On Christmas morning, Rob Brand learned that his debit card had been skimmed and the card was used to try and purchase something from Amazon Prime.
“I have not heard of this before,” said Brand, a 48-year-old IT professional.
As a precaution, he notifies his bank when he travels outside of the U.S., but this holiday season there was no need because he was with his sister in North Park. When his card was fraudulently used in India to purchase something on the Amazon site, the bank declined the sale.
“My sister was re-ordering a gift for my dad and my debit card was declined,” he said. “I checked with my bank and they notified me [about the debit card being skimmed].”
His sister said that the card was skimmed at “the 76 [gas station] on the northwest corner of University Avenue and Boundary Street” by her house.
Debit and credit card skimming is achieved when high-tech thieves place another card reader atop the existing bank-provided one at the gas pumps or ATM machines. To the naked eye it looks like the bank’s equipment, but as the customer swipes or inserts the card, the information is stored on a memory card or sent to someone lurking close by — even as the transaction goes through, leaving the victim none the wiser.
Krebs on Security is a tech-security news and investigation blog founded by Brian Krebs, who has authored more than 1300 blog posts for the Washington Post’s “Security Fix” blog. A large portion of his website is dedicated to his investigations of ATM and gas pump skimming devices and operations around the world.
According to the Krebs on Security website, “Bluetooth skimmers are equipped to tap directly into the [gas] pump’s power supply and to allow thieves to retrieve stolen card data wirelessly, just by pulling up to the compromised pump with a Bluetooth enabled laptop or smartphone and downloading the data without ever leaving the vehicle.”
“Debit fraud from station on University” was the title of Brand’s sister’s social media post to warn others in North Park against “the skimming scammers.” Other neighbors from South Park reported about being skimmed during the holidays season as well.
“On December 20th, I went to the Pacific Beach Vons after work around 6 p.m. and my debit card was declined,” said Nancy Davey. “I knew I had money and was confused.”
Davey is a 60-year-old South Park resident who suspects her card was skimmed at the 7-Eleven at 2101 Fern Street (between Hawthorn and Ivy streets) by her house. There were about ten other people on the Nextdoor app who posted their suspicions about the same 7-Eleven store’s debit/credit machines, since before Christmas.
“About an hour earlier someone had withdrawn $300 from City National Bank ATM in Solana Beach,” she said. “Since I still had my card I knew it must have been skimmed and copied.”
She said that after she called about the mysterious withdrawal, she was reimbursed the following day.
Another South Park resident reported that her card was skimmed at the same 7-Eleven during the holidays. “[The skimmers] opened an Amazon Prime account and withdrew almost $500 between the two accounts linked to my card,” she posted.
Paul Turner from North Park said he pays with cash at gas stations to save on money per gallon and to avoid the potential skim. His card was skimmed earlier this year and “[the perps then] purchased two $500 gift certificates at a Walmart in Philadelphia.”
On Krebs’s website, he posted a video of a scammer who attached a hidden camera to the skimming device to obtain the PIN numbers for the debit cards. “I was surprised to see that out of the dozens of customers that used the compromised cash machines, only one bothered to take the simple but effective security precaution of covering his hand when entering his four-digit code,” he said.
Others in the neighborhood agreed that covering the pad is a good practice because the perp can possibly be watching with binoculars or a camera. But even covering keypads might not be foolproof. Krebs said some of the more sophisticated thieves mask their code-nabbing-keypad over the original keypad. These keypads, though, are more costly and difficult to install than the card skimmer.
In a 2016 Reader skimmer article, the author suggested to look at the security-seal stickers on the gas pump to see if they are intact or broken.
Another North Park neighbor who was getting gas for her minivan said to wiggle the card reader to see if it’s loose. She also suggested an app called Skimmer Scanner by SparkX. “This app uses your phone’s Bluetooth radio to detect a common radio component in modern fuel pump skimmers (HC-05) and warn you if you’re about to get scammed,” states the app-download page. “If you happen to detect a device, please don’t attempt to remove it yourself and let the station attendant know.”
On December 30, I called the 76 gas station (at 3252 University Avenue, between Bancroft and Boundary streets) for a comment regarding their point-of-sale machines; the lady working could not give a comment.
Ihab, the owner of the 7-Eleven in South Park, said in the past 21 years that he has owned the store, his ATM machine inside the store was last compromised with a fraudulent skimmer three years ago.
“Yesterday [December 29] there were three people that said we had a problems here at the pumps,” he said. “After I checked every point-of-sales [machine], the ATM, and the pumps, I couldn’t find anything. Then to make sure, I called our hotline for loss prevention and they diverted me to the maintenance people and they checked [December 30], and they said there was nothing. [The technician] said there’s a possibility that [the thieves] put [the skimmers on] and they take it off after a couple of hours.”
Ihab then showed me the red stickers on the gas pumps and said that if they are tampered with they would’ve turned white. He said he had reviewed some of the security-camera footage and didn’t see anything out of the ordinary.