CHICAGO — Skimmers on gas pumps have long been an issue for fuel retailers, law enforcement and consumers. But if recent proposals to add card readers to electric vehicle (EV) charging stations become realized, criminals may soon find a new frontier for hacking, a report warns.
The Digital Citizens Alliance, a nonprofit coalition of consumers, businesses and internet experts that focuses on internet threats, cites a series of mandates and proposals to require that public EV charging stations offer credit-card readers, which are aimed at expanding access to the service.
For example, California’s Electric Vehicle Charging Stations Open Access Act requires open access to public charging stations, meaning users do not have to be members of a particular charging station network. Charging-station network providers such as EVgo and ChargePoint argue that “open access” can mean mobile payment technologies, while the California Air Resources Board believes the stations need to have hardware that enables them to process credit cards, EV magazine Charged reports.
While describing the open access proposals as “well-intentioned,” the Digital Citizens Alliance report warns that adding card readers to charging stations, many of which are unmonitored and unattended in areas such as parking garages, is inviting criminals to install skimming or shimming devices.
“It’s hard to imagine a better way to gift cybercriminals with high-value skimming and shimming targets than to require credit-card readers at EV charging stations,” said Jayson Street, a contributor to the report and vice president of information security for SphereNY, a New York-based consulting firm. “EV drivers are perceived to have higher income on average, and compounding the problem, many charging stations are located in remote areas that would allow criminals to conduct their operation more covertly.”
The report argues that EV charging stations and other point-of-sale (POS) terminals should offer secure payment methods such as mobile payment, and that legislators should meet with security experts “to better understand fraud risks associated with credit-card readers.”