Beware the New Generation of Card Skimmers
A new generation of skimmers that wirelessly transmit stolen data is stymying authorities and causing anxiety among credit unions and other card issuers anticipating upcoming EMV liability shifts at ATMs and gas pumps.
The skimmers use Bluetooth — a technology that lets devices communicate wirelessly when they’re within about 30 feet of each other — and they’re keeping people like Wisconsin Trade and Consumer Protection Division Administrator Frank Frassetto up at night.
Among other things, Frassetto's team enforces consumer protection laws, regulates business practices and tests gas pumps annually in the state. He said it got word last spring of wireless skimmers at Michigan and California gas stations; later, there was an incident in the Southeast. By August, they were in his backyard — an equipment technician doing routine maintenance discovered one at a gas station in Madison.
At that point state and city inspectors fanned out and began scrutinizing high-risk spots along area highways and interstates, Frassetto said. They found 16 more.
“It's a crime of opportunity,” he said.
Typically, skimming is a three-step process for criminals: Install the skimmer, wait for people to swipe their magnetic stripe cards, then take the skimmer out and download the data. But Bluetooth skimmers eliminate a big chunk of that work — criminals install the skimmer, then simply walk or drive near the device later to download the data. There's no need to break into the machine again and risk getting caught.
Although the percentage of EMV-chip cards has spiked in the last year, the fuel in the skimming engine is the magnetic stripe that appears on the back of those cards. And even though more retailers are using EMV terminals, there are two points of sale where the mag stripe is still king: ATMs and gas pumps. That makes them tempting targets for Bluetooth skimmers, which take only 30 seconds to install, according to Frassetto.
Prevention is difficult, too. Gas stations often have cameras, for example, but attendants at busy locations don't have time to stare at the feeds, Frassetto noted. Many gas stations also rely on alarms that alert station attendants if someone opens the panel at the pump — but states don't always require them, he added. Pressure-sensitive tape over the panel door is another option.
The Hope for EMV
“Unfortunately there's very little credit unions can do,” CUNA Mutual Risk Management Senior Consultant Robert Jarosinski said.
“Really what this boils down to is antiquated techniques by gas station pump owners, as well as not a whole lot of skin in the game to evolve or to change and to adapt to more secure technologies,” he said.
Jarosinski, who is also in Madison, Wis., happened to be one of the victims of the gas station skimmers discovered there over the summer.
“That's really the best that we have right now — a tamper sticker to notify the gas station attendant if it's been tampered. We’re going to need something a little bit more to stop that,” he said.
It's one reason he and many others in the industry are eyeing Oct. 1, 2017. That's when gas stations and ATMs will shoulder the liability for card-present fraud if they don't support EMV. (On Oct. 1, 2016, Mastercard began sending ATM owners the bill for fraud involving EMV-enabled cards used at ATMs that don't support EMV. Visa plans to make the same shift in October 2017.)
But there are some caveats. Like the previous EMV deadline, it's not a legal mandate; gas stations could decide it's cheaper to pay for fraud than install new readers. Additionally, the liability shift pertains to criminals who use fake cards for purchases at the gas station — not to criminals who steal data at gas stations, Jarosinski noted.
Credit union card issuers can't just limit card use at gas pumps, either. “The member-experience aspect is so important to credit unions, and it's difficult to find a rule to target fraudsters and target behavior [in a way] that doesn't impact them,” Jarosinski said.
Plus, it may not matter. “They would still swipe their card to attempt that purchase and then that data would be lost even though they didn't make that purchase,” he said.
“I think it's going to get worse before it gets better,” Jarosinski said.
“The power of EMV is really everybody doing it and getting to the point where we say goodbye to mag stripe,” he added.
It's clear some criminals agree with Jarosinski and have already set their sights on tackling post-mag-stripe technology. For example, a recent investigation by cybersecurity company Kaspersky Lab concluded that at least a dozen sellers are now offering skimmers capable of stealing fingerprints, and at least three are researching devices that can get data from palm vein and iris recognition systems. Kaspersky Lab also uncovered discussions in underground communities regarding mobile applications that thwart facial recognition systems by overlaying masks onto human faces.
Wisconsin Division of Trade and Consumer Protection Administrator Frank Frassetto offered some tips credit unions can share with members who want to avoid gas pump skimmers:
Don't use the pump furthest away — that one is easier to manipulate because it's the hardest for the attendant to see. Use the dispensers closest to the building instead.
Pay inside. Then you can avoid using the pump altogether.
Look at the key lock mechanism on the dispenser panel. If there are scrapes or signs of bending, alert the attendant.
Look for pressure-sensitive tape around the dispenser panel. If it's ripped, looks peeled off or cut, somebody's probably been in there.