Skimming Stopped by Bank, Merchants

Pay-at-the-Pump Scheme Launches 10-Month Spree
Skimming Stopped by Bank, Merchants
A U.S. District Court in Orlando, Fla., has charged two suspects in a pay-at-the-pump skimming scheme that resulted in numerous fraudulent retail transactions worth hundreds of thousands of dollars. [See More Pay-at-the-Pump Skimming.]

According to the criminal complaint, authorities believe the two men carried on their scheme for at least 10 months, compromising a minimum of 175 credit cards in central Florida.

Robin Miguel Corrales Castro, 35, and Silvio Leon, 38, co-owners of Simple Mobile, a small business that allegedly served as a front for their scheme, were arrested on charges of conspiring to produce, use or traffic in one or more counterfeit devices. Three more suspects, Ivan Malagon, Lazaro J. Corrales Castro and Federico Martinez, also were mentioned in the complaint, although their arrests have not been made.

The scheme was ultimately foiled by the criminals' brazenness. After multiple fraudulent purchases totaling at least $73,500 at area Target stores, the suspects were busted by banks' transactional fraud-detection systems and retailers' in-store surveillance.

In June, Chase Bank notified Seminole County, Fla., authorities after one of its accountholders was hit with charges at an Orlando Target totaling $73,577.27. In July, retailer Target confirmed fraudulent transactions had been conducted at several of its central Florida locations. In addition to Target, Best Buy, Home Depot and Wal-Mart also reported fraudulent activity.

When detectives with the Seminole County Sheriff's Office Financial Crimes Task Force and the Secret Service raided Castro's home, they found 1,000 Target gift cards that had been encoded with stolen card numbers. Police surveillance also caught Leon and Malagon, who is still at large, successfully completing purchases at Target worth $1,129.42; $2,644.33 worth of purchases, however, were declined.

Once merchants and card issuers started connecting the dots, it was easy to trace the scheme's steps.

In July, American Express confirmed $125,564.60 in fraudulent transactions linked to Target purchases. AmEx also identified the point of card compromise to be a Hess gas station located in the Orlando suburb of Winter Springs.

'They Got Greedy'

Robert Siciliano, a McAfee consultant and identity theft expert, says the criminals in this case dropped the proverbial ball. "This case shows that the masterminds in this weren't all that smart, scamming in their own backyards over and over," he says. "They got greedy."

See Also: Effective Cyber Threat Hunting Requires an Actor and Incident Centric Approach

But the fraudsters' greed does not veil the fact that skimming vulnerabilities linked to card fraud in the U.S. are growing. "Whether hacked, or in this case skimmed, account takeover with U.S.-based magnetic-stripe card data is just too easy a target for criminals not to go after," he says. "It's almost like they can't stop themselves from doing it."

Jeff Lenard, spokesman for the National Associations of Convenience Stores, says pay-at-the-pump skimming is an issue the convenience-store and petrol industries are taking seriously. In March, NACS launched its WeCare Decals, tamper-evident labels that aim to help retailers quickly identify potential security breaches. NACS also launched an awareness campaign that focuses on steps retailers can take to protect cardholder data at the pump. [See Skimming Concerns? Here's What You Need to Know.]

"Skimming should be a concern for anyone who accepts plastic," Lenard says

The NACS campaign is designed to educate merchants about skimming vulnerabilities at the pump, as well as in the store. [See Steps to Stop Skimming and Fighting Fraud: Banks, Merchants Must Align.]

Lenard says retailers that sell fuel should focus on three key areas to prevent pay-at-the-pump skimming:

  • Inspect pumps regularly to see if there has been any tampering;
  • Secure the pumps so they are less susceptible to tampering - i.e. cannot be accessed with universal keys;
  • Monitor any suspicious activity.

"NACS has developed a number of guides, as well as a video, to help retailers protect their businesses and minimize the risk of skimming at their stores," he says.


About the Author

Tracy Kitten

Tracy Kitten

Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 19 years' experience, Kitten has covered the financial sector for the last 13 years. Before joining Information Security Media Group in 2010, where she now serves as director of global events content and executive editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network