The Evolution of Cybercrime – Bluetooth Credit Card Skimmers

While you might not think of cyber criminals as business professionals; they face the same economic pressures as legitimate organizations.  As an example, consider the product lifecycle and how manufactured goods go through a sequence of stages from introduction, growth, maturity, and decline.  Case in point: credit card skimmers.  Traditional credit card skimmers required the criminal to return to the scene of the crime to retrieve stolen credit card data.  To overcome this shortcoming, cyber criminals have undertaken several product innovations.  One innovation is the addition of wireless connectivity.  Providing wireless connectivity allows the crook to remove credit card data and pin numbers without having to physically remove the device.

There are several options available for wireless connectivity

  • WiFi – While it’s a potential option, there’s a large number of tools available to detect rogue wireless devices.
  • Cellular – Offers the ability to move data easily yet requires an ongoing contract and can potentially be tracked by law enforcement.
  • Bluetooth – Cheap, can be purchased as a standalone card and most importantly, can be difficult to locate and detect.

Just as Bluetooth skimmers have become more popular, they are also much more difficult for the average consumer to detect.   These devices can be hidden inside of gas pumps, point of sale terminals, and other pen entry devices (PEDs).  Common techniques include placing the skimmer inside of the gas pump electronics bay or removing PEDs from retail locations and replacing them with tainted versions modified to specifically skim payment card numbers and PIN information.  Notice the gas pump shown below and how there is no external sign of tampering.

Credit Card Skimmer

Bluetooth Credit Card Skimmer Placement

Inside the gas pump’s electronics bay, the criminal places the Bluetooth skimmer inline with the card reader so it is system powered and may reside there for months without detection.  The hacker must only drive by the location once a week or so and inquire the Bluetooth device to retrieve the stolen credit card data.

Card Reader

What can be done to prevent and detect these types of crimes?  Some gas stations have started placing seals on gas pump card readers to detect tampering.  Credit card companies have urged retailers to scan for Bluetooth devices.  While its possible to scan for Bluetooth addresses, the BD_ADDR, a combination of 12 alphanumeric characters, is going to be very hard to identify if the device is in non-discoverable mode.  This means these devices are not easily detactable and that consumers must practice care any time they are using card readers.  Consumers should consider using credit cards instead of debit cards when possible.  Credit cards offer a much greater level of protection should the credit card data be skimmed or exposed.

This entry was posted in Ethical Hacking, Hacking and tagged , , , , , . Bookmark the permalink.

Comments are closed.