Cyberthieves Using Bluetooth To Steal Gas Station Credit Card Data

Written by Evan Schuman
March 4th, 2010

When cyberthieves plant skimming devices inside POS PIN pads, they typically have one of two headaches. First, they have to return to the scene of the crime to retrieve the device and its stolen data, which is dangerous. If the thieves use the device to wirelessly phone the data to one of their own, it’s safer initially. But if that data is detected and examined, it could lead law enforcement right to the culprits—a.k.a., problem number two.

But one group of cyberthieves in Utah—as yet uncaught—has hit about 200 gas stations in that state with a toothy tweak: Bluetooth-y, to be precise. By arming their skimmers with a Bluetooth transmitter, the stolen card data was beamed out indiscriminately to anyone nearby—make that very nearby—who happened to choose to listen for it. When such a device is found by law enforcement, it reveals nothing to point to the thieves’ location—past or present—and nothing to even indicate how long it’s been there. The devices in the Utah case had no local storage whatsoever, police said; they simply grabbed the data and instantly beamed it away.

Each device had a PIN pad tied into its motherboard, a PIN pad that fit precisely behind the real PIN pad. When a customer pushed the 6 button, that pressure activated the 6 button on the device, which Bluetoothed it out to whomever, said Sgt. Troy Arnold of Utah’s Sandy Police Department.

Depending on how high-powered the Bluetooth device is, transmission distance ranges from a few dozen feet to a maximum of perhaps a city block. But the confiscated devices were “very low powered,” Arnold said, adding that the receiving end of the transmission “couldn’t have been more than 50 feet” away.

That fact leaves police with a few theories. Because the devices couldn’t retain any data, a drive-by approach—where a car drives by, stops at a traffic light and downloads all the accumulated data—wouldn’t work. That means that some type of receiving device—most likely a laptop—had to have been hidden nearby.

Arnold’s best guess is that the Utah thieves used a crew driving different cars, each with a laptop in the backseat, probably covered by a blanket or coat. One crew member would pull up to the gas station and park, probably while shopping in the adjacent convenience store. That thief would hang around for as long as he/she could without drawing too much attention. The thief would likely have an upper limit tied into the laptop’s battery.

At the end of a shift, a new thief would drive up, relieving the first. Even if the device was unmonitored for several hours, the crew would simply lose the data stolen during that time. A small price to pay for relative safety.


3 Comments | Read Cyberthieves Using Bluetooth To Steal Gas Station Credit Card Data

  1. Terry Hare Says:

    Accoding to the story, the thieves need to be very close to the pump to read the data, but I believe that with a throw-away wireless phone collecting and relaying the data, basically just a little more technology, they could collect the card numbers and pins from anywhere in the world.

    This sounds like too much effort, expense and project management skills for a common criminal, this is likely a small group, probably with someone inside one of the companies that make, deliver or service the pumps.

    What is scarey is that this technology can translate to other card readers and if the perpetrators add local storage, the problem is even harder to uncover as they could drive up once a week purchase gas and download the data. If they managed to get access to other POS terminals this could be a bigger problem, just walk through with a smart phone and collect the data…

    The publicly known better surveillance will likely keep this technology from ATM’s and cash drawer termnals, but who knows with criminals?

    The technological answer is to put a specrum analyser at the locations to monitor all wireless signals to see if there is a device translating the data an pushing it to another network.

    If I had a C-store, I would have my pumps checked out by a third party to protect my customers, this could be a much bigger problem if it came from the pump distribution chain.

  2. Evan Schuman Says:

    The story also pointed out that a cell connection is dangerous because it can point to the thieves, while Bluetooth, in theory, wouldn’t.

  3. Todd Michaud Says:

    My question is, how did the thieves manage to implement the system in the first place? That sounds like quite an elaborate install. Did these locations run outdoor cameras at night?

    I would also agree that if this elaborate of a setup was created, I find it highly unlikely there would not be some type of localized storage on the device. It seems foolish for there not to be one.

    It seems interesting that the police investigating this have not used an opportunity to go “fishing for the theives” by taking out one of these devices and setting up one that is still transmitting, just bogus data. I’m not a bluetooth expert, but there is a pairing process that happens, I would think that they could at least see if the device was paired (and when) and glean some information that way.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.