Security Experts Call Mandates at
EV Charging Stations A Major Step Backward
June 11, 2019 – Electric vehicle (EV) drivers are likely to become targets for cyber criminals if new proposals that mandate the installation of credit card readers at EV charging stations are approved, according to a new security study published today.
The study – authored by cybersecurity experts April Wright and Jayson Street in partnership with the Digital Citizens Alliance – analyzes proposals in several U.S. states and concludes that requirements for credit card readers at public EV charging stations could expose drivers to increased risk of fraud, cybercrime and identity theft.
“With a growing number of EVs on the road and dozens of new models hitting showrooms soon, the safety and security of EV charging stations should be paramount,” said Wright. “Yet, mandating credit card readers would expose drivers to new security risks and put them in the crosshairs of cyber criminals who use ‘skimmers’ and ‘shimmers’ to commit fraud.”
Magnetic Stripe Readers and EMV Chip Readers -- A Significant Step Backward
Today, “skimmers” and “shimmers” – small, easy to-obtain-devices engineered to steal credit card data – are a rampant problem at gas stations and other point-of-sale (POS) terminals. Cyber criminals can plant them on otherwise legitimate credit card readers in a matter of seconds, and they are difficult for consumers to detect.
Fraud related to these devices has become such a widespread threat that the U.S. Secret Service has launched a nationwide crackdown with regular alerts to law enforcement, service stations and drivers. In November 2018, the Secret Service announced it had removed nearly 200 devices at gas stations across 16 states, and this is only a small percentage of the total devices actively exploiting cards.
- In 2017, Colorado authorities busted a 12-person skimming ring that stole an average of $2.5 million per week. More than 8,000 victims were impacted by the skimming.
- This year, six individuals were arrested in an Arizona skimming ring that targeted consumers at 12 different gas stations in the Phoenix area.
- A Sacramento-based skimming ring was busted this year that stole account information from at least 40 people in the area.
Stolen data captured by such devices is sold on the Dark Web, where it is used for fraud and identity theft costing Americans $16 billion annually.
Payments made at EV charging stations currently rely on “contactless” methods using the latest in digital technologies – including mobile payments over smartphones and RFID cards.
Wright and Street warn that new proposals in states including California, Vermont, Nevada and Arizona would be a significant step backward for EV charging security, forcing the installation of payment technologies such as Magnetic Stripe Readers that cyber criminals exploit on a daily basis.
“It’s hard to imagine a better way to gift cyber criminals with high-value skimming and shimming targets than to require credit card readers at EV charging stations,” said Street. “EV drivers are perceived to have higher income on average, and compounding the problem, many charging stations are located in remote areas that would allow criminals to conduct their operation more covertly.”
State and Regional Proposals
Proposals are currently under consideration in several states that would impose credit card reader mandates on both new and existing EV charging stations.
- In California, the California Air Resources Board (CARB) would mandate all operators of public EV charging stations in the state to install credit card readers on their stations.
- NESCAUM – an association of eight Northeast and Mid-Atlantic states – is considering whether to issue a recommendation for all member states to establish requirements for credit card readers at publicly funded EV charging stations.
- In Nevada, the Governor’s Office of Energy (GOE) issued a mandate requiring credit card readers at all Direct Current Fast Charge (DCFC) projects that receive funding through the state’s "dieselgate" settlement with Volkswagen.
- In Vermont, the state agencies overseeing Volkswagen’s settlement spending issued a mandate that all DCFC stations that receive funding have credit card readers installed.
- In Arizona, the Corporation Commission is considering best practices for stations deployed by utility investments, which may include mandating payment options such as credit card readers.
The study was conducted in partnership with the Digital Citizens Alliance, a coalition focused on educating the public and policymakers on the threats that consumers face in our connected world.
The full study can be downloaded here: “Charging in the Crosshairs: How EV Drivers Could Become Cyber Criminals’ New Target”
About the Authors
- April C. Wright is a cybersecurity expert with more than 25 years of experience educating consumers, organizations and policymakers on security and privacy risks in the digital age and working with them to strengthen their networks and prevent breaches. She speaks at cybersecurity conferences across the globe and has worked with a variety of government agencies, industry associations and businesses.
- Jayson E. Street is Vice President of Information Security at SphereNY. He is a renowned cybersecurity expert, hired by leading companies and banks to “legally hack” their networks and identify vulnerabilities. He has been featured in National Geographic, FOX Business, Ars Technica, Scientific American and CSO Magazine.
About Digital Citizens Alliance
The Digital Citizens Alliance is a nonprofit, 501(c)(6) organization that is a consumer- oriented coalition focused on educating the public and policymakers on the threats that consumers face on the Internet. Digital Citizens wants to create a dialogue on the importance for Internet stakeholders— individuals, government and industry—to make the Web a safer place. Based in Washington, DC, the Digital Citizens Alliance counts among its supporters: private citizens, the health, pharmaceutical and creative industries as well as online safety experts and other communities focused on Internet safety. Visit us at digitalcitizensalliance.org
Digital Citizens Alliance