As public charging stations for electric vehicles become more common, cybersecurity experts advise criminals could be taking notice of a possible new target.
A recently released report by the Digital Citizens Alliance (DCA) warns of the risks involved when public charging ports — often not overseen by an attendant — accept traditional credit card payments via the magnetic stripe on the back side of the card, or even the “chip” on the front.
Too often, say the study’s authors, cybercriminals will covertly install malicious devices onto the card readers, capable of swiping the card user’s information. The Digital Citizens Alliance — a consumer-focused nonprofit charged with educating the public and policymakers about cyber-risks — would like to see transactions at public EV chargers remain “contactless,” where payment is made via smartphone app, a contactless point-of-sale application such as ApplePay, GooglePay, or an RFID-type device.
“So, instead of actually inserting your chip, or inserting your credit card, with mag-stripe, like an ATM, you would just sort of touch it up to the reader,” said April C. Wright, a cybersecurity expert, and one of the authors of the report.
Several proposals around the country would require that EV charging stations accept multiple forms of payment, including a swiped credit card. The California Air Resources Board will consider a proposal later this month to require that all public chargers accept credit cards, in an effort to remove barriers around EV charging. The regulation is in line with the Electric Vehicle Charging Stations Open Access Act passed by the California Legislature in 2013.
“The proposed regulation requires chip readers, because they are secure and ubiquitous, and allows other credit card options as well, including tap readers,” said Dave Clegern, a spokesman for the Air Resources Board.
The legislation, “aims to increase access to charging infrastructure and increase EV drivers’ confidence that they will be able to use available EV infrastructure when they need it,” he added. “The current situation is confusing to consumers.”
California remains the largest market for electric vehicles. Since 2011, nearly 595,000 electric vehicles have been sold in the state, according to Veloz, which advocates for electric vehicles.
The DCA contends magnetic-stripe readers are not safe, and cites a 2018 Secret Service operation that found and removed nearly 200 skimming devices installed on card readers at gas pumps across 16 states.
“The bottom line is these proposals are not considering the insecurity of mag-stripe cards. They want different payment options, but they’re not really considering security,” said Wright.
“The technology they are talking about — when we talk about mag-stripe and chip cards that are being pushed into a machine, instead of just being tapped on — they’re definitely less secure than the other methods of payments that are currently available,” she added.
And because EV drivers are perceived as part of a higher income demographic, the charging ports may be a more attractive target for criminals aimed at lifting consumer data.
Other states considering requirements that EV charging stations accept credit cards include Vermont, Nevada and Arizona.
For its part, officials in California say the proposed new rule would do more than just require credit card readers. Charging stations would have to be clear about rates so that consumers would know how much the service cost. Also, charging providers would have to report new, current and decommissioned charging locations to the National Renewable Energy Laboratory’s Alternate Fuels Data Center and the California Air Resources Board to ensure up-to-date information for consumers.