Pay-at-the-Pump Skimming on TrialHawaii Case Showcases Response to Fraud Trend
Ariak Davtyan, 45, of Los Angeles, was extradited from California in early May on three counts of first-degree identity theft, after allegedly stealing more than $150,000 from six Hawaii financial institutions using credit and debit card information stolen from 156 consumer accounts. The modus operandi of the attack: Fraudsters allegedly used a master key to open the gas pump enclosures and then attached electronic skimming devices.
The widespread use of universal gas keys at pay-at-the-pump terminals is a known vulnerability, says Nicole Sturgill, research director at financial consultancy TowerGroup. Easy access makes self-service gas terminals easy targets. [See Pay-at-the-Pump Card Fraud Revs Up and Pay-At-The-Pump Skimming - a Growing Threat.]
Davtyan and accomplices Akop Tadevosovich Changryan and Karapet Kalantryan were indicted for installing skimming devices at four Aloha Island Mini Mart gas stations on Oahu. Changryan, who is expected to be sentenced June 3, was, in addition to the Aloha attack, charged with a similar card-skimming scheme at an area Shell station.
Aloha Petroleum, which owns the four mini marts, has since installed locking mechanisms on its fuel dispensers at all Aloha stations. The company also stopped accepting PIN-debit payments, since the link between magnetic-stripe details and PINs allowed Davtyan and his team to easily create fake debit cards used to withdraw funds at ATMs.
As the Hawaii scheme reiterates, once fraudsters can access, it's quite easy for them to install skimming devices that aren't readily visible. Comparatively, ATMs, which remain the world's No. 1 target for skimming, are required to have unique keys and codes for service and maintenance checks. Visa and MasterCard also have mandated several additional ATM security precautions, such as the use of encrypting PIN pads and Triple DES compliance, to ensure ATM deployers adequately protect cardholder data.
Industry ResponseJeremy King, European regional director for the Payment Card Industry Security Standards Council, says the battle against pay-at-the-pump skimming attacks is growing throughout the world.
"The fight back here is beginning, and we've been looking at it very closely with our PCI PTS standard, to see what we can do with our security guidance and merchants to try and make them understand the types of attacks that can happen and how these can be difficult to detect," King says. "We give them guidance on day-checks they should be doing. [See An End to Pay-At-The-Pump Skimming?]
New technology also is making significant strides to thwart skimming attacks, he adds. "There are anti-skimming devices now becoming available that can detect the presence of a skimming device, because a lot of the skimmers these days tend to transmit the data," even if they are installed inside terminals, hidden from view, King says.
But bankers say more needs to be done. "How difficult would it be to place tamper-proof seals around the access door and check daily?" asks Charles Groat, a security officer at Zions Bank [approximately $50 billion in assets]. Last year, Zions' cardholders took a hit after 180 pay-at-the-pump terminals in Utah were compromised with skimming devices and Bluetooth technology to transmit card data. Zions caught the fraud with analytics, after narrowing points of compromise to gas stations where cards had been used at the pump.
The creation of counterfeit cards from skimmed details has increased 200 percent over the last 18 months, Groat says, and Zions has pinpointed pay-at-pump terminals as the weak spot.
"Someone needs to make them more aware of the problems and responsible for losses," Groat says. "They are aware of it, but they are not doing anything to prevent it."
The National Association of Convenience Stores, better known as NACS, recently spearheaded an awareness campaign for store operators about the increasing threat of pay-at-pump skimming. In March, NACS launched its WeCare Decal, tamper-evident labels that aim to help retailers quickly identify potential security breaches if skimming devices are inserted at fuel dispensers or on other unattended PIN-entry devices.
NACS recommends the security labels be placed on fuel dispensers near card-readers, says NACS spokesman Jeff Lenard. "If the label is lifted to insert a skimming device, a 'void' message appears on the label, providing a visual alert to store employees, so that additional action can be taken," he says. "Because the labels clearly indicate that they are to prevent tampering, the labels help assure customers that their data is secure, and discourage criminals targeting the store."