Cyberthieves Using Bluetooth To Steal Gas Station Credit Card Data
Written by Evan SchumanWhen cyberthieves plant skimming devices inside POS PIN pads, they typically have one of two headaches. First, they have to return to the scene of the crime to retrieve the device and its stolen data, which is dangerous. If the thieves use the device to wirelessly phone the data to one of their own, it’s safer initially. But if that data is detected and examined, it could lead law enforcement right to the culprits—a.k.a., problem number two.
But one group of cyberthieves in Utah—as yet uncaught—has hit about 200 gas stations in that state with a toothy tweak: Bluetooth-y, to be precise. By arming their skimmers with a Bluetooth transmitter, the stolen card data was beamed out indiscriminately to anyone nearby—make that very nearby—who happened to choose to listen for it. When such a device is found by law enforcement, it reveals nothing to point to the thieves’ location—past or present—and nothing to even indicate how long it’s been there. The devices in the Utah case had no local storage whatsoever, police said; they simply grabbed the data and instantly beamed it away.
Each device had a PIN pad tied into its motherboard, a PIN pad that fit precisely behind the real PIN pad. When a customer pushed the 6 button, that pressure activated the 6 button on the device, which Bluetoothed it out to whomever, said Sgt. Troy Arnold of Utah’s Sandy Police Department.
Depending on how high-powered the Bluetooth device is, transmission distance ranges from a few dozen feet to a maximum of perhaps a city block. But the confiscated devices were “very low powered,” Arnold said, adding that the receiving end of the transmission “couldn’t have been more than 50 feet” away.
That fact leaves police with a few theories. Because the devices couldn’t retain any data, a drive-by approach—where a car drives by, stops at a traffic light and downloads all the accumulated data—wouldn’t work. That means that some type of receiving device—most likely a laptop—had to have been hidden nearby.
Arnold’s best guess is that the Utah thieves used a crew driving different cars, each with a laptop in the backseat, probably covered by a blanket or coat. One crew member would pull up to the gas station and park, probably while shopping in the adjacent convenience store. That thief would hang around for as long as he/she could without drawing too much attention. The thief would likely have an upper limit tied into the laptop’s battery.
At the end of a shift, a new thief would drive up, relieving the first. Even if the device was unmonitored for several hours, the crew would simply lose the data stolen during that time. A small price to pay for relative safety.
March 4th, 2010 at 11:44 am
Accoding to the story, the thieves need to be very close to the pump to read the data, but I believe that with a throw-away wireless phone collecting and relaying the data, basically just a little more technology, they could collect the card numbers and pins from anywhere in the world.
This sounds like too much effort, expense and project management skills for a common criminal, this is likely a small group, probably with someone inside one of the companies that make, deliver or service the pumps.
What is scarey is that this technology can translate to other card readers and if the perpetrators add local storage, the problem is even harder to uncover as they could drive up once a week purchase gas and download the data. If they managed to get access to other POS terminals this could be a bigger problem, just walk through with a smart phone and collect the data…
The publicly known better surveillance will likely keep this technology from ATM’s and cash drawer termnals, but who knows with criminals?
The technological answer is to put a specrum analyser at the locations to monitor all wireless signals to see if there is a device translating the data an pushing it to another network.
If I had a C-store, I would have my pumps checked out by a third party to protect my customers, this could be a much bigger problem if it came from the pump distribution chain.
March 4th, 2010 at 1:14 pm
The story also pointed out that a cell connection is dangerous because it can point to the thieves, while Bluetooth, in theory, wouldn’t.
March 4th, 2010 at 1:32 pm
My question is, how did the thieves manage to implement the system in the first place? That sounds like quite an elaborate install. Did these locations run outdoor cameras at night?
I would also agree that if this elaborate of a setup was created, I find it highly unlikely there would not be some type of localized storage on the device. It seems foolish for there not to be one.
It seems interesting that the police investigating this have not used an opportunity to go “fishing for the theives” by taking out one of these devices and setting up one that is still transmitting, just bogus data. I’m not a bluetooth expert, but there is a pairing process that happens, I would think that they could at least see if the device was paired (and when) and glean some information that way.