Cyberthieves Using Bluetooth To Steal Gas Station Credit Card Data

When cyberthieves plant skimming devices inside POS PIN pads, they typically face one of two headaches. First, they have to return to the scene of the crime to retrieve the device and its stolen data, which is dangerous. If instead they have the device wirelessly phone the data home to an accomplice, they avoid that return trip. But if that transmission is detected and examined, it could lead law enforcement right to the culprits—a.k.a., problem number two.

But one group of cyberthieves in Utah—as yet uncaught—has hit about 200 gas stations in that state with a toothy tweak: Bluetooth-y, to be precise. By arming their skimmers with a Bluetooth transmitter, the stolen card data was beamed out indiscriminately to anyone nearby—make that very nearby—who happened to be listening for it. When such a device is found by law enforcement, it reveals nothing to point to the thieves' location—past or present—and nothing to even indicate how long it's been there. The devices in the Utah case had no local storage whatsoever, police said; they simply grabbed the data and instantly beamed it away.

Each device had its own PIN pad wired to its motherboard, one that fit precisely behind the real PIN pad. When a customer pressed the 6 key, the pressure also registered on the 6 key of the skimmer's pad, which immediately sent the keystroke out over Bluetooth to whoever was listening, said Sgt. Troy Arnold of Utah's Sandy Police Department.

Depending on how high-powered the Bluetooth device is, transmission distance ranges from a few dozen feet to a maximum of perhaps a city block. But the confiscated devices were "very low powered," Arnold said, adding that the receiving end of the transmission "couldn't have been more than 50 feet" away.

That fact leaves police with a few theories. Because the devices couldn't retain any data, a drive-by approach—where a car drives by, stops at a traffic light and downloads all the accumulated data—wouldn't work. That means that some type of receiving device—most likely a laptop—had to have been hidden nearby.

Arnold's best guess is that the Utah thieves used a crew driving different cars, each with a laptop in the back seat, probably covered by a blanket or coat. One crew member would pull up to the gas station and park, probably while shopping in the adjacent convenience store. That thief would hang around for as long as he or she could without drawing too much attention. The length of each stay would likely be capped by the laptop's battery life.

At the end of a shift, a new thief would drive up, relieving the first. Even if the device was unmonitored for several hours, the crew would simply lose the data stolen during that time, a small price to pay for relative safety.

Such a plan is hardly without risks, though. Video surveillance of the parking lot—as well as the observations of employees—could identify the suspects and the cars they use. The smart approach for the thieves would be to capture the card data and then play a waiting game: the longer they wait to use the data, the better the chance that security footage has been overwritten or otherwise deleted.

But there's pressure on the other end. Stolen credit and debit card data—including ATM card data—has a notoriously short shelf-life. Cards expire and are reissued, and issuers cancel them as soon as fraud is detected, so a cyberthief needs to use the stolen card as quickly as possible.

And as soon as the first stolen card is used, it's critical for the thieves to use as many of the other cards as possible, as quickly as possible. Depending on the situation, it may be only a matter of hours after the first bulk use before many of the cards are deactivated; that will happen as soon as the issuers' fraud software identifies the common point of purchase, the one merchant that all of the reported cards have in common.
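The common-point-of-purchase (CPP) check the previous paragraph refers to is simple enough to show in code. The following is an added example written for this page, not the article's or any issuer's software, and it runs over a small constructed transaction history: a handful of cards, four merchants (STATION_A is the compromised pump, c09 is an unrelated fraud report, and c06's visit to STATION_A predates the window). The card and merchant identifiers and dates are made up.

```python
"""Common-point-of-purchase analysis: which merchant do the fraud-reported
cards have in common? Added example over constructed data."""
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample history: (card_id, merchant_id, transaction_date).
TRANSACTIONS = [
    ("c01", "STATION_A", date(2010, 6, 2)),  ("c01", "GROCERY_B", date(2010, 6, 3)),
    ("c02", "STATION_A", date(2010, 6, 5)),  ("c02", "COFFEE_C",  date(2010, 6, 6)),
    ("c03", "STATION_A", date(2010, 6, 9)),  ("c03", "GROCERY_B", date(2010, 6, 10)),
    ("c04", "STATION_A", date(2010, 6, 12)), ("c04", "GROCERY_B", date(2010, 6, 13)),
    ("c04", "COFFEE_C",  date(2010, 6, 14)),
    ("c05", "STATION_A", date(2010, 6, 20)),
    ("c06", "STATION_A", date(2010, 4, 15)), ("c06", "GROCERY_B", date(2010, 6, 21)),
    ("c06", "COFFEE_C",  date(2010, 6, 22)),
    ("c07", "GROCERY_B", date(2010, 6, 23)), ("c07", "STATION_D", date(2010, 6, 24)),
    ("c07", "COFFEE_C",  date(2010, 6, 25)),
    ("c08", "GROCERY_B", date(2010, 6, 26)), ("c08", "STATION_D", date(2010, 6, 27)),
    ("c09", "COFFEE_C",  date(2010, 6, 28)), ("c09", "STATION_D", date(2010, 6, 29)),
    ("c10", "GROCERY_B", date(2010, 6, 30)),
]

# Cards whose holders have reported unauthorised charges (constructed).
FRAUD_REPORTS = {"c01", "c02", "c03", "c05", "c09"}


def cpp_scores(transactions, fraud_cards, window_days=30, as_of=None,
               min_fraud_cards=2):
    """Rank merchants by the share of their recent cardholders who reported fraud.

    The merchant with a share far above the population's base rate is the likely
    skimming site. min_fraud_cards stops a single coincidental report from
    nominating a merchant; the window keeps stale visits from diluting the score.
    """
    as_of = as_of or max(when for _, _, when in transactions)
    cutoff = as_of - timedelta(days=window_days)

    cards_at = defaultdict(set)          # merchant -> distinct cards seen there
    for card, merchant, when in transactions:
        if cutoff <= when <= as_of:
            cards_at[merchant].add(card)

    population = set().union(*cards_at.values()) if cards_at else set()
    base_rate = len(population & fraud_cards) / len(population) if population else 0.0

    ranked = []
    for merchant, cards in cards_at.items():
        hits = cards & fraud_cards
        if len(hits) < min_fraud_cards:
            continue
        share = len(hits) / len(cards)
        ranked.append({
            "merchant": merchant,
            "fraud_cards": len(hits),
            "total_cards": len(cards),
            "fraud_share": round(share, 3),
            "lift": round(share / base_rate, 2) if base_rate else None,
            # Cards used at this merchant but not (yet) reported: the ones an
            # issuer would proactively block and reissue once the CPP is confirmed.
            "clean_cards_to_watch": sorted(cards - fraud_cards),
        })
    ranked.sort(key=lambda r: (r["fraud_share"], r["fraud_cards"]), reverse=True)
    return ranked


if __name__ == "__main__":
    for row in cpp_scores(TRANSACTIONS, FRAUD_REPORTS):
        print(row)
```

On this data the ranking puts STATION_A first with four of its five recent cards reported, a lift of 1.6 over the base rate, and c04 flagged as an unreported card to block before the thieves get to it. That last list is why "many of the cards are deactivated" within hours: the issuer does not wait for each card to be abused.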

One wireless security expert, Joshua Wright, a senior instructor at the SANS Institute, questioned Arnold's conclusion that the device had no local storage.

"I find that scenario very unlikely. I think it is much more likely that they did store the credit cards, perhaps with non-persistent storage, such as local RAM on the circuitboard, and the thieves drove by to collect them," Wright said.

Wright made an interesting observation after watching video of police showing the captured devices.

"Looking at the low-resolution video pictures of the skimming device, I believe the [device included] a right-angle SMA external antenna connector, intended to extend the range of the Bluetooth device," he said. But Wright then estimated the boosted range as barely 50 feet, which is exactly what Arnold had estimated.
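To see how the range figures quoted above (a few dozen feet for a low-power module, a city block for a high-power one, roughly 50 feet for the confiscated devices, more with an external antenna) follow from transmit power, receiver sensitivity, antenna gain and environment, here is an added link-budget calculator. It is example code written for this page, not from the article, the Sandy Police Department or SANS. The power classes are the Bluetooth Classic maximums and the 1 m path loss is the Friis formula; the -70 dBm receiver figure is the minimum sensitivity the Basic Rate specification requires, while the -90 dBm "good laptop radio", the +5 dBi whip and the path-loss exponents are assumptions, not measurements of the Utah devices.

```python
"""Bluetooth range from a link budget under a log-distance path-loss model.
Added example; parameter values other than the spec figures are assumptions."""
import math

# Bluetooth Classic maximum output power per power class (Bluetooth Core Specification).
TX_POWER_DBM = {"class1": 20.0, "class2": 4.0, "class3": 0.0}
FREQ_HZ = 2.44e9                    # middle of the 2.4 GHz band Bluetooth hops across
SPEED_OF_LIGHT = 299_792_458.0


def fspl_db(distance_m, freq_hz=FREQ_HZ):
    """Free-space path loss in dB (Friis): 20*log10(4*pi*d*f/c)."""
    return 20.0 * math.log10(4.0 * math.pi * distance_m * freq_hz / SPEED_OF_LIGHT)


def max_range_m(tx_dbm, rx_sens_dbm, tx_gain_dbi=0.0, rx_gain_dbi=0.0,
                path_loss_exp=2.0, fade_margin_db=0.0):
    """Largest distance at which received power still meets the receiver's sensitivity.

    Log-distance model: PL(d) = FSPL(1 m) + 10*n*log10(d). n = 2 is free space
    (an upper bound); n around 3 approximates a forecourt cluttered with cars,
    pumps and people between the skimmer and the receiver (assumed value).
    """
    budget_db = tx_dbm + tx_gain_dbi + rx_gain_dbi - rx_sens_dbm - fade_margin_db
    excess_db = budget_db - fspl_db(1.0)
    if excess_db <= 0:
        return 0.0                  # the link does not even close at one metre
    return 10.0 ** (excess_db / (10.0 * path_loss_exp))


def m_to_ft(metres):
    return metres * 3.28084


def range_table(rx_sens_dbm=-70.0, path_loss_exp=2.0, rx_gain_dbi=0.0):
    """Range in metres for each power class under the given receiver and environment."""
    return {cls: max_range_m(p, rx_sens_dbm, rx_gain_dbi=rx_gain_dbi,
                             path_loss_exp=path_loss_exp)
            for cls, p in TX_POWER_DBM.items()}


if __name__ == "__main__":
    # -70 dBm is the minimum sensitivity the Bluetooth BR spec requires of a receiver.
    for n, label in ((2.0, "free space"), (3.0, "cluttered lot")):
        print(f"--- {label} (n={n}) ---")
        for cls, d in range_table(-70.0, n).items():
            print(f"{cls}: {d:6.1f} m  ({m_to_ft(d):4.0f} ft)")
    # A stock Class 2 module versus one with a +5 dBi external whip (assumed gain,
    # the kind of antenna an SMA connector invites), heard by a spec-minimum
    # receiver and by an assumed -90 dBm laptop radio, in a cluttered lot.
    for sens in (-70.0, -90.0):
        stock = max_range_m(4.0, sens, path_loss_exp=3.0)
        whip = max_range_m(4.0, sens, tx_gain_dbi=5.0, path_loss_exp=3.0)
        print(f"rx {sens:.0f} dBm: stock {m_to_ft(stock):.0f} ft, "
              f"+5 dBi whip {m_to_ft(whip):.0f} ft")
```

Under these assumptions a Class 2 module heard by a spec-minimum receiver in a cluttered lot closes the link at about 13 m (44 ft), which is in the neighbourhood of the 50 feet both Arnold and Wright arrived at; in free space the same module reaches about 49 m and a Class 1 module about 310 m, the "city block." The caveat for defenders is that the range is set by the weaker side of the link, and the attacker controls the receiver: a more sensitive radio or a directional antenna in the car extends the reach well beyond what the skimmer's own power class suggests, so spec-sheet ranges are a floor for how far away to look, not a ceiling.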

These scenarios suggest a few things that retailers can do to try to protect their customers' card data: keep parking lot surveillance footage longer, make sure cameras are positioned to capture license plates as well as drivers, and watch for parked cars with blankets covering items in the back seat. Then again, the laptops could be hidden in trunks or in backpacks worn by the thieves. They might even be hidden in bushes within Bluetooth range of the pumps.

The only advantage retailers have is the extremely short transmission distance of today's Bluetooth. Maybe IT and loss prevention (LP) should paraphrase the oft-quoted advice: keep your friends close and your cyberthieves closer.