent skimming, starting with a computer chip in each card that stores and transmits encrypted data. In the first year after EMV cards were introduced in France in 1992, total fraud losses there dropped by 50 percent, and card counterfeiting fell by 78 percent.
Because of U.S. banks’ continued reliance on outdated magnetic-stripe technology, America now has become the prime target for organized criminals who run skimming operations. A European ATM Security Team report released in July found that ATM-related fraud continues to migrate away from countries using the more secure EMV card technology, while the U.S. is the top location for ATM-related fraud losses, followed by the Dominican Republic, Brazil and Thailand.
“As long as the shift to EMV is being put on the back burner in the U.S., we’re going to continue to attract criminals from overseas who are withdrawing millions in cash-out fraud at ATMs in the U.S.,” said a Javelin security analyst, Al Pascual.
For more on the skimming risks you face and why U.S. banks have been slow to update to more secure technology, read "
House of Cards
" and watch our related video (from 2011) at the bottom of this page.
The map here identifies card-fraud hotspots, where the actual theft of card and PIN data occurred in 2012. It is based on data from FICO Card Alert Service, which analyzes more than 65 percent of all ATM transactions in the U.S. each day. "Criminals engaged in card fraud are migratory and while they still are spending a lot of time hitting locations in the Northeast, we're also currently seeing an increased amount of skimming and other card fraud occurring in Southern California and Florida," says John Buzzard, client-relations manager at FICO Card Alerts. Click on your state to see how prevalent card fraud has been or on the hot spots for more details about where these crimes most often occur.—A.R.
Consumer Reports has no relationship with any advertisers or sponsors on this website. Copyright © 2007-2013 Consumers Union of U.S.