Image: Buying gas © Somos Image, Corbis
Using a debit card to buy gas can save you a few cents a gallon at some stations. It can also give bad guys easy access to your bank account.
Gas stations are proving to be a weak link in efforts to combat debit and credit card fraud. Outdated technology and poor security allow criminals to install skimmers that capture account numbers and PINs. If you swipe your card at a compromised pump, the captured information can be used to create a clone of your card that can be sold to other criminals or taken on fraudulent shopping sprees.
Organized rings of thieves operate on a large scale. A Los Angeles man named Aleksandr Goukasian was convicted in June of participating in one such ring that stole 38,000 account numbers from gas pumps in California, Nevada and Texas. The credit and debit cards were used to siphon $100,000 from users' accounts. The gang collected PINs and ZIP codes in addition to account numbers, federal authorities said.
Liz Weston
Liz Weston
Security experts said the size of the fraud wasn't surprising. What was unusual was that a ringleader was actually caught, since so much of this type of crime goes unprosecuted.
The low risk of getting caught isn't the only enticement for evildoers. Gas pumps are tempting targets because:
● One master key opens thousands of pumps. Only a handful of companies manufacture gas pumps, said fraud expert Avivah Litan of Gartner Research, and a single key typically opens that company's pumps, making it easy for crooks to install skimmers. A friend who works at a gas station or an attendant willing to accept a bribe is all a thief needs to get access. "If you get the physical key," Litan said, "then you can open all the gas pumps made by that manufacturer."


● Gas pumps are usually unattended. Sometimes the bad guys pose as maintenance technicians, but skimmers can be installed relatively quickly out of sight of gas station employees. Since the skimmers are installed inside the pumps, they can be hard, if not impossible, to detect from the outside.
● Gas stations are resisting investing in more secure technology. A gas pump doesn't need to have a skimmer installed for your information to be at risk. Older models don't even encrypt your PIN, so it's sitting "in the clear," Litan said, available to anyone who knows how to hack into the machine. Newer gas pumps not only feature encryption but also have unique keys, eliminating the "universal access" problem. Upgrading to the newer models costs gas station owners and franchisees up to $20,000 per pump, however. "Visa and MasterCard have been trying to get the gas industry to invest in better technology," Litan said, but push back from the stations has led the card networks to repeatedly put off requiring the upgrades.