The National Association of Convenience Stores reported last week that credit card skimming has become epidemic. To fight back, the organization issued a release saying that it will be working to educate retailers about master-key vulnerability as part of its WeCare campaign to educate retailers on best practices and provide new tools to detect ATM and gas pump tampering. Current practices gas stations use to protect pumps from having skimmers that can steal credit card information installed still leave them vulnerable by design, Gary Taylor, an expert at NACS told BankInfoSecurity.com.
“There are 900,000 pay-at-the-pumps out there, and, literally, I have four keys in my desk that will open up every dispenser in the United States that has not been upgraded,” he told the Web site. The keys can be used to open pay-at-the-pump stations to install internal skimmers.
Newer pumps are made with individual keys, but many existing pumps are still vulnerable. Some gas station operators are reluctant to upgrade their pumps because local fire departments have to keep copies of these master keys to shut off pumps in case of emergencies, the NACS release states.
The WeCare initiative offers tamper-evident labels that can help retailers notice altering of ATMs and gas pumps. If lifted or broken, a “void” message appears on the label.
In a NACS video interview, Zac Stoner, a manager at oil technology company Gilbarco Veeder-Root, explains ways for retailers to spot skimming devices on their equipment. One way to spot a skimmer is the condition of the card reader. Card readers are always outside and exposed to the elements. A brand new, glossy-looking card reader could mean the reader was replaced with a skimmer. The wear on all readers should be similar.
Skimmers are slightly bigger than a normal card reader; however, the difference is so subtle that an everyday customer most likely won't notice. Still, a store manger should, Stoner said.
Stoner also said keypads on gas pumps and ATMs should be flush with the rest of the pump. If a keypad is raised or a card reader isn’t flush or seems to fit in the pump differently, there’s a good chance it could be an overlay skimmer. Overlays are housings that fit over existing keypads and card readers to record information.
Another type of skimmer is a small video camera placed above ATM card readers that records people entering their PIN numbers. A blog post from The Consumerist provides pictures of some of the most common types. They’re almost impossible to spot by a person who usually stops by an ATM for less than a minute.
The data can be transmitted to someone nearby via Bluetooth, but most of the time, thieves have to come back to the site to retrieve the information from the device. If a retailer finds a skimmer on one of the pumps, Stoner said, they shouldn’t remove it and should call law enforcement.