Cyber criminals will love charging station plan

Proposal calls for easy-to-scam credit card readers

ELECTRIC VEHICLE DRIVERS in Massachusetts and the Northeast could soon become targets for cyber criminals if a proposal that would force the installation of credit card readers at public charging stations is adopted.

Payments made at electric vehicle charging stations today rely on “contactless” methods using the latest in digital technologies – including mobile payments over smartphones and cards using radio frequency identification technology.  But a proposal under consideration by an organization coordinating clean air policies in eight Northeast states would, if adopted, force those who use the transportation technologies of tomorrow to use credit card readers – the payment technologies of yesterday.

From a security perspective, this credit card reader proposal represents an enormous step backward. It would mandate installation of technologies (Magnetic Stripe Reader and EMV chips) known to be insecure and which criminal enterprises and individual hackers exploit on a daily basis.

This could make electric vehicle drivers a new favorite target for cyber criminals and open them up to billions of dollars’ worth of harm in the form of credit card fraud and identity theft.

With a growing number of electric vehicles on the road and dozens of new models hitting showrooms soon, the safety and security of electric vehicle charging stations should be paramount. Yet, mandating credit card readers would expose drivers to new security risks and put them in the crosshairs of cyber criminals who use ‘”skimmers” and “shimmers” to steal credit card data.

Skimmers and shimmers – small, easy-to-obtain devices engineered to steal credit card data – are a rampant problem today at gas stations and other point-of-sale terminals. Cyber criminals can plant them on otherwise legitimate credit card readers in 30 seconds or less, and they are difficult for consumers to detect. Just a few months ago, a 15-person skimming ring that operated in seven states, including Massachusetts and Connecticut, was taken down.

Fraud related to these devices has become such a widespread threat that the US Secret Service has launched a nationwide crackdown with regular alerts to law enforcement, service stations, and drivers. In November 2018, the Secret Service announced it had removed nearly 200 devices at gas stations across 16 states.

 Stolen credit card data can be used for fraudulent purchases or sold on the Dark Web. The costs to consumers can be staggering, and retailers are also hit hard by fraudulent purchases that often cannot be recovered. Additionally, fraud rings can use the stolen data to commit additional crimes, including identity theft.

At a time when credit card fraud and identify theft costs Americans $16 billion annually, this problem will grow worse if new credit card reader mandates are approved for EV charging stations.

This troubling proposal isn’t limited to the Northeast. There are similar efforts in California, Arizona, Nevada, and Vermont. While these proposals may be well-intentioned, they would expose drivers to new security risks while providing cyber criminals with easy access to attractive targets.

A common perception is that electric vehicle drivers have above-average incomes, so it’s hard to imagine a better way to gift cyber criminals with attractive skimming and shimming targets than a mandate for credit card readers at electric vehicle charging stations.

Compounding the problem, many electric vehicle charging stations are located in remote areas along highways and in parking garages. This provides significant opportunity for criminals to install malicious devices without being detected.

There is a better way. EV charging stations and other point-of-sale terminals should continue to rely upon secure mobile payment solutions and policymakers should engage with the security community to better understand fraud risks associated with credit card readers.

Meet the Author

April C. Wright

Cybersecurity expert, Digital Citizens Alliance
With new electric vehicle models coming to showrooms, credit card reader proposals would lead to billions of dollars of credit card fraud and create unnecessary risks for drivers. The stakes have never been higher for consumer safety and security.

April C. Wright is a cybersecurity expert with more than 25 years of experience educating consumers, organizations, and policymakers on security and privacy risks in the digital age. Her study of the issue was supported by the Digital Citizens Alliance, a nonprofit backed by the health, pharmaceutical, creative, and security industries.