16 • OIL
&
ENERGY
WE DON’T NEED TO TELL YOU THAT OVER THE
past decade, from Washington to Florida,
ID thieves have been taking advantage of the
widely available easily copied “universal”
keys that secure the doors of most gasoline
dispensers.
The thieves open the access door to the
dispenser or reader and attach a “skimming
device,” which transmits credit and debit
card data to their team, often via Bluetooth.
Unfortunately, the theft is usually detected
long after it can be traced to a compromised
dispenser. Skimmer teams used to hijack
data by attaching readers to ATMs, but now,
as one security consultant puts it, “Gas
station pumps … are far easier to tamper
with than ATMs, and [the attack is] more
difficult to detect.”
How big an international criminal
industry is credit card skimming? According
to Javelin Strategy & Research, “More than
120,000 cases of fraud will occur as a result
of information stolen in a huge data breach
last year, resulting in more than $3,300 in
losses, on average, to each victim, including
20 hours and $770 on lawyers and time lost
from work to resolve the case.” And this is
just in the United States. A simple Google
search will pull up weekly occurrences
worldwide. For more information, Google
the CNBC article
The Cost to Consumers of
a Data Breach.
LOW COST PROTECTION:
SECURITY STICKERS
Even though this type of data theft goes
back 10 years or more, the retail petroleum
industry has been slow to respond, perhaps
because the pain is remote and spread
among a vast population of transient
customers. A typical response from law
enforcement in TV or newspaper reports is
that “somehow” a thief gained access to the
card reader.
The convenience store industry response
has been to promote “Security Stickers,”
which are attached to a dispenser door to
provide an indication that a door or device
has been compromised. Not surprisingly,
careless managers attached the stickers
improperly, and of course now, in the days
of laser printers, stickers are easy for crimi-
Fuel Storage
nals to copy to cover their tracks. After all,
they are smart enough to use Bluetooth to
transmit and steal data.
Not only are “security stickers” easy
to copy, but few if any customers would
recognize that the stickers have been
compromised. Even if just one day passes
before a manager notices the tampering,
one day’s worth of stolen data can be quite a
haul. Stickers, cameras and alarms provide
a deterrent, but they only can record and
document unauthorized access after the
fact; the only way to attack the skimming
problem is to
secure the door.
FULL-SCALE DEFENSE:
DISPENSER REPLACEMENT
Taking a comprehensive approach,
major gas dispenser manufacturers such as
Dresser and Gilbarco have developed new
security measures that defend against skim-
ming at the source: encrypted card readers
that retrofit into old dispensers and are also
available in new dispensers. Data encryp-
tion at the reader makes the data unusable
for thieves.
Additional high level security devices are
built into new dispenser models, including
automatic shutdown, and alarms that
sound when doors are opened. As an added
level of security, European style EMV card
readers will eventually become the industry
standard. These enhancements combine to
combat the current level of attacks. But as
we know the battle goes on, and there will
likely be more technological challenges,
and defenses, to come.
And even with the latest technology,
criminal employees with access to a key can
bypass most high tech barriers. You cannot
secure a lock unless you secure the key.
HIGH SECURITY RETROFIT
Obviously, replacing gas dispensers
with new models that feature tamper-proof
doors and electronically secure card readers
is the optimum response. It is also the most
costly. Many operators will find replacing
dispensers and adding data encryption a bit
pricey.
Fortunately, a number of lock manu-
facturers, among them ComPX, Insta-Key,
Lock America and Van Lock, have devel-
oped “Retrofit Kits” that replace the low
security “universal” keys and locks that
were shipped with most dispensers. With
adequate key control, and non-duplicatable
key blanks, these retrofit kits can protect
dispensers against unauthorized access at a
fraction of the cost of new equipment.
However, in selecting a retrofit kit, it is
important to ensure genuine key control.
Only a lock manufacturer who “sells direct”
can ensure that each customer has a unique
key code. Manufacturers who sell through
distributors generally provide sets of keyed-
alike locks that the distributor then sells
in smaller lots, usually to different locales
to prevent duplication. Unfortunately,
skimmer teams roam the country, so no
one can be sure that separating key codes
geographically provides much protection.
A PERSISTENT PROBLEM
If you have any doubt about the persis-
tence and scope of the skimmer challenge
and the potential for skimmer teams to strike
anywhere without warning, just perform an
internet search on “gas dispenser skimming,”
and after you catch your breath, search “gas
dispenser locks” to take the first step to
keep your name out of the news and your
customers’ data out of criminals’ hands.
When you assess the lock or dispenser
replacement options, ask how the supplier
will ensure key control. Does each code
originate with the manufacturer, or is it
a part of a lot broken up and distributed
from a regional location? If it’s easy to get
new keys and key codes, perhaps it’s easy
for a dishonest or dismissed employee to
do the same.
There is ample information about the
threat, and there are ample options ranging
from the low cost stickers to mid-level
retrofit security locks, to higher-level
embedded electronic barriers. Whatever
your choice, it’s time to make it, because
skimmer teams continue to rove the country.
The right choice will protect your customers,
protect the industry, and may even increase
your profits by driving new customers to
your more secure facility.
The Battle Against Gasoline
Dispenser Skimmers
Choose Your Weapons: Security Stickers,
Retrofit Kits or New Dispensers
By Rich Morahan, Lock America
