[special technology section]

Are Your Pumps Fraud Centers? Hackers are targeting fuel islands for thousands of dollars—and you might not even know it By Carole Donoghue || [email protected]

E

very time the price of fuel takes off, marketers become bigger targets for fraud. Despite the best efforts of majors, marketers and law enforcement, fraud at the pump continues to grow. According to numerous sources, much of the theft is emanating from organized-crime gangs operating out of Eastern Europe, largely out of U.S. reach. “Organized crime is well financed and highly mobile, so they can move easily between cities when they start feeling the heat in one,” says Mike Swillo, U.S. credit card operations manager for Houstonbased Shell. “It’s like having 10 fingers and 15 pegs—you hit it on the head here and it pops up over there.” No one quite knows how much is lost annually to pump fraud in the United States because of the way banks collect fraud data and their reluctance to share what they consider competitive information. Their secrecy can be a major drawback in dealing with the issue, fraud experts say. Gray Taylor, who heads the Petroleum Convenience Alliance for Technology Standards (PCATS), estimated in a study he conducted two years ago for the Federal Reserve that the average c-store loses

about $930 a year in card fraud. “That doesn’t sound huge, but in terms of gallons needed to be sold to make up that amount, it’s pretty big,” he tells CSP. Major-oil company data suggests that pump fraud accounts for 0.5 to 0.6 basis points per $100 of purchases. Total fuel sales at convenience stores alone amounted to $486.9 billion in 2011,

according to NACS data. When gasoline is typically selling for $4 and up, losing dollars becomes prohibitive and further erodes already sluggish margins at the pump. “At $4 per gallon, that’s around $320,000 a month, with $1,600 of it being pocketed by criminals,” an official at one major oil company says, based on typical station volumes and payment methods. CSP

M ay 2012

107

True or False: To recognize the potential for fraud, be familiar with what is real, experts say. Look for any notable changes in the appearance of the card-entry slot and pay attention to objects nearby. A pinhole or an additional piece of plastic could give away a camera’s hiding place, or a false keypad may have been installed.

Tools of Theft Skimming, the practice of stealing card data from credit- and debit-card magnetic stripes, is rising across all industries. On the West Coast, it has become so pervasive that some police departments have equipped their cruisers with card readers. “We are taking down group after group, but they just are spreading to the North and East as we become more successful in the West and Southwest,” says U.S. Secret Service agent Steve Scarince, head of the Los Angeles Fraud Task Force. Gangs have even expanded operations to rural areas where stations are more likely to use older pumps that can still be opened with the manufacturer’s universal key. On occasion, they may leave a special mark on dispensers to let other gang members know which one holds the skimmer, sources say. Unattended POS terminals are ideal test sites for fraudsters, whether it’s a gas pump, a card reader in a parking lot, an ATM or a Redbox kiosk. If they can get a valid authorization on a counterfeit card, they can quickly move to a high-end store for a shopping spree or use the counterfeit cards to purchase gift cards they can then sell for 50 cents on the dollar. One of the newer devices being used is what law enforcement has dubbed the Ziploc Skimmer, so called because it is cush-

108

CSP

Ma y 2 0 1 2

ioned in gel and placed in a Ziploc or Tupperware container that allows it to be shipped through the mail or by express delivery without much chance of damage or detection, Scarince tells CSP. The Ziploc skimmer is more expensive than regular skimmers. It costs about $3,000 to produce and may be Bluetooth-enabled, allowing thieves to pull up to the station and download card data with a laptop as they sit in their cars. And the dispensers may be inadvertently helping. Some of the devices have rechargeable batteries that can draw power from the pump itself. Many of the devices have been found throughout the Southeast, particularly in Florida. How many of the Ziploc skimmers are out there is not known, but the Secret Service recovered more than 60 in 2011.

“That doesn’t sound huge, but in terms of gallons needed to be sold to make up that amount, it’s pretty big.” Agents believe Los Angeles is the main production hub for the device, which is then shipped out to the field. Crooks are even running their own form of marketing campaign. In the Denver market, skimmers were installed at pumps on the outside edges of stations, furthest from the cashier’s line of sight. Banks then started receiving complaints from victim account holders who said they had received phone calls from the bank promising them gift cards if they

fueled at specific sites. Skimmers are not illegal, although Scarince questions why anybody would have one. They were originally sold to businesses for card-reading purposes. No bigger than a pack of gum, they weigh less than 2 ounces and are concealed in the palm of the hand, making them a favorite for gangs in league with servers in restaurants and bars. It doesn’t take long to install one, even at a supermarket. “It’s easy at 11 p.m. Someone spills orange juice at a checkout, the staff runs to clean it up, and that’s all the distraction it takes,” says one enforcement source. One of the most popular skimmers is the Mini-123, which can store from 2,000 to 3,000 credit cards. It’s battery-operated and even PIN-protected, and its software deletes records after the data has been saved onto a computer, so it’s ready for service again. Skimmers can cost $50 on eBay and were at one stage even available on Amazon. The skimmer is the first step in creating a cloned card. Encoders, embossers and tippers are used to add the data and the hologram and put foil on the account numbers. Printers can cost $10,000 for an upscale model, but a box of blank cards with mag stripes can be purchased over the Internet for about $95 to $115. An all-in-one machine that will silk-screen cards and put tipping foil over numbers costs $5,000 to $25,000, depending on the model. Gift cards work well for fraudsters, especially for money laundering. In 2011, two men from Romania who had recoded Dunkin’ Donuts gift cards with stolen Visa card data were caught as they tried to stuff nearly $18,000 they had withdrawn from a JPMorgan Chase

ATM in New York into their pockets. In November, they were sentenced to three years in prison. The crooks will sometimes incorporate skimmers into false fascia placed over the real card-reading slot. A pinhole camera may be installed in a strip over the top of the keypad or perhaps hidden beside the “take one” brochure holder on the pump to record the PIN being entered. Alternatively, a PIN pad overlay can capture the PIN as it is entered. “The quality of fake fascias, particularly on the user interface side, is extremely accurate in appearance,” according to British security firm QinetiQ. At some ATMs, cheeky crooks have even installed clearly visible skimmers, telling customers that they can swipe their cards there to “clean” them.

Fighting Back Shell has been proactive in tackling pump fraud at the pump through new programs, proprietary anti-fraud tools and closer collaboration with card issuers and law enforcement. It also uses its own test lab to replicate fraud and try out new deterrents. “Criminals take the path of least resistance, and our goal is to protect the customer, site operator and the brand,” says Swillo, the company’s U.S. credit-card operations manager. “As Shell stations become harder to attack, the crooks will move on to an easier target.” Shell has introduced initiatives that have reduced fraud, prompting customers to enter their ZIP codes, which Swillo says is still “the best line of defense against fraud at the pump.” In 2011, the company offered jobbers a special allowance—initially $250 per site, later raised to $400—to install new locks on their dispensers. “The number of sites where skimmers were found at Shell fell in 2011 after we implemented the

110

CSP

Ma y 2 0 1 2

Counterfeit Skimming Initiative,” he says. Shell is reserved when asked how many of its stations are hit by fraud annually, but the company says it has seen a “significant reduction” in the past three years. Fraud levels in 2011 remained the same as 2010—a significant achievement considering prices have risen and majors have had to raise pump limits as a result, Swillo says. But he acknowledges that Shell can never be complacent about fraud: “When you build a better mousetrap, you eventually get smarter mice. …As tactics change, the industry must adapt and be proactive.” Shell has just started a market test of a pump device that sounds a 105-decibel alarm when the dispenser door is opened, and it automatically kills the power to the pump.

“When you build a better mousetrap, you eventually get smarter mice.” “If there’s no power, there’s no loss, because you can’t steal something from a pump that has no power,” says Dave Jacobs, vice president of Flint Loc LLC, the Philo, Ohio-based firm that produces the system. The device displays a message on instore POS if the pump has been opened, and it will send alerts to corporate headquarters or a smartphone. The system, which also can include a remote monitoring system, will cost marketers $300 to $800 per dispenser, depending on the version purchased, Jacobs says. So far, the company has installed about 7,000 of the devices across the United States, especially in fraud hot-spot states such as California, Texas and Florida. Companies using it include Susser, Circle K, RaceTrac

and TravelCenters of America. Oil companies and some trade groups, such as NACS, have been selling marketers’ security seals to place on dispensers. The seals display the word VOID if the pump door has been opened. Chevron recently urged its marketers to buy the seals, calling them “an effective, low-cost/ low-tech device” in combating fraud. But not every marketer has the concept down quite right. Scarince says one station he visited had placed the seal on the hinges of a pump door, where it did no good at all. The seals can also be sliced with a razor and then replaced with a fake seal once a skimmer has been installed. And, according to one station worker, after a while the stickers just pile up and employees don’t bother replacing them. And, of course, gizmos and gadgets will be of little help if station employees are in on the scam. That’s what happened at one California station: An employee who had worked there for a few months and then disappeared was found to have planted skimmers in the pumps. Initial estimates of losses were put at up to $200,000. There have also been cases of employees turning a blind eye while skimmers are installed because their families have been threatened or they have been bribed, such as a Jack in the Box employee in Houston who was paid $3,000 for skimmed numbers.

Visa Pushes Chip-and-Pin The United States is the top nation in the world for credit-card fraud. It accounts for 47% of global credit- and debit-card fraud, despite generating only 27% of the worldwide volume of purchases and cash in 2010, according to the Nilson Report, which monitors the payments industry. The environment for U.S. merchants is expected to deteriorate further as most

countries abandon swipe-and-sign for chip-and-pin cards, otherwise known as EMV (Europay, MasterCard and Visa), which carry data embedded in microchips, making them harder to clone. The United States introduced mag-stripe cards in the ’70s and, along with some lesser developed African nations, is among the few still relying on the old technology. Countries in Europe, Asia and Latin America have already switched to EMV, and China has announced it will no longer accept mag-stripe cards after 2015. With Canada also moving to the system, the next logical place for fraudsters to go is the States, Swillo and other fraud experts say. Chip-and-pin technology has had a dramatic effect on fraud in countries where it has been adopted. In Britain, numbers just released by the U.K. Cards Association show the amount lost to card fraud in 2011 fell 7%, to about $538 million, the lowest level in 11 years. Losses due to counterfeit cards fell by 24%, ending up at around $56 million. Not surprisingly, then, Visa is pushing for adoption of chip technology in the United States. Some large merchants, such as Nordstrom and McDonald’s, have voiced support for the system; Walmart, Home Depot and Best Buy are introducing terminals that read both contact and contactless chip cards. Other players are less enthusiastic. Some card companies are reluctant to issue the new cards until retailers agree to accept them, while merchants don’t want to invest in a chip system until card companies adopt the cards. (Not everyone has embraced EMV; see this special column in CSP Daily News: http://www.cspnet.com/EMVpig.) A report by banking and payment industry consultants Mercator Advisory Group says replacing terminals alone could cost U.S. merchants up to $2.64 billion. The bill for card issuers to replace all payment cards could run as much as $2.85 billion, plus another $310 million to update ATMs to accept the new cards. Some banks, such as JPMorgan Chase and Citibank, have started to issue chip cards, but only to their elite clients, charging them $95 to $595 in fees for the privilege of having one. The cards carry the chip plus a mag stripe so they can be used in the United States and overseas. Wells Fargo has also issued a limited number of cards to frequent overseas travelers as part of a market test. Visa is taking its usual carrot-and-stick approach to the issue. In October, it will eliminate the requirement for merchants to validate their compliance with PCI data security standards if

112

CSP

Ma y 2 0 1 2

75% of their Visa sales originate from chip terminals. Acquirers and processors will have to be able to support merchant chip transactions by April 2013. By October 2015, Visa will shift liability for counterfeit-card sales to the merchant if it has not installed chip terminals. Fuel retailers will catch a small break: Visa will give them an additional two years, until Oct. 1, 2017, before a liability shift for automated fuel dispensers. A Visa spokesman says he doesn’t know how much it would cost marketers to install chip technology at their stations. However, major oil companies wrestling with the issue in Canada say the bill is running $2,500 to $3,000 per dispenser for hardware add-ons at the pump and in store. The question is: How much financial support will majors give their marketers to make the required changes? “The problem is, fuel wholesalers have just been required to become PCI compliant, and now they’re being asked to invest in EMV equipment,” says Swillo. “There are a lot of questions about how this will be accomplished.” Most of the fraud at U.S. pumps occurs at Gilbarco dispensers, in large part because the North Carolina-based firm has the biggest U.S. market share. Because dispensers can last 15 to 20 years, some marketers who have not upgraded their pumps can be particularly susceptible to skimming and other fueltheft schemes. According to the company, Gilbarco has a secure card reader available for a retrofit on both old and new dispensers. “We encourage those in high fraud areas to upgrade to FlexPay Secure Card readers and to specify them on new dispensers,” says Chris Whitley, Gilbarco’s marketing vice president. In October, it unveiled a new dis-

penser, the Encore 700 S, which it says can be upgraded to EMV specifications relatively cheaply. It also comes equipped with an alarm and disabling device if the

dispenser is tampered with. Equipment distributors are quoting prices of around $14,000 for the dispenser, which is being widely installed in Canada. n

CSP

M ay 2012

113