CHICAGO -- Picture the criminal behind a skimming attack. Often, it’s not a lone wolf or a nerdy kid in a hooded sweatshirt pounding furiously at his computer. Instead, many of the criminals behind skimming attacks are more like mafia bosses, powerful moguls who lead small armies of hackers and spies, and run large, sophisticated skimming rings to steal the identities of consumers and sell their information on the dark web.
The criminals who are connected to digital crime syndicates either generate or are given a list of merchant targets and the skimming equipment necessary to steal payment card data. Chad Kobayashi, senior manager of retail technology for convenience-store chain Maverik Inc., Salt Lake City, says such campaigns are usually not unique to one retailer. Rather, the offender will target any gas station along a particular interstate corridor.
“The attackers are normally just looking for the greatest probability of a payout,” he says.
For law enforcement and the professionals who investigate and fight these crimes, it is a complicated, time-consuming business. Mark Carl, CEO of Alpharetta, Ga.-based ControlScan, cites one recent case of an organized skimming ring targeting a string of U.S. gas stations.
“We simply know that it was tied to organized crime,” he says. “How it was tied is actually a matter of a broader investigation that none of us are at liberty to talk about.”
Carl’s line sounds like something out of a spy movie. But it speaks to the realities of the global campaign against skimmers and other cyber malcontents. “It is scary when you get outside of the United States,” he says. “These guys working with the card brands—sometimes they’re embedded in these groups so they can know who’s going to be hit and when. So yeah, a lot of secret-agent stuff.”
Beyond EMV
Given the wide reach of cybercrime, every retailer must be on alert—especially those who have not switched their outside fuel-pump POS systems to accept payments from EMV (Europay, Mastercard and Visa) chip cards. With the October 2020 EMV liability shift seemingly years away, and given the high cost of new equipment, most retailers have not yet made the switch. And even when they do, it does not automatically protect them from skimming attacks.
Cybercriminals have developed a device similar to a skimmer—the shimmer—that can be placed in EMV chip readers. Shimmers catch an EMV card’s chip before it reaches the POS, enabling the criminal to create an illegal magnetic stripe, or magstripe, copy of the card to be used elsewhere. These devices are still rare, however, and they are more cumbersome for bad actors to install, Kobayashi says.
“A more common attack is not an exploitation of EMV itself, but rather disabling EMV on a targeted device to force it to revert back to magstripe,” he says. “Most EMV terminals are designed for backward compatibility, and if an attacker can force a terminal to only work with the old technology, then they can rely on the time-tested methods of skimming to harvest credit-card data.” Forcing a terminal to work only with magstripe cards is usually easy, because most EMV readers are also magstripe-compatible. All someone needs to do is cause the chip reader to malfunction and they have a magstripe reader.
Retailers with EMV-compatible gas pumps should thoroughly investigate instances of EMV malfunctions on the forecourt just to be safe, Kobayashi says. It is also important to keep in mind that EMV is not inherently meant to be a solution to skimming.
“As we begin to roll out EMV at the pumps, once the liability has shifted, the merchant will be on the hook if the card was fraudulent,” Carl says. “As far as protecting the data itself, EMV is not a security solution. It really only changes the question of who’s paying for the fraud.”
Facing Limitations
Those still using magstripes in the forecourt have plenty of options for protecting themselves. Maverik employs a host of strategies, including installing EMV-compliant POS systems at new stores, using unique locks on each pump, modifying or augmenting POS terminals to make it more difficult to break into them, and inspecting every POS device at every shift.
Even so, retailers and law enforcement are in an arms race with skimming criminals, and no one solution is perfect.
“Most of the fixes, as far as putting electronics on the pumps so there are alerts when doors are opened, are very expensive,” Carl says. “There’s training clerks to look for skimmers all the time; that’s also a solution. But when it comes to systems, there’s really not a lot we can do outside of that to protect the pump from a skimmer.”
Faced with such unmanageable risk, ControlScan offers insurance against skimming incidents. “When we provide security tools and compliance, if merchants have a breach by a skimmer, they can now make a claim on that and get reimbursed up to whatever insurance level we’ve given them,” he says. “Typically it’s about $100,000 of coverage for a single location.”
The insurance money covers real and associated costs of the breach, which include noncompliance charges from the card brands, chargebacks and sometimes even legal action from a consumer whose card information was stolen. Carl says consumer legal action against the retailer is much rarer compared to the fees and chargebacks, but it is still a risk.
Skimming attacks tend to be regional, with certain states as hot spots. For example, inspectors found 169 skimmers in Florida during 2015. But in 2018, inspectors found 539 skimmers in the first six months of the year, putting Florida on track to reach more than 1,000 reported skimming incidents in one year, according to the Florida Department of Agriculture and Consumer Services.
Numbers like these go far beyond what other states experience. Carl, who monitors and analyzes Florida skimming, has heard plenty of theories about why Florida is such a hotbed for skimmers, but he does not subscribe to any of them.
“Is it easier to get in and out from other countries? Maybe. Is it a larger population of certain people from other nations? Possibly,” he says. “But when you tie all of these things together, there really is no clear sign as to why Florida has such a problem compared to everyone else.” Carl is confident that finding the reason behind Florida’s skimming epidemic could reveal clues about the source of organized skimming crime.
Scrambling for Protection
There is one technology that can put a serious dent in skimming: point-to-point encryption (P2PE), which scrambles credit-card numbers into an encrypted code while they travel to the payment processor. Carl calls P2PE “the only true solution” for skimming, though he also admits that it does not deter 100% of cases. Perpetrators can still install shimmers that touch the chip on the card before it reaches the POS P2PE.
But without P2PE, retailers are vulnerable to all sorts of skimming strategies. “They can simply walk to the back of the store and put a skimmer on the pump’s connection to the POS and connect it to all of the cards from all of the pumps. They are going to find a way to get in there,” Carl says.
One issue keeping P2PE out of c-stores is the channel’s use of fleet cards, Carl says. Fleet cards are not required to be encrypted because they do not come from the card brands, he says. Furthermore, the logic used to make routing decisions concerning fleet cards is built into the POS at petroleum locations, Carl says, and the system’s logic needs to see the fleet-card numbers unencrypted to make those routing decisions. “We’re involved with a lot of communities and partners in trying to bring some solutions to the table,” he says.
Carl predicts that P2PE will eventually become standard, making skimming much more difficult to execute. “It will simply be included with all of those processing solutions and built into the pricing,” he says. “Right now, it’s either very hard or very expensive to do, but that will go away over time and that will solve the problem.”
WASHINGTON -- As the art of skimming evolves, retailers need to be aware of some of the techniques and technologies criminals use to access data at their stores, said an agent with the Secret Service.
Steve Scarince, assistant to the special agent in charge, Los Angeles Field Office of the Washington, D.C.-based Secret Service, said criminals get more sophisticated with technology but often use simple devices and rouses to execute their crimes.
Here are a few hard and soft tricks to be aware of:
Criminals are using 3-D printers to replicate in stunning detail the cover of an in-store point-of-sale (POS) terminal. These devices can capture credit-card and personal identification numbers (PINs). The printer creates a polyurethane mold from which criminals can make 20 fake facades before the product shows defects. Thieves come into the store in pairs, with one distracting the cashier while the other installs the device. It can take four seconds.
Members help make our journalism possible. Become a CSP member today and unlock exclusive benefits, including unlimited access to all of our content. Sign up here.