According to the Federal Trade Commission, 19 Americans fall victims to identity thieves every minute. Javelin Strategy and Research released its 2016 Identity Fraud Study, and found that $15 billion was stolen from 13.1 million U.S. consumers in 2015.
Credit card fraud is the second most frequent means of stealing from consumers, and perpetrators are getting trickier all the time. This animated GIF shows one way that sophisticated identity thieves are jacking your credit card data from a card reader at a gas pump. We talked to an expert to figure out how it’s done, and what to look for.
“These folks are very smart and have some skills,” says our anonymous pal, an IT professional specializing in security. “They have little home manufacturing facilities for different types of fakes.” He says that typically, thieves like this will set up a tiny shop to steal credit card data focused on one retail outlet. “They make them to work over all the cash machines for one local bank.” In the case of the animated GIF, it’s a card reader that slightly modifies the reader for a certain type of gas pump, so that they look completely normal.
For example, the device below showed up on Krebson Security’s blog, marketed to thieves and customized specifically for Exxon stations. The device sells for about $2,000.
“These things just read the card as it goes by,” he says. “They don’t interfere with the machine underneath reading it and thus making a transaction.” The magnetic stripe simply swipes past a secondary reader so that thieves don’t have to mess with the electronics inside the machine. “Though I remember a few years ago somebody actually put them IN some machines,” he says.
Gas pumps are still particularly susceptible to credit card skimmers, for a few reasons. First, the technology is now readily available. Devices like this used to be huge and bulky, and the critical bits weren’t readily avaiable. “They’re really easy to make,” our consultant says. “It’s pretty much a small battery, a mag reader and some sort of memory to store all the data. The tech is available over the counter all over the place. It’s no different than any swipe card reader USB you can get for $10. It’s just removed from its container and rewiggled into whatever shape they want.”
Second, EMV — or “chip card” — technology is still relatively new, and gas stations got a temporary reprieve from mandatory updates. Remember, paying at the pump is a relatively recent phenomenon. It wasn’t until 2002 that 80 percent of the convenience industry invested the billions required to add card readers at the pump. Changing all those readers requires another hefty investment, and the industry has until October of 2017 to update.
Third, consumers have become complacent about using credit cards at the pump in the last 20 years. You jam your card home and punch in your PIN without even thinking about whether the card reader looks suspicious. As Lt. John Faine, criminal investigations section commander in Warren County Sheriff’s Office, Lebanon, Ohio, told CreditCard.com, “People have so many things on their mind — they don’t notice.” When questioned after suspicious charges appeared on their card, Faine says that victims often report “a weird feeling, like the slot had been tampered with. It wasn’t noticeable when it happened, but after the fact, they said, ‘You know what, it did feel like something was off when I put my card in.'”
How do you avoid getting ripped off at the pump? It’s not necessarily convenient:
- The best way to avoid being skimmed is to pay inside. As easy as it is to piggyback a skimmer on an outside card reader, doing it inside the store is a whole different matter.
- Use cash.
- Look for any anti-tampering seals on the pump, but this is a voluntary program on the part of the convenience industry and not every filling station will have it.
- Choose a pump close to the building.
- Monitor your accounts for suspicious activity.
If you think your card has been compromised, immediately contact the bank that issued your card. File a police report with your local police department. It’s not necessary to file it in the location where you suspect the theft happened. Be sure to get a printed copy of the police report, along with one to send to the bank.