A Spink County deputy captured two Cuban nationals from Las Vegas after a high-speed chase through Redfield and up Highway 281 Wednesday. Elivanjob Espinosa-Leon, 38, and Wilmer A. Vargas-Rodriguez, 46, are suspected of stealing credit card information with skimmers installed on gas pumps at an Aberdeen gas station back in November and a rural Brown County gas station this month.
The police and the press continue not to name the gas stations where the skimmers were found. One of the victims, Faith Justice of Aberdeen, thinks that secrecy is misplaced:
Justice said she thought she was safe when she heard the skimmers were found outside Aberdeen. She buys most of her gas in town. That is, unless she drives to Sisseton and fills up at the self-serve pumps in Groton. The last time she bought gas in Groton was March 4, the same day the two skimmer devices were found.
“That’s where my data was taken,” Justice said.
Two men arrested in connection with the skimmers appeared in Brown County court on Friday. During the hearing, officials referenced skimmers being found in both Groton and Aberdeen.
From the perspective of a consumer who has also been a victim, she said, it’s important for people to know where the devices are found.
Justice said she understands disclosing the information can hurt the business and it’s unfair to the business because they’ve also been the victim of a crime. But she feels the people who use that business have a right to know [Elisa Sand, “Drained Account Shocks Aberdeen Resident,” Aberdeen American News, 2016.03.12].
I share Justice’s concern for public awareness of where crimes have happened. The police and press tell us when convenience stores and banks are robbed. Why should citizens not be informed when a gas station has failed to protect its customers from credit card theft?
All businesses have an obligation to protect their customers’ private information. In the case of gas pump skimmers, station owners need to monitor their pumps to make sure the seals aren’t broken overnight and that thieves aren’t tinkering with the machines during the day. Pump makers may need to come up with new designs that will make their machines harder to crack. Fighting such crime and admitting when they have failed to protect customers from such crime is just part of the price of doing business. Customers have a right to know which businesses are carrying out their duty and which businesses have weaknesses in their customer protection practices.
Mr. H is righter than right on this. Even though the police removed these skimming machines we should punish these businesses by scaring the public into not shopping there. It is their fault for not stopping this crime from happening to them in the first place or by being a willing victim. They should get what they have coming.
And it is true the police tell us when a store like a casino gets robbed. Those casinos failed to stop that robber so it is just like that.
Makes one wonder if the local Chamber of Commerce didn’t twist the police chief’s tail a little by saying to him, “We can’t punish the business by disclosing their name, can we?”
Ya damned right they should publish names–the laws were passed to protect the public–not the business. It’s aggravating to see this collusion of business interests and law enforcement–so apparent in SD anymore.
One of the Cuban Nats was working for Rubio and the other for Rafael Cruz trying to get some money for their campaigns.
We should publish the names of businesses who are the victim of employee theft, too, because they weren’t doing enough to protect their assets and will now charge us, the consumers, more to make up for the lost monies.
This is a tough one. Rarely can businesses protect themselves from this unless they check the pump after every visitor. These things aren’t integrated pieces of technology that require a long installation time. Most simply slide over top of the card input and record the card info. Some are so good, not even the most experienced person is going to notice one installed. ATM skimmers are a bit more intricate as they may have a keypad that is placed directly over the existing keypad to also log the PIN. I have a tough time punishing a business for being a victim. I’d rather they contact the people who ran their cards during the possibly affected time. Other than that, keep the info private.
Yes, Jake. Punish the business. My info was breached when Target was hacked. What did I lose? Nothing. Target? Maybe just a walking dead company. We shall see.
I do not blame the business for what happened. However if the business does not let me know that my account could have been compromised, then that business is just as guilty as the criminals who installed the skimming device.
Now if law enforcement truly is there to protect and serve they would make sure that the possible victims get notified. If the business will not notify the victims, then law enforcement should release where the skimmers were found.
We should trust law enforcement to decide how hard to hit the press with the punishment of these false “victim” businesses, and let it go at that. There is no reason to take anything else into account, just let the cops buy some more ink in the newspapers or maybe pass a law next year making these businesses put up a sign. A big one, right on the sidewalk.
Scott, I like your approach. The crime is the thieves’ fault. The business could serve its customers better by contacting them immediately to alert them to the risk. If they don’t have that customer contact info handy, they could immediately hit the airwaves, urge everyone to check their accounts, and give the public the assurance that they’ve taken steps to make it even harder for thieves to get away with it again.
In a case like this, notification is up to the law or the credit card company, Scott. I’m sure they were notified asap. If the biz found and corrected the problem what good does putting Grud’s banner on the street do?
I’ve had merchant accounts for over 30 years and I don’t believe there is any way possible the biz could find those customers in a timely fashion at best. I doubt Faith Justice had any losses that were not covered by her card company.
Dan, I was wondering: can the gas stations get contact information from the credit card transactions? And how big is a skimmer? How can such a device installed externally escape notice?
If skimmers are so easy to install, perhaps we need to consider our own complicity in seeking the convenience of filling up without walking inside. Those card readers at the pump are essential after hours… but I suppose during the day we could all minimize the chances of losing our data and our shirts by walking inside and paying at the register.
Here’s a link to a compilation of Brian Krebs’s posts about skimmers: All About Skimmers.
Brian Krebs is the author of the Krebs on Security blog. Lots of interesting info about cyber security and cyber crime on his blog.
I don’t believe they can get any information from the cards. All they can see is the transaction and the last 4 digits of the account. A skimmer is slightly larger than the card input it is going over. Think of it like a thin glove that fits over your hand. The plastic part that protrudes can be fitted with a similar looking plastic piece that may only extend 1/8 inch over the original card scanner. Here is an example: http://bloximages.newyork1.vip.townnews.com/lancasteronline.com/content/tncms/assets/v3/editorial/d/c5/dc509e34-0ece-11e5-956e-3bf433a7c360/557725c1481a7.image.png
As you can see, most people wouldn’t even notice and most gas station attendants wouldn’t either.
Here is an atm skimmer for the PIN: http://hss-prod.hss.aol.com/hss/storage/midas/2b56ab0048db37d814a9db115f7236b2/200487946/12914799553_817b9dd658.jpg
Even those can be hard to detect if the keypad is recessed and the new set of keys fit over it nicely.
This is one of those things we all must protect ourselves from because it is tough for someone to detect and make sure their systems don’t have them, especially if they only leave them on for a couple hours.
It is the business’s responsibility to reasonably protect the public whom those businesses invite to the premises or participate in the stream of commerce. No free passes, Cory, Dan, & Scott. This type of SD police corruption is common. A half-wit short order cook spits in the hamburger destined for a cop – it’s swept under the rug, no prosecution as that will put the fast food joint’s poor HR hiring/screening/management in the public eye. Sure the half-wit food spitter was the alleged criminal. Yet just as surely the managers of the fast food joint failed to screen, failed to supervise, failed to manage, failed to reasonably protect the public and should have to publicly atone. With whom else did the spitter [and the management] share phlegm-burgers?
Seriously, even if ‘only a crook’ wees in the Rice Krispies, are you going to put Kellogg’s in your kids’ breakfast bowl tomorrow? Seriously, how reasonably did the company protect the public in its stream of commerce (pun intended). http://www.huffingtonpost.com/entry/rice-krispies-kellogs-plant-urinate_us_56e6446be4b0b25c91825769
One would think there would be a way to build a “detector” so the machine would recognize another machine in ultra close proximity.
Thanks for those pics, Dan! It’s useful to see the devices we’re talking about… and to see how hard they are to distinguish from normal card readers and keypads.
I wonder: is there any kind of standard design we could impose on gas pumps, ATMs, and other self-serve credit-card-reading machines that would allow consumers to easily recognize when some alien hardware has been installed? Would a standardization solution be worth the effort?
John, good Rice Krispies’ example. The captain is responsible for the actions (and inactions) of his crew; the business is responsible at some level for its failure to protect customers.
Perhaps the prospect of bad publicity would drive gas station owners to police their machines more attentively. If gas stations can post a service schedule on the bathroom door, they can post a service schedule on their pumps. That could require having two people on duty all the time, one to man the till, the other to patrol the pumps. Or we put webcams on the pumps, one staring straight at the customer’s face (ah, telescreens! Winston!), the other pointed down at the card reader and keypad.
Hey, Dan, I’m also wondering—while I can see how the keypad skimmer could be hard to circumvent, couldn’t the main card reader be programmed to recognize the difference between credit cards and an alien skimmer inserted? Shouldn’t the card reader reject the skimmer for staying in the slot for more than a second? Or does that skimmer not even insert itself into the card reader and instead just read the card on its way into the legitimate reader? Could we make touch-sensitive card readers that would detect whether any object has been affixed to it?
“It is the business’s responsibility to reasonably protect the public whom those businesses invite to the premises or participate in the stream of commerce.”
John….And what is reasonable? Doing what Cory said and have someone walking thru the pumps 24/7? These install in 2 seconds and most people won’t even notice. If you really want to be protected, go inside and require gas stations to remove pay at the pump. That is about the only way you can stop it. This has nothing to do with SD police corruption. I think someone might have peed in your Wheaties this morning.
Cory, I’m not sure some sort of standardization would do any good. They will just create new ones that slip over whatever they make. These things are barely noticeable. About the only way to check is to pull on the device before you swipe your card. Cams would probably work once they notice one has been placed to help identify who did it and when, but they can’t afford to have someone watching those constantly. The skimmers sit on top of the original card input just like the keypad is placed over the original keypad. There is no integration whatsoever. Your card slides across their magnetic reader just before it goes across the real one. They are run on watch batteries that simply record the info as it is swiped. I don’t believe there is any way for a machine to notice another machine is close by. I’m not sure how we could enable that sort of recognition of a skimmer being attached.
The best solution to all of this?……that would be to implement what has been the standard in Europe for the past ten years. Get rid of signatures at the till and go to a PIN. Require this PIN to be entered for every purchase. They may be able to get your card info, but without your PIN, they can’t use it. When it comes to credit card security, we are way behind. We just enabled the chip technology in cards and that took way too long. It’s about time we go to a PIN format and require people to enter it at every transaction. Again, it’s possible they could have a keypad skimmer along with the card skimmer, but that is much more difficult to do and a lot harder to get away with.
And John is wrong about his Rice Krispies example and his burger joint example. These are not installed by employees or vendors or servicing companies. These are installed by customers. Would you go after McD’s if you got up to go to the bathroom and a random customer came by and spit in your burger as it sat at your table unattended?
Skimmers can be hard to detect if they are designed well… which is the problem. I’ve seen numerous examples that most people would never know were installed until they were discovered by a routine inspection from an employee who knows if something is out of place. Perhaps this is why I often find myself pulling on the card reader on pumps and ATMs to verify it isn’t loose or doesn’t have any extra attachments.
I don’t expect a gas station to detect a skimmer immediately, but an examination of the pumps twice a day could prevent a large number of people from being a victim. So yes, part of the responsibility lies upon the business. There is no reason to keep their identities a secret as it would ensure people know if they were a potential victim as well as put a lot of minds at ease for those that fill up elsewhere.
If these same gas stations are robbed we know about it. If they fail an alcohol compliance check, we know about it. If they are caught with pumps that don’t dispense the same amount of fuel as indicated we know about it. If a customer tries to pay for his or her gasoline with a fake $50 bill we know about it. This should be no different.
By the way, when pumps start accepting Apple Pay, Samsung Pay, Android Pay (or other similar wireless technologies) etc. and when people utilize this technology this problem will be nearly eliminated. These technologies generate a one-time code for each transaction and they don’t pass the PIN or biometric information to the terminal which would make the information captured via a skimmer worthless.
Cards that have the integrated chip (EMV cards) will also eliminate most of this type of fraud, because the chip has to be inserted and remain in the terminal for a specific period of time. Since two devices can’t both be attached to the chip at the same time, and due to some of the other anti-fraud technologies such as dynamic data in chip cards, the skimmers would no longer be of any use.
The liability for fraud shifted from the banks and credit card companies over to the merchants as of October 1, 2015. Therefore any merchant who doesn’t already utilize chip cards is liable for fraudulent transactions that occur in their terminals. This is why you will continue to see merchants migrate to new terminals to accept EMV cards over the coming months because they don’t want to be on the hook for the fraud.
“I don’t expect a gas station to detect a skimmer immediately, but an examination of the pumps twice a day could prevent a large number of people from being a victim. So yes, part of the responsibility lies upon the business. ”
This still wouldn’t protect you if they had them on for a couple hours over the rush hour times. It is ultimately up to the consumer to protect themselves. Like you said, pull on the device and check it over. They can’t look at the pumps after every customer to make sure they haven’t been touched.
Naming the gas station is only going to hurt them more when they are a victim themselves. Most of the other things you identified that gas stations are a victim of aren’t going to cause a mass exodus from their pumps. The other things are criminal for them so they aren’t a victim, entirely different. Now, you just sent those customers from a gas station that probably won’t get hit with a skimmer again any time soon to a gas station that probably will.
“By the way, when pumps start accepting Apple Pay, Samsung Pay, Android Pay (or other similar wireless technologies) etc. and when people utilize this technology this problem will be nearly eliminated. These technologies generate a one-time code for each transaction and they don’t pass the PIN or biometric information to the terminal which would make the information captured via a skimmer worthless.”
Multifactor is the way around it. Unfortunately, that isn’t financially feasible for everyone and that is why the push for it will take so long. The card companies aren’t going to want to put a dent in usage because a large share of their customers can’t afford it. Just look at how long it took to get the cards chipped. We aren’t even using PINs, let alone going to a dynamic tokening system.
“The liability for fraud shifted from the banks and credit card companies over to the merchants as of October 1, 2015. Therefore any merchant who doesn’t already utilize chip cards is liable for fraudulent transactions that occur in their terminals. This is why you will continue to see merchants migrate to new terminals to accept EMV cards over the coming months because they don’t want to be on the hook for the fraud.”
The biggest problem these merchants face is unsecure networks. Most don’t even have a dedicated line to a firewall for their POS systems. You can probably get on half of them through the free wireless that they offer their customers. Again, it’s a financial hurdle that many businesses can’t/don’t want to afford.
PINs every time—dang, I’d better learn my PINs.
So if we ban all transactions on 24/7 pumps so that it forces people to go inside the building and then run their cards, the only thing that would be accomplished is people running out of gas in the middle of the night or after store hours. Not such a good deal in a snowstorm. As Les said about Target, same thing happened to us. My card number did show up at a gentleman’s leisure service in Irving, Texas. Fortunately my wife understood that I did not go there, or did I?… I am old and forgetful, so who knows. Stuff happens and we are all vulnerable. I like the idea about sending notices to the ones affected by the breach though.
This is an ongoing investigation, and the police are telling you just what they need to say for that investigation to work. We know there are two in custody, we were told that they found skimmers, they didn’t say where for a reason. This would just be one of many.
They think there are more people involved. They have disabled the skimmers and think someone will be back to check on them. By not naming the businesses they make those not arrested get uncomfortable about what’s going on and then make a mistake that gets them caught.
Misleading information is just part of police work. The thought that the public need information right now doesn’t even come close in importance to completely solving the crime.
The Blindman
I’ll agree with that Bill… if an active investigation would be hampered by releasing too many details then by all means they should keep quiet. However when the investigation is complete, I still feel the public has a right to know where the skimmers were found.
If a gas station performs routine checks on their pumps (as they should be) they could publicly state that they know the skimmers appeared on the pumps between the hours of X and Y on Z date. They would know specifics. Without such investigations they would be forced to say they have no idea when the skimmers were installed. Thus this serves as an example of how lax one particular gas station has been and how they aren’t doing their due diligence to protect the consumer. Paying customers have the right to know who cares about their data and who can’t be bothered to spend six minutes a day looking at their pumps.
DB: “Again, it’s a financial hurdle that many businesses can’t/don’t want to afford.”
You’d be amazed at how quickly the retailers will find the money when they realize they are on the hook for credit card fraud. Unfortunately for some this discovery will come too late.
Within the next couple of years we should see mass adoption of chip-reading terminals because the card issuers are telling the retailers that failure to migrate will cost them money, and criminals tend to migrate to the easiest targets so it is better to migrate sooner than later.
Of course EMV cards won’t solve everything, but they do lead to a drop in fraud of about 60%… so it is significant. Personally I’d rather see a dual-factor authentication requirement with a PIN or biometric scan (such as some phones do with their fingerprint readers). I know the card companies don’t want to slow down each transaction by 1.5 seconds, but if it meant my financial data was that much more secure I’d be on board. I already enter a PIN when I use my debit card…. I’d be ok with doing the same for every card transaction.
Handy hint for remembering PINs – develop a three digit number that you won’t forget and for each card use the last digit of the card number plus your three digit code. Voilà – you now have a unique four digit PIN for every card in your wallet. Or just do what most people do and change all of your PINs to be the same four digit number. Sure that isn’t recommended, but neither are the PINs of “1234”, “0000”, “1111”, or “1212”. The sad part is, approximately 19.8% of the people reading this post will have used one of those four PINs!
For every level of convenience we are afforded, there comes a level of responsibility on both the consumer and business. That level is where most of us disagree. Outside of checks every hour, I don’t know how you are going to stop this from happening without upgrading our card technology entirely. If the station isn’t 24 hours, someone could be skimming outside of business hours and then it is again up to the consumer. I’m just not going to say this is the business’s fault or the consumer’s fault unless we know more details for how long it happened. Most of these are on for maybe a day at most, generally a few hours. Announcing those businesses may do more harm than good. I’m more for letting the possible customers affected know and that is about it. Chances are, the skimmers moved on to another station so avoiding the one that got skimmed might make you more vulnerable.
Daniel, what responsibility can the consumer take if the devices are so devilishly concealed that the regular consumer can’t recognize them?
About all you can do is pull on the device to see if it comes off. Outside of that, there is just an assumed level of risk for when using your card that really can’t be mitigated. We need to demand better authentication methods for using them in the first place and that has to come from the regulators forcing it onto the card issuers. I’m surprised it took this long for them to show up around here. Bigger cities have been dealing with it for a long time already.
About the same responsibility as someone handing you counterfeit $20, Cory.
This is milking a dead dry cow. Justice lost nothing. Stuff happens to good people all the time and we move forward and try to do a better job as it happens. You will be up 24/7 and insane if you think you can carry such an outrageous burden when elected.