First Bluetooth card skimming arrest case in US

News by Steve Gold

"It's so lucrative that you arrest a couple of people - then there are a couple of people right behind them that do the same thing."

More than a year after the first Bluetooth-enabled card skimmers started causing problems for petrol stations – and drivers - on the West Coast of America, the first arrest of a gang alleged to have been involved in the growing practice of Bluetooth-enabled petrol pump skimming has taken place.

According to leading security researcher Brian Krebs, New York officials yesterday announced the arrest and indictment of 13 men accused of running "a multi-million dollar fraud ring that allegedly installed Bluetooth-enabled wireless gas pump skimmers at filling stations throughout the southern US."

Krebs says that the 13-strong gang reportedly generated more than $2.1m (£1.25 million) from their activities. 

The accused then allegedly used the credentials and PINs to create counterfeit payment cards, which were then used to draw cash from ATMs and fed into legitimate bank accounts.

The first Bluetooth-enabled card skimmers started appearing in US petrol stations, where unmanned card-operated pumps are now the norm, in the fourth quarter of 2012.

In a report on a spate of incidents at the time, KRCA News revealed that criminals were using standard pump keys to install the skimmers, which interfaced with the pump's power supply, and harvested the card credentials - including PIN codes – before relaying them to cyber criminals using a laptop up to 100 yards away.

In the KRCA news report, Detective Eric Pahlberg of the Sacramento High-Tech Crimes Force said:

"These guys will install the skimmer in a pump stay on for a few days and take it off. You would never know it was there.

"Its so lucrative that you arrest a couple of people then there are a couple of people right behind them that do the same thing.”

Krebs says that the attacks seem to take place at weekends and in the early hours of the morning, presumably to minimise the chance of detection.

Although the Bluetooth-enabled card skimming petrol pump problem is confined to the US, the criminal modus operandi could be used in the UK.

Since UK-issued cards must still feature the legacy three-track magnetic stripe technology which is commonplace on North American cards, this means that a cloned card - without a smart card chipset - can easily be counterfeited and then used by criminals in stores and automated vending machines, including certain 24-hour petrol forecourts.

Commenting on the emerging US court case, Professor John Walker, a Visiting Professor with the Nottingham-Trent University Faculty of Engineering, said that the fundamentals of this scam is the promiscuous nature of 'air-based' trusted communications.

Professor Walker - who is also CTO of IT security consultancy Integral Security Xssurance - says that the issue of promiscuous protocols is not just limited to Bluetooth, but almost all air-bound and close-proximity 'trusted' protocols upon which we all rely.

"Of course this is also about the ingenuity of the criminal mind, looking for those gaps which have entered into the security planning stage, which may allow the injection of their malicious attack, circumvention of, say card-based security, which in turn delivers a profitable outcome to the miscreant acts," he said, adding that promiscuous protocols also offer that special opportunity which allows the external attacker to intercept and view the operability, and the associated interlaced interfaces.

This, he told, is unlike the wired environments which are protected by perimeter devices and applications.

Citing an example of an audit on global security company in Central London, Walker says that, when the firm's security manager was invited to identify the localised 802.x footprints, the manager listed a rogue Access Point that the Professor had installed earlier.

"After a very quick audit, I discovered the network was completely infiltrated with malicious programmes, back door access, and a whole host of trojanised applications, tools, and malware, running from TCP/IP and UDP Port 1, right up to the very top of the scale," he said.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews