Gasoline pumps are prime targets for card skimmers, illegal devices thieves attach to payment terminals and ATMs to collect enough information to clone a credit or debit card. That’s because pumps see high card volumes and are sometimes hard for station attendants to monitor. Bolder crooks will pull a big vehicle in front of a gas station pump, and one person will go in to ask for directions while another installs the skimmer, says Jeff Lenard, spokesperson for the National Association of Convenience Stores.
Most gas-pump skimmers originally were attached externally, over the card slot. Thanks to 3D printers and other new technologies, fake ones can be almost indistinguishable from the real ones. Today, however, most are installed inside the pump, making it more important to choose the most secure payment method.
How Skimmers Work
Skimmers swipe information stored on a card’s magnetic stripe: your name, your card number, and the expiration date, but not the three- or four-digit code known as a CVV. Thieves transfer this data to the magstripe of a counterfeit card, which they can use “ in a store that has not upgraded to chip-based technology,” notes Steve Scarince, associate managing director for Kroll, which specializes in cyber risk security. Or skimmers can use collected data for online purchases that don’t require a CVV.
Although cards with a chip have greater security, they are still vulnerable to skimming because they have the same information encoded on a magstripe.
Some thieves pair a skimmer with a keypad overlay that captures your Personal Identification Number (PIN). If you use a debit card to buy gas and punch in your PIN, crooks may be able to withdraw money from your bank account at an ATM.
Originally, thieves had to physically retrieve the skimmer to access the data it stole. Now, with bluetooth, a wireless technology for exchanging electronic information between devices over short distances, they can sit in a car nearby, “and the data comes to them,” Lenard says.
How to Know You’ve Been Skimmed
If you see surprise charges or withdrawals on your credit or debit card statement, your card may have been skimmed. Some crooks use counterfeited cards at the same place they installed the skimmer, so consumers may not notice fraudulent charges at a station they frequent.
Report any unauthorized activity to your bank or card issuer immediately. Credit card issuers will most likely reimburse you for fraudulent charges up to a certain amount, but recouping money stolen from your bank account can be much more complicated.
Fortunately, thieves don’t get enough information from skimmers to open credit accounts, file a tax return, or apply for unemployment benefits in your name. That kind of identity theft can happen when cybercriminals hack into databases and steal information such as your name, address, birth date, and Social Security number.
How to Protect Yourself
To prevent skimming at the pump:
- Pay in cash.
- Use a mobile payment app such as Apple Pay, Google Pay, or Samsung Pay. These let you make credit- or debit-card purchases by holding your smartphone close to the card reader. Not all gas stations accept these payment systems.
- Use a “contactless” credit card. Instead of inserting this type of card, you tap it on the reader. Cards with this technology include the Wi-Fi symbol.
If those options aren’t available:
- Don’t use a debit card, unless you can use it as a credit card without a PIN.
- Avoid using pumps out of the attendant’s eyeshot. Better yet, pay inside, where skimmers are much harder to install.
- Use pumps with horizontal slots for card readers and raised keypads. These are newer and harder to tamper with than pumps with vertical card readers and flush keypads, says Brian Krebs, publisher of KrebsOnSecurity.com, a cybersecurity and cybercrime news site.
- Sign up for instant text or email notifications that appear when your debit or credit card is used, or used for more than a certain amount. “This alert will help the cardholder contact their bank and shut it down before the fraud ramps up,” says Scarince.
- Avoid a pump without security tape on it—a sign that it has been broken—or shows other evidence of tampering. Many stations do not use seals, so you may not have any other choice, Scarince says. If there is a broken seal on your pump, but others around you are intact, consider filling at one with a good seal.