PHILADELPHIA – The U.S. Secret Service’s Philadelphia Field Office has alerted retailers to be on the lookout for a new skimming technique to steal payment card information at gas pumps.
Contactless enabled dispensers use near field communication (NFC) to allow the wireless exchange of payment data between some smartphone applications or contactless credit cards and the payment terminal. Contactless payment systems mask real credit card numbers with a special token, known as a device account number, that contains information identifying both the mobile device used for payment and the payment card itself to the NFC reader.
Per the Secret Service, fraudsters are now using a sophisticated technique that involves a cellular relay skimmer located in the contactless NFC reader on the outside of a gas pump. When customers make a contactless payment, this skimming device picks up the contactless card primary account number over-the-air before it reaches the point of interaction (payment terminal), which means that it will even defeat point-to-point encryption.
Since this skimmer contains a cellular relay, it can transmit stolen card data wirelessly via text message. Consequently, fraudsters can receive real-time transmissions of the stolen card data from anywhere in the world.
The Secret Service notes that retailers should be aware that a small external cellular antenna may also be attached to this device. Any questions relating to this alert can be directed to the GIOC at firstname.lastname@example.org or 202-406-6009.
Recently, New York law enforcement discovered a “texting” skimmer that sent data to mobile phone numbers via text. A recent Convenience Matters podcast discusses how retailers can prevent skimming at the pump. Additional guidance and resources on skimming prevention, including Conexxus-hosted webinars, are available at convenience.org/skimming.
NACS, February 20, 2019