Why You Should Be More Careful at Gas Stations…and What You Can Do About It!


Most commonly found on ATMs, skimmers steal credit card information in creative ways (literally-they have to look authentic). One example is using a bogus card reader over the real one and a pin pad cover device to steal your pin or zip code. Newer, more sophisticated card skimmers include wiretapping ATMs and more. 

Card skimming doesn’t just happen at ATMs, but can be found in grocery stores, gas stations, and basically anywhere with a card reader. Specifically in the United States, there is a growing problem with pump skimmers (skimmers attached to gas pumps). This particular type of skimmer uses bluetooth technology to transfer data back to the person responsible for installing the skimmer after skimming the payment information from the pump. The process is quick and easy, only requiring the person to pull up to the gas station and connect to the device to receive the newest skimmed information. 

But a new app may help with that! Researchers from the University of California San Diego and the University of Illinois Urbana-Champaign presented an app on August 14th at USENIX Security 2019 conference, held in Santa Clara, California. With help from the U.S Secret Service (who normally investigate these pump skimming cases), they have created an app that uses bluetooth technology to detect pump skimmers. Named Bluetana, this app has been tested for one year by 44 volunteers over 6 different states, mostly law enforcement and state employees. During that year, they were able to find 64 skimming devices.

But there are already apps which detect pump skimmers; what is so great about Bluetana?

Yes, there are already apps which detect pump skimmers; however, current apps commonly report false positives, detecting instead other bluetooth devices nearby, like police speed scanners. Bluetana was created with those false positive reports in mind, and, in consequence, is more accurate than previous apps.  

Why are fraudsters using pump skimmers anyways?

Pump skimmers are cheap to make (about $25) and they can make over $4,000 per day. In the paper detailing their work, the researchers reported that “based on the prior figures, we estimate the range of per-day revenue from a skimmer is $4,253 (25 cards per day, cashout of $362 per card, and 47% cashout success rate), and our high end estimate is $63,638 (100 cards per day per day, $1,354 cashout per card, and cashout success rate of 47%).” 

But low costs and high returns are not the only reasons. Gas pumps are easy targets, usually left unattended, with low security. The pump skimmers only require a couple seconds to set up, and as mentioned before, don’t require much time after that to gather the stolen financial information from the reader. Additionally, the skimmers use the pumps’ electricity, effectively eliminating the need for batteries. By mooching off the pumps’ electricity, the small devices can live indefinitely without upkeep. All of these reasons contribute to the ease of using pump skimmers. 

Bluetana is already being used by agencies in several states across the country, but it will not be released to the public.

How can I protect myself from these pump skimmers?

While you don’t have access to this app, there are still things you can do to prevent your financial information from getting skimmed (or reduce the impact if your information has been skimmed). Here are some suggestions:

  1. Use only gas stations with newer pumps and better security. Newer pumps will have horizontal card slots, as well as raised, metal keypads. Also choose a gas station that has higher security, such as a security guard or workers at the pumps, security cameras, etc.
  2. Be aware of what skimmers look like and watch out for them. Check out Brian Kreb’s article from Krebs on Security about different types of skimmers here. 
  3. Use a credit card instead of a debit card. If you spot fraudulent charges on your credit card, you are only responsible for up to $50 of that charge. When using a debit card, you can be held responsible for much, if not all, of the fraudulent changes if they are not reported immediately.  
  4. And, of course, monitor your financial accounts to catch any fraudulent charges quickly.