BlueTooth is said to be at the heart of a gas station credit-card scam in the Southeast
Thieves are stealing credit-card numbers through skimmers they secretly installed inside pumps at gas stations throughout the Southeast, using Bluetooth wireless to transmit stolen card numbers, according to law enforcement officials.
“We’ve sent detectives out to every gas station within a mile of Interstate 75,” says Lt. Steve Maynard, spokesman for the Alachua County Sheriff’s Office
I suspect the “mile of Interstate” alludes to how the attackers are collecting the data.
It could be a dead-drop architecture instead, however. An attacker would come to a station and pickup all the numbers stored in the skimmer.
One of the biggest problems with payment card readers is how different they are from the surface of the device they are installed into. If the device had a flush/smooth surface it would be far easier to detect a skimmer or other device placed over the reader.
This attack shows how even a smooth and secure surface appearance may be bypassed. The attackers are said to have keys to get to the inside of the pump.
Maynard says criminals wanting to hide the credit-card skimmers in gas pumps must have a key to the pump, but in some cases, a single key will serve to get into many gas pumps. It’s not known whether the gas-pump skimming operation involves insiders. Law enforcement is encouraging gas-station operators to train video surveillance they may use on the pumps.
The need for monitoring capabilities is much higher when keys are non-unique. The device should notify the owner the date/time it has been opened. Surveillance of an area accepting payment is also a step to consider. These two combined would significantly assist an investigation.
Another good idea would be to start to require wireless monitoring around payment systems. This could be tricky at a pump station, since so many other BlueTooth devices could be present. My guess is a signal would still appear as too consistent to be payment related; it would be detected through off-peak or closed hours.
Wireless monitoring is not far-fetched. It is already required for anyone who needs to be PCI compliant. ATMs are increasingly wireless devices, so the technology is already being installed. They simply need to have detection capabilities added, and monitoring of course.