How do thieves use gas pump ‘skimmers’ to steal account information?

It’s enough to make a road-tripping motorist paranoid: Machines called “skimmers” appended to gas-pump credit-card slots to steal customers’ account information.

How do thieves do it?

Easily, by just traveling from one station to another, installing the devices and collecting the data either by retrieving the skimmer later or using a Bluetooth attachment to transmit the information wirelessly.

Authorities in Alabama just arrested two men federal investigators say ran “a multi-state scheme” to steal bank and credit-union account information by installing skimming devices at gas stations.

A federal grand jury on Feb. 15 charged Eunices-Llorca Menses of Naples, Fla., and Reiner Perez-Rives of Houston, Texas, with conspiracy to commit wire fraud, wire fraud, and aggravated identity theft.

Prosecutors say Menses, 30, and Perez-Rives, 34, rented vehicles to travel through Alabama, Florida, Tennessee and Virginia in late December, stopping at service stations to install skimmers on gas pumps and using the account information gleaned to “activate or reactivate credit, debit, or gift cards, and make unauthorized cash withdrawals and purchases at several places around the Southeast.”

Soon multiple victims were reporting fraudulent use of their accounts, some having visited the same gas station in Ozark, Ala., where investigators found a skimmer with a Bluetooth connection that enabled thieves to collect account information “while sitting up to 30 feet away from the gas pump,” authorities said.

When arrested, Menses and Perez-Rives had 39 credit or debit cards that had been re-encoded with stolen account numbers, 315 gift cards, and “a homemade device” matching connections to the Bluetooth skimmer on the Ozark gas pump, investigators said.

If convicted, each faces up to 30 years in prison, plus paying victims restitution.

The U.S. Secret Service has noticed an increase in such scams nationwide as businesses transition from magnetic-strip cards to those with a more secure computer chip, said Secret Service Resident Agent in Charge Clayton Slay of Montgomery.

“As retail businesses make the transition to EMV, criminals are targeting those business that have not made the change,” he said. “This includes credit-card readers on gas pumps…. Criminals can breach the gas pump and install a skimming device which can be there for weeks or months before crooks return to download the credit card and PIN numbers, if used.”

“EMV” is short for Europay, MasterCard and Visa, the three companies that started the technology.

Slay said the skimming devices usually can’t be detected from outside the gas pump, and if no account fraud raises suspicion, they’re often not found until the pump’s being serviced.

The federal, state and local authorities who teamed up to probe the scheme warn customers carefully to monitor accounts and report fraud immediately.

About the only way to prevent such fraud is to pay the cashier inside the station or use only pumps that are in plain view of store employees or security cameras, “as criminals normally target pumps that allow them to install skimming devices undetected,” authorities said.

This story was originally published February 23, 2017 at 1:46 PM with the headline "How do thieves use gas pump ‘skimmers’ to steal account information?."