Don’t Get Sucker Pumped

Gas pump skimmers are getting craftier. A new scam out of Oklahoma that netted thieves $400,000 before they were caught is a reminder of why it’s usually best to pay with credit versus debit cards when filling up the tank.
The U.S. Attorney’s office in Muskogee, Okla. says two men indicted this month for skimming would rent a vehicle, check into a local hotel and place skimming devices on gas pumps at Murphy’s filling stations located in the parking lots of Wal-Mart retail stores. The fraud devices included a card skimmer and a fake PIN pad overlay designed to capture PINs from customers who paid at the pump with a debit card.

A PIN pad overlay device for gas pumps. Photo; NewsOn6.com

According to their indictment (PDF), defedants Kevin Konstantinov and Elvin Alisuretove would leave the skimming devices in place for between one and two months. Then they’d collect the skimmers and use the stolen data to create counterfeit cards, visiting multiple ATMs throughout the region and withdrawing large amounts of cash. Investigators say some of the card data stolen in the scheme showed up in fraudulent transactions in Eastern Europe and Russia.
As the Oklahoma case shows, gas pump skimmers have moved from analog, clunky things to the level of workmanship and attention to detail that is normally only seen in ATM skimmers. Investigators in Oklahoma told a local news station that the skimmer technology used in this case was way more sophisticated than anything they’ve seen previously.

Increasingly, pump skimmer scammers are turning to bluetooth-enabled devices that connect directly to the pump’s power source. These skimmers can run indefinitely, and allow thieves to retrieve stolen card data wirelessly while waiting in their car at the pump.
Below is one such card skimming device, pulled off a compromised gas station pump late last year in Rancho Cucamonga, Calif.

A new, unaltered generic gas pump card acceptance slot. The device on the right has a bluetooth skimming device attached.

Pump skimmers can be fairly cheap to assemble. The generic gas pump card acceptance device pictured left in the image above (Panasonic ZU-1870MA6t2) can be purchased for about $74. The pump skimmer scammers must love this model: It almost looks like it’s designed to hold additional electronics.
Investigators say the individuals responsible for these pump scams are able to ply their trade because a great many pumps can be opened with a handful of master keys. In the end, it comes down to a cost decision by the filling station owners: This story from Fox News about a rash of pump skimmers discovered earlier this month in Minnesota says that it costs filling stations about $450 to re-key eight pumps.