Using payment cards to purchase fuel at gas pumps may have gotten a little more risky. In a security alert, Visa warns that it has detected new cases of fraud in which criminals are stealing credit card data by breaking into a merchant’s network.
“Skimming” card data at gas pumps has been a problem for years, but these scams have all been fairly low-tech. A criminal might replace a gas pump’s card reader with a device that captures a consumer’s payment card information, but they must return to the scene later and retrieve the device.
Over the summer, Visa found that “threat actors” have stepped up their game when it comes to stealing consumers’ payment card information. Using phishing emails, the scammers target merchant employees. If one clicks on an email link, they download malware that infects the entire network.
Data captured from the network
The malware looks for payment card transactions made at the company’s gas pumps and captures the information from the card. It is able to do that fairly easily because many point-of-sale systems at gas pumps still use the old fashioned magnetic strip on the back of the card and not the more secure embedded chip.
When a customer buys gas with a credit card, the point-of-sale system sends the unencrypted data to the company’s main network where the scammer’s software is waiting to capture it. Visa says many companies make it easier for thieves by not walling off this data from the rest of the network.
Visa warns that this is a very troubling trend because criminals now see gas pumps as much easier and more lucrative targets. They’re much less risky as well, since the fraudsters don’t have to physically visit the location to install skimming hardware.
“Fuel dispenser merchants should take note of this activity and deploy devices that support chip wherever possible, as this will significantly lower the likelihood of these attacks,” Visa said in its security alert.
Equipment updates needed
Visa says that encrypting credit card data would also help deter thieves from stealing this information. Without these safeguards, the company warns that gas stations will continue to be an attractive target for sophisticated threat actors motivated by obtaining payment card data from point-of-sale systems.
Consumers can reduce their risk by controlling the way they pay for fuel. Paying with cash is the most secure form of payment, but it isn’t the most convenient.
If you choose to use a payment card, select a credit card rather than a debit card. Most credit cards offer more robust fraud protection and limit customer liability in cases where fraud is promptly reported.
Consumers should use only one credit card for fuel purchases and check the balance regularly to look for fraudulent or unauthorized purchases.