Sebastopol skimming case highlights rise of card theft at gas stations, other outlets

Petaluma resident Candy Riddell figures she’s lucky her balance was too low to cover more than $350 someone tried to spend on her bank card last month in Riverside County, 500 miles away.

When her account number and PIN were used a second time the same day, also in the city of Hemet, the fraud prevention team at Wells Fargo Bank suspected something was wrong and notified Riddell her bank card had been compromised.

But it wasn’t until she saw news stories two weeks later that she worked out how it happened.

She is apparently one of dozens of people so far whose card numbers were illegally swiped by thieves this spring through an unauthorized device concealed within a fuel pump pay machine at the Sebastopol Fast Gas station. The crime was first reported by police ?two weeks ago and the culprits have yet to be caught.

“I use that gas station all the time,” said Riddell, 70. “I kept thinking, ‘Who the hell would have my ATM and also know my PIN?’?”

Amid a national epidemic of identity theft and bank fraud, Riddell and others were victims of a particular brand of high-tech theft known as “skimming.”

It makes use of widely available technology to collect and store data from a card’s magnetic strip, unlocking all the information thieves need to spend your money.

A variety of components are used, but the latest wave of illicit technology are thin devices inserted into the slots used to scan ATM cards - making it difficult to impossible for a even a wary consumer to detect.

Gas stations are particularly vulnerable to the tampering because most on-duty attendants work in buildings some distance from the pumps.

Skimming is an evolving crime, with a rising number of cases reported at gas stations, banking and other commercial outlets nationwide, according to security experts. Independent fuel stations, including many in California and the Bay Area, appear to have been among the hardest hit over the past decade.

Skimming operations were discovered last year at two Marin County gas stations, the San Anselmo Gas & Shop and the Mill Valley Chevron station. The scams defrauded scores of people from around the region, authorities said.

At least a half-dozen Sonoma County gas stations have also been hit since 2010, according to authorities and a station owner.

The northerly part of the state “is somewhat virgin and untapped” for such criminal operations, according to Peter Van Alyea, founder and president of Rohnert Park-based Redwood Oil Co. But mounting law enforcement cases indicate skimming activity in the region is on the rise.

The Northern California Computer Crimes Task Force, one of five high-tech task forces around the state, has been consulted “on numerous cases” of gas station skimming, said Central Marin Police Detective Sean Kerr, who is assigned to the group.

Sonoma County has at least three cases under investigation, including the Sebastopol incident. Nearly 700 member accounts at Redwood Credit Union were compromised in that case, according to the credit union.

In Santa Rosa, police are looking into two unpublicized cases of skimming at fuel stations within the past year, though details have not been divulged to safeguard the investigations.

“It isn’t a widespread problem, but it is a problem,” said Santa Rosa Police Sgt. Marcus Sprague, who oversees the department’s property crimes unit.

One possible victim, Anne Moulding, 64, of Santa Rosa said she recently tried to use her bank card to pay a bill over the phone and was declined because only $11 remained in her account.

She learned from the bank that someone using her card in San Jose had cleaned her out, using a number she believes could only have been obtained when she purchased gas at a Santa Rosa station the day before.

Though Exchange Bank restored funding to her account after several days, “it was pretty hard, because I’m on a very limited income,” Moulding said.

Another Santa Rosa case, in 2010, involving a Valero gas station on Farmers Lane came to light because the device was installed in a manner that disabled the pump, leading to its discovery before it could cause any harm, police said at the time.

Customers of a family-run Healdsburg gas station hit in the spring of 2011 weren’t as lucky. Concealed devices there were used to defraud at least several dozen people and to make thousands of dollars in fraudulent expenditures.

Sebastopol police were tipped to the first such case in their jurisdiction June 13, after Redwood Credit Union personnel investigating members’ reports of fraudulent transactions found a common point of use: the independently owned Sebastopol Fast Gas on Gravenstein Highway South.

At least one person called in as well, reporting fraudulent use of a card they believed had been compromised at the gas station, Police Chief Jeff Weaver said.

Earlier versions of card skimming often utilized modified or molded plastic card readers that fit over or into actual readers, capturing information when customers swiped their cards and storing the data until the thief could come back. Astute gas station attendants or patrons might in those cases be able to tell something was awry.

But the Sebastopol case, like many before it, involved more discrete and simple ribbon computer cables plugged into the pump’s internal workings and capturing data from card readers on either side of the pump, police said. They were so camouflaged by the other hardware that it took multiple inspections for them to be detected.

Police went three times over about a week to work with station owner Ali Kazemini to try to figure out how an increasing number of customer accounts had been compromised, Weaver said.

It wasn’t until a licensed technician for the pump manufacturer was called in and “delved physically deeper into the electronics” that the innocuous-looking cables were yanked, Weaver said.

Ron Felder, executive vice president and chief lending officer at Redwood Credit Union, said about 1,500 of his members used their cards at the Gravenstein Highway station on the south end of town during a period going back to March 1, about the time the fraud claims suggest the skimmers were installed. But a smaller number of members, about 675, bought gas using their cards’ debit function and entered a PIN, the digital key thieves are after. At least 40 of those members have found fraudulent charges on their accounts, most made in Southern California, Felder said.

Until gas stations uniformly utilize chipped-card readers - the current deadline for conversion is October 2020 - Felder recommended consumers always choose to process their bank cards as credit cards, eliminating the need to punch in the sought-after PIN thieves hope to steal.

Criminals know gas station card readers are often unsecured and typically lack the more secure chip-enabled encryption. They can even use wireless, Bluetooth technology to download captured and stored data without having to reopen the pump.

But for station owners, upgrading to chip-enabled card readers requires costly retrofits to fuel pumps, starting at $5,000 per pump.

Still, Kerr, with the computer crimes task force, said responsibility rests with gas station owners to install and maintain security mechanisms to protect customers.

That’s what Kazemini, who has owned Sebastopol Fast Gas since 2006, did after his business was hit. He put in new locks on pumps, making them more secure than those at many competitors.

But his business already is down by 50 percent, and he worries customers may be reluctant to return.

“We found the problem,” he said. “We fixed the problem, and they should feel safe coming in.”

Val Alyea, of Redwood Oil Co., which operates 23 mostly Chevron fuel stations from Cotati to the Oregon border, said he’s instructed his staff to be vigilant since he was notified of the Sebastopol case.

He has installed unique pump locks for each of his gas stations, confounding would-be thieves armed with universal keys.

He also uses Chevron-issued security seals that are hard to counterfeit on the access doors to his pumps. His attendants are instructed to check them regularly for any signs of tampering.

A broken seal at his Chevron station in Cloverdale thwarted a would-be skimming operation there, he said.

“If the retailers are vigilant, there’s no reason for a skimmer to remain in there more than a day,” he said.

You can reach Staff Writer Mary Callahan at 707-521-5249 or mary.callahan@pressdemocrat.com.