Skimming Survival Guide

Bluetooth, Cellular Skimmer

Skimming devices are used by criminals to obtain credit card numbers and cardholder information without the customer’s knowledge.  While skimming can occur at any point of sale (POS), it is most common at Automated Fuel Dispensers (AFDs). With the EMV liability shift at the forecourt just 18 months away, the window of opportunity for thieves to get this data is closing.

What is skimming?

A skimmer is a hidden device that reads a payment card's data as the customer swipes it.  Skimming can occur at any point of sale (POS), but it is most common at Automated Fuel Dispensers (AFDs): the card reader stands unattended on the forecourt, and the dispenser cabinet can be opened quickly by anyone with a key or a pry tool.

Modern skimmers capture not only the card number but the full track data encoded on the magnetic stripe.  The tracks include:

·        the primary account number (PAN)

·        cardholder name

·        expiration date

·        service code

·        the card verification value (CVV, the Visa name) or card verification code (CVC, the Mastercard name), a value the issuer encodes on the stripe so the network can tell a genuine swipe from a hand-keyed card number

The PIN is not encoded on the stripe; criminals capture it separately by pairing the skimmer with a PIN pad overlay (described below).  Likewise, the three-digit code printed on the back of the card (CVV2/CVC2) is not on the stripe and is not captured by a swipe.

Capturing the full track data, rather than the card number alone, makes the stolen card easy to clone or sell, and because the clone carries genuine track data, the fraudulent swipe looks like a normal transaction and is difficult to detect.

How does skimming work? 

While there are several different types of skimming devices, they all have the same objective: to steal customer card data.  When a card is run through a reader connected to a skimmer, the device captures, stores, and transmits the track data from the magnetic stripe on the back of the card.

Once the track data is obtained, it can be written to the magnetic stripe of a blank card, and the clone used to withdraw funds or make fraudulent purchases.

Types of Skimmers

Memory Skimmers—Memory skimmers are devices that store cardholder information to an internal memory chip.  These devices require criminals to connect the device to the dispenser and then return at a later date and time to retrieve it.  Stolen card information must then be downloaded from the device.  Due to advances in technology and the risk associated with returning to the scene of the crime, most crime organizations are shifting away from these types of devices.

Bluetooth/Cellular Skimmers—installed inside the dispenser, these devices siphon off card data from unsuspecting customers swiping their card at the pump.  The captured track data is then transmitted over Bluetooth or a cellular modem to a receiving device.  This gives thieves access to cardholder data in near real time and eliminates the need to return to the site to retrieve the device.

These devices are relatively inexpensive and easy to install.  An experienced criminal can open the pump and install a skimming device in less than a minute.

Card Reader Overlay—overlays are plastic devices made to look like legitimate POS equipment.  A card reader overlay attaches over the existing card reader and carries its own read head and Bluetooth component to capture and transmit cardholder data.  Card reader overlays can often be found by simply tugging on the card reader: a legitimate reader does not move.

PIN Pad Overlay—PIN pad overlay devices are made to be an exact replica in size, fit, and detail of your existing PIN pad.  These devices use a combination of batteries and flash memory storage to capture and store keystrokes (including the PIN) and card data.

Texting Skimmers—cellular-powered skimmers are a newer variation that sends stolen financial data via text message.  Skimmers tucked into gasoline dispensers have been used by criminals for years, but within the past 18 months this new variation has been discovered.

What to Look For

Here are some tips on what to look out for:

·        A vehicle parked at a pump for a long period of time (fraudsters usually target the pump furthest from the store).

·        The same vehicle returning to the same pump repeatedly.

·        Broken or missing security seals.

·        Cars blocking the view of a specific pump.

·        Customers using the “tag team” method—one customer will distract the employee while the other installs the skimmer or overlay.

How to Prevent Skimming

·        Employee awareness is key!  Make sure your employees know what to look for and are doing routine pump inspections (at every shift change).

·        Use pump security seals and keep a log tracking their status.

·        Place hologram stickers on the card readers inside the store so that an overlay covering the reader is noticed quickly.

·        Upgrade your pumps with a custom lock.  Many dispensers ship with locks keyed alike across a manufacturer's fleet, so the factory key is no obstacle to a thief.

·        Keep your canopy lights well-maintained and bright.

·        Install tamper alarms that disable the pump when the cabinet is opened.

Useful Resources

Security Seals and Holograms

Pump Locks

Pump Alarms

Pump Inspections

It is recommended that dispensers be inspected at every shift change.

Listed below are some best practices for your inspections:

·        Take a picture of the inside of the dispenser when no skimmer is present to use as a point of reference.

·        Use a phone or laptop to scan for Bluetooth devices near the forecourt and look for one named HC-05, the default name of the cheap serial-to-Bluetooth module used in many reported pump skimmers.  Treat a match as a reason to open and inspect the dispenser, not as a verdict: the same module is common in hobby electronics, and a skimmer using a renamed module or a cellular modem will not show up in the scan at all.

·        If using an Android device, download the Skimmer Scanner app to search for unusual connections.  For iOS devices a Skimmer Scanner app is also available for download.

·        Look through both the front and back of the dispenser.  Fraudsters are opening the dispenser on one side and installing the skimmer on the other, making them harder to detect.

·        Compare the serial number on the current security seal to the last serial number recorded on the pump.

·        Replace any damaged or torn security seals.

·        Utilize the three-point method (placing the security seals in three distinct places on the dispenser door).

·        Check all inside store devices to ensure the hologram is still visible.

·        Should you find something suspicious and are unsure of what it is, please call your technician. 
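The Bluetooth step above can be made repeatable rather than left to eyeballing a phone's device list.  The following is an added example, not code from the original guide or from any skimmer-scanner product.  It layers a name filter (HC-05 and its sibling HC-06, the default names of the serial modules) with the behavioural probe that the open-source SparkFun Skimmer Scanner app is documented to use: after pairing with the module's default PIN 1234, send the byte `P`; skimmer firmware that answers `M` has fingerprinted itself.  The scan results, addresses and serial links below are constructed so the script runs offline; the `connect` callable, `Device` and `sweep` names are this example's own.

```python
"""Bluetooth triage for a dispenser inspection (added example, not from the guide).

Layer 1: name filter for the HC-05/HC-06 serial modules seen in reported skimmers.
Layer 2: the SparkFun Skimmer Scanner probe, send b"P" and treat b"M" as the
skimmer fingerprint.  All scan data and links here are constructed for offline use.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Protocol

SUSPECT_NAMES = {"HC-05", "HC-06"}   # default advertised names of the cheap modules
PROBE, FINGERPRINT = b"P", b"M"      # Skimmer Scanner's P -> M handshake


@dataclass(frozen=True)
class Device:
    addr: str   # Bluetooth MAC as reported by the scan
    name: str   # advertised friendly name, "" if none


class SerialLink(Protocol):
    """Minimal RFCOMM-like transport: write bytes, read up to n bytes."""
    def write(self, data: bytes) -> None: ...
    def read(self, n: int) -> bytes: ...


def triage_scan(devices: List[Device]) -> List[Device]:
    """Layer 1: keep only devices whose advertised name matches a known module."""
    return [d for d in devices if d.name.strip().upper() in SUSPECT_NAMES]


def probe_link(link: SerialLink) -> bool:
    """Layer 2: send 'P'; a one-byte reply of 'M' is the skimmer fingerprint."""
    link.write(PROBE)
    return link.read(1) == FINGERPRINT


def sweep(devices: List[Device],
          connect: Callable[[str], Optional[SerialLink]]) -> Dict[str, str]:
    """Combine both layers into a per-device verdict.

    Verdicts are deliberately conservative: a name match alone means "inspect"
    (HC-05 is also common in hobby electronics), and a device missing from the
    scan proves nothing, since renamed modules and cellular skimmers never appear.
    """
    verdicts: Dict[str, str] = {}
    for dev in triage_scan(devices):
        link = connect(dev.addr)
        if link is None:
            verdicts[dev.addr] = "inspect: suspect name, could not connect"
        elif probe_link(link):
            verdicts[dev.addr] = "skimmer fingerprint: open dispenser, follow IR plan"
        else:
            verdicts[dev.addr] = "inspect: suspect name, no fingerprint"
    return verdicts


# --- constructed test doubles (not real scan output or real firmware) --------
class FakeSkimmerLink:
    """Emulates skimmer firmware: answers 'M' to 'P', silence to anything else."""
    def __init__(self) -> None:
        self._out = b""
    def write(self, data: bytes) -> None:
        self._out = FINGERPRINT if data == PROBE else b""
    def read(self, n: int) -> bytes:
        out, self._out = self._out[:n], self._out[n:]
        return out


class FakeEchoLink:
    """Emulates an HC-05 wired to a hobby board that simply echoes input."""
    def __init__(self) -> None:
        self._out = b""
    def write(self, data: bytes) -> None:
        self._out += data
    def read(self, n: int) -> bytes:
        out, self._out = self._out[:n], self._out[n:]
        return out


SAMPLE_SCAN = [                      # constructed addresses and names
    Device("00:11:22:33:44:01", "Pump6-Payment"),
    Device("00:11:22:33:44:02", "HC-05"),
    Device("00:11:22:33:44:03", "hc-06"),
    Device("00:11:22:33:44:04", ""),
]

SAMPLE_LINKS: Dict[str, SerialLink] = {
    "00:11:22:33:44:02": FakeSkimmerLink(),
    "00:11:22:33:44:03": FakeEchoLink(),
}


def demo() -> Dict[str, str]:
    """Run the sweep over the constructed scan; dict.get returns None if no link."""
    return sweep(SAMPLE_SCAN, SAMPLE_LINKS.get)


if __name__ == "__main__":
    for addr, verdict in demo().items():
        print(addr, "->", verdict)
```

On a real forecourt the `connect` callable would pair with PIN 1234 and open an RFCOMM socket to the device (for example PyBluez's `bluetooth.BluetoothSocket(bluetooth.RFCOMM)`), and the scan list would come from the phone's or laptop's Bluetooth discovery.  The important design point is the verdict wording: a Bluetooth hit tells you which dispenser to open first, and a clean scan never excuses skipping the physical inspection.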

What to Do if You Find a Skimmer?

Even the most vigilant locations can be hit with a skimmer.  If a skimmer is found, you must be ready to respond immediately.  Begin by following your Incident Response Procedures, which are required to be readily accessible on site under PCI DSS Requirement 12.10 (incident response plan).  That plan should already name who to notify: your technician, law enforcement, and your acquirer and the payment brands.

Again, Ewing Oil would like to remind you that as a merchant you are required to adhere to PCI data security compliance.  It is crucial that you complete the PCI Self-Assessment Questionnaire (SAQ) annually and undergo quarterly external vulnerability scans by an Approved Scanning Vendor.  You must uphold your PCI compliant status at all times.