Electric vehicle charging stations could become one of the next big targets for fraudsters — thanks to proposals in several states that researchers say would weaken their security.
Most electric vehicle (EV) charging stations take payment solely through a credit card linked to an app, or through contactless payments made with an RFID-enabled credit card or a driver’s smartphone. Contactless payments are one of the most secure ways to pay, cutting out the credit card entirely and reducing the chance that a card will be cloned or have its data skimmed. For charging stations — often in the middle of nowhere and unmonitored — relying on contactless payments can reduce device tampering and credit card fraud.
But several states are proposing that EV charging stations install magnetic stripe credit card readers, which the researchers say are prone to abuse by fraudsters.
Arizona, California, Nevada, Vermont, and several states across New England are said to be considering installing credit card readers at publicly funded EV charging stations.
“While these proposals may be well-intentioned, they could expose drivers to new security risks while providing cyber criminals with easy access to attractive targets,” wrote security researchers April Wright and Jayson Street, in a paper out Monday by the Digital Citizens Alliance, a nonprofit consumer group.
Instead, they say EV charging stations and other point-of-sale machines should continue to rely on contactless payment methods and lawmakers “should engage with the security community to better understand fraud risks associated with credit card readers.”
“These proposals would effectively reverse the industry’s careful considerations regarding EV charger payment options,” said the researchers.
Many of the issues stem from the continued reliance on magnetic stripe cards, which remain one of the most common payment methods in the U.S.
Where other nations, including the U.K. and most of Europe, have adopted chip-and-PIN as the primary way of paying for goods and services, the U.S. still relies on the insecure magnetic stripe. Hackers can easily skim the data off the credit card and repurpose a stolen magnetic stripe to commit fraud. Although chip-and-PIN is more secure than the magnetic stripe, card fraud remains a risk until chip-and-PIN becomes the primary method for making payments. Even with chip-enabled cards, fraudsters can still steal payment card numbers and card verification codes by using hidden pinhole cameras.
Credit card skimming is said to be a $2 billion industry.
Using mobile contactless payments, like Apple Pay or Google Pay, would render the risk from card skimming almost entirely moot, they say.
Until more secure options are used, the introduction of magnetic stripe readers at EV chargers “would represent an unnecessary risk” to drivers.