By Rich Morahan, Lock America
We don’t need to tell you that over thepast decade, from Washington to Florida, ID thieves have been taking advantage of the widely available easily copied “universal” keys that secure the doors of most gasoline dispensers.
The thieves open the access door to the dispenser or reader and attach a “skimming device,” which transmits credit and debit card data to their team, often via Bluetooth. Unfortunately, the theft is usually detected long after it can be traced to a compromised dispenser. Skimmer teams used to hijack data by attaching readers to ATMs, but now, as one security consultant puts it, “Gas station pumps … are far easier to tamper with than ATMs, and [the attack is] more difficult to detect.”
How big an international criminal industry is credit card skimming? According to Javelin Strategy & Research, “More than 120,000 cases of fraud will occur as a result of information stolen in a huge data breach last year, resulting in more than $3,300 in losses, on average, to each victim, including 20 hours and $770 on lawyers and time lost from work to resolve the case.” And this is just in the United States. A simple Google search will pull up weekly occurrences worldwide. For more information, Google the CNBC article The Cost to Consumers of a Data Breach.
Low Cost Protection: Security Stickers
Even though this type of data theft goes back 10 years or more, the retail petroleum industry has been slow to respond, perhaps because the pain is remote and spread among a vast population of transient customers. A typical response from law enforcement in TV or newspaper reports is that “somehow” a thief gained access to the card reader.
The convenience store industry response has been to promote “Security Stickers,” which are attached to a dispenser door to provide an indication that a door or device has been compromised. Not surprisingly, careless managers attached the stickers improperly, and of course now, in the days of laser printers, stickers are easy for criminals to copy to cover their tracks. After all, they are smart enough to use Bluetooth to transmit and steal data.
Not only are “security stickers” easy to copy, but few if any customers would recognize that the stickers have been compromised. Even if just one day passes before a manager notices the tampering, one day’s worth of stolen data can be quite a haul. Stickers, cameras and alarms provide a deterrent, but they only can record and document unauthorized access after the fact; the only way to attack the skimming problem is to secure the door.
Full-Scale Defense: Dispenser Replacement
Taking a comprehensive approach, major gas dispenser manufacturers such as Dresser and Gilbarco have developed new security measures that defend against skimming at the source: encrypted card readers that retrofit into old dispensers and are also available in new dispensers. Data encryption at the reader makes the data unusable for thieves.
Additional high level security devices are built into new dispenser models, including automatic shutdown, and alarms that sound when doors are opened. As an added level of security, European style EMV card readers will eventually become the industry standard. These enhancements combine to combat the current level of attacks. But as we know the battle goes on, and there will likely be more technological challenges, and defenses, to come.
And even with the latest technology, criminal employees with access to a key can bypass most high tech barriers. You cannot secure a lock unless you secure the key.
High Security Retrofit
Obviously, replacing gas dispensers with new models that feature tamper-proof doors and electronically secure card readers is the optimum response. It is also the most costly. Many operators will find replacing dispensers and adding data encryption a bit pricey.
Fortunately, a number of lock manufacturers, among them ComPX, Insta-Key, Lock America and Van Lock, have developed “Retrofit Kits” that replace the low security “universal” keys and locks that were shipped with most dispensers. With adequate key control, and non-duplicatable key blanks, these retrofit kits can protect dispensers against unauthorized access at a fraction of the cost of new equipment.
However, in selecting a retrofit kit, it is important to ensure genuine key control. Only a lock manufacturer who “sells direct” can ensure that each customer has a unique key code. Manufacturers who sell through distributors generally provide sets of keyed-alike locks that the distributor then sells in smaller lots, usually to different locales to prevent duplication. Unfortunately, skimmer teams roam the country, so no one can be sure that that separating key codes geographically provides much protection.
A Persistent Problem
If you have any doubt about the persistence and scope of the skimmer challenge and the potential for skimmer teams to strike anywhere without warning, just perform an internet search on “gas dispenser skimming,” and after you catch your breath, search “gas dispenser locks” to take the first step to keep your name out of the news and your customers’ data out of criminals’ hands.
When you assess the lock or dispenser replacement options, ask how the supplier will ensure key control. Does each code originate with the manufacturer, or is it a part of a lot broken up and distributed from a regional location? If it’s easy to get new keys and key codes, perhaps it’s easy for a dishonest or dismissed employee to do the same.
There is ample information about the threat, and there are ample options ranging from the low cost stickers to mid-level retrofit security locks, to higher-level embedded electronic barriers. Each level carries an increased cost with its increased security level.
You can choose to replace your gas dispensers, to replace your universal locks with high security locks, or to attach security stickers to indicate tampering. Whatever your choice, it’s time to make it, because skimmer teams continue to rove the country. The right choice will protect your customers, protect the industry, and may even increase your profits by driving new customers to your more secure facility.