Electric vehicle (EV) drivers could become targets for cyber criminals if new proposals that mandate the installation of credit card readers at EV charging stations are approved, according to a new security study published Tuesday.
The study – authored by cybersecurity experts April Wright and Jayson Street in partnership with the Digital Citizens Alliance – analyzes proposals in several U.S. states and concludes that requirements for credit card readers at public EV charging stations could expose drivers to increased risk of fraud, cybercrime and identity theft.
In Nevada, the Governor’s Office of Energy (GOE) issued a mandate requiring credit card readers at all Direct Current Fast Charge (DCFC) projects that receive funding through the state’s “dieselgate” settlement with Volkswagen.
“With a growing number of EVs on the road and dozens of new models hitting showrooms soon, the safety and security of EV charging stations should be paramount,” Wright said. “Yet, mandating credit card readers would expose drivers to new security risks and put them in the crosshairs of cyber criminals who use ‘skimmers’ and ‘shimmers’ to commit fraud.”
The authors argue that “skimmers” and “shimmers” – small devices engineered to steal credit card data – are a normally placed on gas pumps and other “unattended” locations (like ATMs) that are difficult for consumers to detect.
Compounding the problem, many EV charging stations are located in remote areas along highways and in parking garages, providing an opportunity for criminals to install credit car stealing devices without being detected, according to the study.
Stolen data captured by these devices are sold on the Dark Web, where it is used for fraud and identity theft costing up to 16 million Americans $16 billion annually, according to the study.
Payments made at EV charging stations currently rely on mobile payments that are “contactless” which the study says is more secure and the best way to avoid “skimmers” from capturing and storing all the details in a card’s magnetic stripe.
Wright and Street warn that new proposals in states including California, Vermont, Nevada and Arizona would be a significant step backward for EV charging security, forcing the installation of payment technologies such as Magnetic Stripe Readers that cyber criminals could exploit.
“It’s hard to imagine a better way to gift cyber criminals with high-value skimming and shimming targets than to require credit card readers at EV charging stations,” said Street. “EV drivers are perceived to have higher income on average, and compounding the problem, many charging stations are located in remote areas that would allow criminals to conduct their operations more covertly.”