Bluetooth-Enabled Credit Card Skimming on the Rise

February 21, 2015 - InfraGard

Criminal hackers are increasingly using Bluetooth-enabled technology in card skimming operations. Bluetooth-enabled skimming devices allow thieves to wirelessly retrieve captured credit card data, negating the need for repeated physical access to retrieve data. Criminal hackers are most vulnerable to discovery during the installation and retrieval of the skimming device, which takes approximately 5-10 minutes. These devices are nearly impossible to detect once installed and are available for purchase online.

Bluetooth is a low-power, short-range wireless connection technology. In its most common implementation, such as in mobile devices, it has a range of 30 feet, which can be extended to 300 feet depending on the Bluetooth device class.

In late January 2014, criminal hackers were charged with stealing banking information from gas station customers by using Bluetooth-enabled skimmers concealed within gas pumps at many locations throughout the US.

The Bluetooth-enabled skimmers allowed the criminals to retrieve the harvested data wirelessly by simply pulling up to the pump and downloading the data onto a laptop. The criminals then encoded the stolen data onto forged cards, and between March 2012 and March 2013, used the forged cards to withdraw $2.1 million from automated teller machines (ATMs).

In October 2012, security research firm Trustwave SpiderLabs analyzed a Bluetooth-enabled device found on several point-of-sale devices at an unidentified major US retailer. The firm found that, unlike most other skimming devices, this device was capable of encrypting data, both while stored on the device and during transmission, making it difficult to quantify damages and identify victims.