Gas Station Credit Card Skimmers – How to Spot a Payment Card Skimmer and Protect Your Money from Card Skimmers at Fuel Stations
Gas station credit card skimmers are devices that hackers use to read credit card credentials at fuel station pumps. An electronic credit card reader is installed on a fuel pump to read and record the information from all payment cards used at the pump. The hacker then retrieves data collected by the reader. Visa is warning consumers of a new genre of gas station credit card skimming hack which requires no physical hacking device to be installed, making it imperceptible to the buyer.
After the hacker retrieves stolen card numbers from the reader, they clone the payment card numbers onto physical cards and sell them. They may also steal your identity or sell the card numbers on the dark web or use the cloned cards to make purchases for themselves. In the case of bank cards, the scammer may withdrawal your money at an ATM if they can capture the PIN number too.
What Is A Gas Station Credit Card Skimmer?
With gas station credit card skimmers, hackers install an electronic payment card reader either on the inside or outside of the fuel pump. The reader reads and records the payment card numbers and stores them. A single fuel pump card skimmer can capture data from 30 to 100 cards each day. The information must be retrieved from the reader meaning the thief must return to the scene for each download. Hackers makes money by cloning the stolen card numbers onto physical cards and selling them. They may also sell the credit card numbers on the dark web.
Up To 75% Off Leatherman Gear!
Gast Station Credit Card Skimming Malware
VISA stated that the company is aware of gas station POS malware that has compromised five North American fuel merchants. The malware infects the fuel seller’s network. If an employee clicks on a link in a phishing email, a malware download is initiated. Once infected , the malware steals payment card information from the fuel pumps.
Using phishing emails, the scammers target merchant employees. When the employee clicks on an email link, malware is downloaded to their computer and infects the entire network. When a customer buys gas the POS terminal on the fuel pump sends unencrypted data to the company’s network where it is also read by the malware.
What Does a Gas Station Credit Card Skimmer Look Like?
Gas Station Credit Card Skimmers are installed on the inside of the fuel pump. The pump door or dispenser door must be opened to place the reader inside. Internal readers are hooked up to the payment card reader and PIN pad to capture postal codes and PIN numbers. External card skimmers are installed over the top of the card reader that the buyer uses to swipe or dip their payment card. An external gas station credit card reader is in plain sight but may be hard to spot as the skimmers are designed to fit snugly over the scanner.
A more discreet version of an external credit card readers, called a shimmer, is inserted directly into the card reader slot. The shimmer reads the information from any card that is dipped in the card reader, like cards with a chip, for example.
How to Spot a Credit Card Skimmer
- Look for signs of tampering on the fuel pump door or panel. Make sure the gas pump panel is closed and undamaged. Many states seal the pump with a security seal. Make sure it is intact. Look at other nearby pumps to see if they look the same or have a seal.
- Look at the dispenser handle casing and make sure it is intact too. Internal card readers can be slipped inside the panel surrounding the pump handle.
- Check for any loose parts, wires, or damaged casing on the payment credit reader. If it’s hard to insert your card, a skimmer may be present.
- Look for hidden cameras that could record you as you enter your PIN.
- Inspect the keypad. Hackers can install fake keypads to record your PIN.
- Look at the card reader and pump. Does it look different than other at the station?
- If the housing around the card reader or pump is loose, scraped, or otherwise damaged the fuel pump may be compromised.
What Is Card Skimming?
Gas station credit card skimmers involve thieves attaching electronic card reading devices on gas pumps. Skimmers can also be attached to cash machines and POS terminals at checkouts in stores.
Credit card skimmers read all of the data from the magnetic strip on a payment card. This gives the hacker the cardholder’s name, credit card numbers, and the expiration date. Internal readers may be attached to the PIN pad. In the case of an external reader, the scammer may also install a camera in hopes of capturing the PIN numbers from bank debit cards.
Most gas station credit card skimmers require that the hacker return to the fuel pump to collect the stolen payment card data. The hacker may need to open the pump again to download the data to a USB flash drive. More modern versions can send transmit the stolen payment information over Bluetooth, so the hacker only has to be close to the fuel pump to download the stolen payment cards. But some can even send the data via SMS text message, meaning the thief does not have to return to the scene until they want to remove the skimmer.
How to Protect Yourself from Gas Station Card Skimmers
- No precaution of foolproof but common sense can o a long way.
- Use fuel pumps in highly-visible locations within the attendant’s view. Hackers need an opportunity and time to install a credit card skimmer. They are often discovered on fuel pumps that are furthest away from the attendant, out of view.
- Monitor your credit card account and add fraud protection.
- Enable SMS Text messages on your credit card so you know when the card was used
- Do not use a bank card or debit card as a gas station for payment. A credit card adds a layer of protection in between the hacker and your money
- When in doubt, pay inside.
- Pay with cash which is hacker proof but not very convenient.
- Pay with a credit card rather than a debit card. Most credit cards offer consumer protections against fraud.
Michelle writes about cyber security, data privacy focusing on social media privacy as well as how to protect your IoT devices. She has worked in internet technology for over 20 years and owns METRONY, LLC. Michelle earned a B.S. in Engineering from Rensselaer Polytechnic Institute. Michelle published a guide to Cyber Security for Business Travelers