Blog
Gas pump skimming and ATMs
February 10, 2014 by atm Atom — blogger, atmatom
This month, the Manhattan District Attorney indicted four lead defendants on charges of skimming gas pumps to steal customer bank data, which was used steal and launder more than $2 million in cash at ATMs. While this is not an isolated case of debit and credit card compromise, the incident does offer some useful takeaways.
Magnetic stripe technology in the US remains a target rich environment for criminals.
"By using skimming devices planted inside gas station pumps, these defendants are accused of fueling the fastest growing crime in the country," said Manhattan District Attorney Cyrus Vance.
All of the lead and other defendants were of eastern European descent, supporting the theory that POS, gas pump and ATM fraud in Europe has been made more difficult following the adoption of EMV technology.
Now that Canada and Mexico have joined Europe, Asia and most of the rest of the world in adopting EMV, the U.S. clearly has a "fraud bull's eye" on its back. Some experts estimate that card fraud in the U.S. could easily triple from a base of $1 billion before EMV is fully implemented in the U.S. in 2017.
Unlike Target and Neiman Marcus breaches, this was a physical attack on gas POS devices.
According to court documents, the defendants used skimming devices to copy credit and debit card numbers and PINs at Race Trac and Raceway gas pumps in Georgia, South Carolina and Texas. These were not computer breaches; the thieves physically installed skimming devices in the gas pumps.
Apparently these skimmers were undetectable to victims who paid at the pump with credit and debit cards. The devices were also Bluetooth-enabled, meaning that the defendants did not have to retrieve the devices to obtain cardholder information.
In many cases the devices were left in place for months, yielding a bounty of customer card and PIN information. The ability to physically attach a skimming device to the inside of a gas pump should raise concern on the part of every U.S. ISO operating ATMs with factory locks and outdated security modules.
The scam took more than a year to uncover.
The thieves collected magnetic stripe and PIN data from gas pumps in the South; forged bank cards were manufactured on the East Coast. Cash was then withdrawn from ATMs in New York, deposited into the thieves' bank accounts and withdrawn from ATMs on the West Coast.
Unlike recent reported computer breaches, this scam went undetected for 13 months, causing fraud losses to mount over time.
By the time investigators were able to make arrests, the thieves had stolen more than $2 million. The case underscores the need for regular physical inspection of retail ATMs for installed skimming devices.
ATMs were once again the mechanism used to steal cash from compromised accounts.
Forged cards were used to make withdrawals from more than 70 bank accounts, all in amounts well under $10,000.
While ATMs were not the source of the breach, the fact that ATMs are often used to steal cash from compromised accounts should be of great concern to the ATM industry.
Unfortunately, guilt by association is likely to plague the retail ATM industry as fraud losses from card compromise and the resulting publicity continue to mount.
It might behoove the ATM industry to adopt an aggressive posture in proposing solutions to help combat U.S. card fraud.
The alternative is to pretend that the card schemes will continue to absorb magnetic stripe fraud losses and that Congress will continue to ignore the growing howls of pain from its constituents.
Read more about security.
This article has been republished from the Triton blog, atmAToM, with kind permission from Triton.
About atm Atom
Included In This Story
Triton Systems
Triton FI based products • NO Windows 10™ Upgrade • Secured locked down system that is virus/malware resistant • Flexible configurations - Drive-up and Walk-up • Triton's high security standards • NFC, anti-skim card reader, IP camera and level 1 vaults are all options • Triton Connect monitoring • Lower cost
