This is page 2 of:
Cyberthieves Using Bluetooth To Steal Gas Station Credit Card Data
Such a plan is hardly without risks, though. Video surveillance of the parking lot—as well as the observations of employees—could identify the suspects and the cars they use. The smart approach would be to capture the card data and then battle the clock. The longer the thieves wait to use the data, the better the chance that security footage may be overwritten or otherwise deleted.
But there’s pressure on the other end. Stolen credit and debit cards—including ATM cards—have a notoriously short shelf-life. Expiration dates roll around and cards are changed, so a cyberthief needs to use the stolen card as quickly as possible.
And as soon as the first stolen card information is used, it’s critical for the thieves to use as many of the other cards as possible as quickly as possible. Depending on the situation, it may be only a matter of hours after the first bulk use before many of the cards are deactivated; it will happen as soon as software identifies the common point of purchase.
One wireless security expert, Joshua Wright, a senior instructor at the SANS Institute, questioned Arnold’s conclusion that the device had no local storage.
“I find that scenario very unlikely. I think it is much more likely that they did store the credit cards, perhaps with non-persistent storage, such as local RAM on the circuitboard, and the thieves drove by to collect them,” Wright said.
Wright made an interesting observation after watching video of police showing the captured devices.
“Looking at the low-resolution video pictures of the skimming device, I believe the [device included] a right-angle SMA external antenna connector, intended to extend the range of the Bluetooth device,” he said. But Wright then estimated the boosted range as barely 50 feet, which is exactly what Arnold had estimated.
These scenarios suggest a few things that retailers can do to try and protect their data, including longer retention of parking lot surveillance, making sure cameras are positioned to capture license plates as well as drivers, and watching out for parked cars with blankets covering items in the backseat. Then again, the laptops could be hidden in trunks or in backpacks worn by the thieves. They might even be hidden in bushes near the collectors.
The only advantage that retailers have is the extremely short transmission distance of Bluetooth today. Maybe IT and LP should paraphrase the oft-quoted advice: Keep your friends close and your cyberthieves closer.
-Marc
March 4th, 2010 at 11:44 am
Accoding to the story, the thieves need to be very close to the pump to read the data, but I believe that with a throw-away wireless phone collecting and relaying the data, basically just a little more technology, they could collect the card numbers and pins from anywhere in the world.
This sounds like too much effort, expense and project management skills for a common criminal, this is likely a small group, probably with someone inside one of the companies that make, deliver or service the pumps.
What is scarey is that this technology can translate to other card readers and if the perpetrators add local storage, the problem is even harder to uncover as they could drive up once a week purchase gas and download the data. If they managed to get access to other POS terminals this could be a bigger problem, just walk through with a smart phone and collect the data…
The publicly known better surveillance will likely keep this technology from ATM’s and cash drawer termnals, but who knows with criminals?
The technological answer is to put a specrum analyser at the locations to monitor all wireless signals to see if there is a device translating the data an pushing it to another network.
If I had a C-store, I would have my pumps checked out by a third party to protect my customers, this could be a much bigger problem if it came from the pump distribution chain.
March 4th, 2010 at 1:14 pm
The story also pointed out that a cell connection is dangerous because it can point to the thieves, while Bluetooth, in theory, wouldn’t.
March 4th, 2010 at 1:32 pm
My question is, how did the thieves manage to implement the system in the first place? That sounds like quite an elaborate install. Did these locations run outdoor cameras at night?
I would also agree that if this elaborate of a setup was created, I find it highly unlikely there would not be some type of localized storage on the device. It seems foolish for there not to be one.
It seems interesting that the police investigating this have not used an opportunity to go “fishing for the theives” by taking out one of these devices and setting up one that is still transmitting, just bogus data. I’m not a bluetooth expert, but there is a pairing process that happens, I would think that they could at least see if the device was paired (and when) and glean some information that way.