We reported on ATM Card Skimmers in the past. It was amazing to most readers (me too!) how “normal” the addition of a card skimmer on your average ATM looks. Of course they are manufactured to slip onto the equipment unnoticed, but there is always that hope that you are attentive enough to catch such a thing.
Unfortunately it looks like a rash of ATM card skimmer crime is going on across the country right now (Florida and 180 stations in Utah) and has become much more advanced than the previous “slip on” remote cameras that are easier to spot and detach.
As it turns out, the surprisingly near-sighted companies that manufacture the gas pumps and ATM card reading equipment use a single-key approach, where one key opens all the god-forsaken machines. How is it that in 2010, when we bank online, identity theft is rampant and we’ve seen theft performed in every way possible, there is still a highly technical industry out there, servicing the country’s infrastructure, that isn’t smart enough to figure out that a single key opening the gas pumps isn’t a good idea?
Even though this design exhibits severe negligence on the part of the gas pump producer and the implied promise they make to us as consumers to at least make an attempt at keeping our electronic banking information safe, they will never be held accountable. If your information is stolen and used, well, that’s your problem. You shoulder the burden of proof, the time and costs associated with that.
There is something wrong with this picture.
So what these scammers have been doing is rolling into gas stations late at night, opening the machines with the single manufacturer’s key, and then wiring up an additional card reader and Bluetooth transmitter inside the machine, so you have no hope of noticing whether you are using a compromised machine or not.
Card skimmers installed inside the pumps aren’t just a few concealed cases; it’s a rampant issue, with most of the 180 compromised machines found in Utah using that technique. I would expect that I’ve likely used a few compromised pumps by this point, and I have no idea whether at some point in the future I’ll get surprise charges on my card from Uzbekistan.
It looks like being vigilant and checking the device you are using isn’t enough if the weakest link in the security-chain is the company that produces the device you are using in the first place. Here are a few ways you can make sure to avoid getting your card stolen by a card skimmer:
- Pay inside. There is a very low likelihood that anyone came inside the gas station and hacked the credit card machine sitting at the counter (thanks Nick!)
- Sign up for and use gas-station-specific “Fast Pass” or “Fast Pay” dongles that you can add to your keychain. This helps you avoid using your ATM or credit card altogether.
Regardless of the strategy you employ, being vigilant and watching your ATM charges and credit card charges closely is always important. Also try to avoid using pumps, ATMs and other electronic payment devices that are in disrepair or in poorly monitored areas, like the dark back corner of a store, where it would be easy for someone to slip a device out of their backpack and fit it onto a machine when not being watched.
Try and use devices that are sitting front and center by an attendant and would be high risk for someone to come in and try and modify.
At least we can lessen our chances.
Update #1: As Nick correctly points out in the comments, walking inside and paying there instead of at the pump is a way to avoid getting caught by a card skimmer.
Update #2: In addition to Nick’s suggestion, I would say that those gas-station-specific “Fast Pay” dongles you can get are always a way to avoid getting your credit card snagged.
Update #3: I have gotten into the habit of grabbing the card slot on the machines and jiggling or pulling on it to see if it comes off.
It is far from sure-fire, but on the off chance that the adhesive has started to degrade, the whole panel might come off, revealing a card-skimming machine and keeping you safe.
This does not protect you against the more advanced cases where the machine itself has been compromised as described in this article though, and that is unfortunate.