Becki Turner got the call from her bank’s fraud department on Labor Day. The investigator wanted to know if she had withdrawn $500 from an ATM in California over the holiday weekend. She hadn’t. She couldn’t. Turner was home in Puyallup, Wash.
“I was just flabbergasted,” she says. “I had the card with me, the ATM was in another state, and the person using the machine had to have my security code.” Turner worried crooks had gotten into the banking system and stolen her password.
It wasn’t anything that complicated. Puyallup police say thieves snagged her account information — along with the debit card numbers and PIN codes of hundreds of other people — at two gas stations in the area.
They did it by installing their own hard-to-spot card reader, called a skimmer, on top of the card reader built into the pump. The skimmer is able to grab the account information from the card without interfering with the legitimate payment transaction.
The crooks used the stolen data to create (or clone) fake debit cards that were used at ATMs in Washington State over the Fourth of July weekend and in Northern California on Labor Day weekend. The bad guys like three-day holidays because it gives them more time to use the cards before the unauthorized withdrawals are spotted.
“We are looking at a sophisticated, very well-organized group of individuals,” says Detective Jason Visnaw with the Puyallup Police Department. When all the victims from these two incidents are identified, the total loss could reach half a million dollars.
Why steal debit card numbers? “With a credit card you have to go and buy merchandise and then you have to fence it or pawn it,” Det. Visnaw explains. “With a debit card, you’re getting cash money.”
This is not an isolated case. Gas pumps are being compromised in cities across the country. “We don’t view it as an epidemic, but there are cases open in at least a half dozen states right now,” says Ed Donovan, spokesman for the U.S. Secret Service. These investigations are underway in California, Nevada, Pennsylvania, Delaware and Washington.
Donovan tells me the Secret Service believes some of these crimes are inside jobs, involving someone at the service station.
Gas pumps are just the latest target
Skimming credit cards and debit cards is not new. Portable card readers make it possible for anyone to copy the information stored on a card’s magnetic stripe. This information is not encrypted so it’s easy to steal.
“You just run it through the skimmer and it has all the information right there in plain text,” says former White House cyber security advisor Howard Schmidt. “It’s very easy to imprint that data on another magnetic strip and use it somewhere else.”
The first skimming cases were reported at restaurants and stores where dishonest employees ran cards through their reader before ringing up the sale. As technology improved, the bad guys developed skimmers for ATMs. Now they’ve added gas pumps.
The skimmers are designed to slip over the real card reader. They can be hard to spot. And quite frankly, most of us would never look for something like this anyway. We want to pay and go.
So how do they get your PIN number? They can hide a little camera in the skimmer or on the pump. It shows your fingers as you type in the number.
There are also fake keypads that slip over the real keypad that can transmit the PIN code as you enter it.
In Las Vegas, police have discovered even more sophisticated technology – wireless transmitters installed inside the pump. “They can actually sit in the parking lot with a laptop and get real-time information as victims use their card,” explains Lt. Robert Sebby of the Las Vegas Metropolitan Police Department. Because there’s nothing on the outside of the pump, there’s no way you can tell the pump is compromised.
Not a safe way to pay
Nancy and Jim Tew no longer use their debit cards to pay at the pump — and for good reason. They both had their debit card numbers stolen at one of those gas stations in Puyallup, Wash.
Nancy Tew found out about the theft when her card was rejected at the grocery store. “To my astonishment, I had no money in the bank,” she said.
The thieves used her account number at ATMs in Hollywood, Calif., to steal $600. They got $900 from her husband’s checking account. She tells me it was “totally bizarre and really scary” to be targeted like that and not even know it.
The Tews now pay for their gas — with cash or debit card — at the register. That may sound paranoid, but other victims of this skimming attack tell me they now do the same thing.
Police in Puyallup and Las Vegas now advise residents not to use their debit card at a gas pump because there’s no way to be sure it hasn’t been tampered with.
That’s smart advice and here’s why. Debit cards do not offer the same fraud protection as credit cards. If crook armed with a skimmer snags your credit card number and uses it to buy things, you can dispute the charges with the credit card company. You won’t owe a thing while they investigate.
If the crook grabs your debit card number, he can go to a cash machine and pull money out of your checking account. It could take days for the bank to investigate and put that money back into your account. During that time checks could bounce or you might not be able to pay your bills. That’s why the only way I pay at the pump is with a credit card.
Another safe way to pay is with a gas station charge card. If you must use a debit card, choose the "credit" option. Your debit card doesn't become a credit card; it just means you don't have to punch in a PIN code. That's why it's actually safer. If the thieves get your card number, they won't have your PIN so they can't use it at a cash machine.
© 2013 msnbc.com Reprints