Fraud investigators say they’ve uncovered a sophisticated new breed of credit card skimmers being installed at gas pumps that is capable of relaying stolen card data via mobile text message, thereby enabling fraudsters to collect it from anywhere in the world. One interesting component of this criminal innovation is a small cellphone and Bluetooth-enabled device hidden inside the contactless payment terminal of the pump, which appears to act as a Bluetooth hub that wirelessly gathers card data from multiple compromised pumps at a given filling station.
A memo sent by the U.S. Secret Service last week to its various field offices said the agency recently was alerted to the discovery of a fraud device made to fit underneath the plastic cap for the contactless payment terminal attached to the exterior of a fuel pump. Here’s a look at the back side of that unwelcome parasite:
As we can see from the above image, it includes GSM mobile phone components, allowing it to send stolen card data wirelessly via text message. In contrast, most modern pump skimmers transmit stolen card data to the thieves via Bluetooth. The white rectangular module on the right is the mobile phone component; the much smaller, square module below and to the left is thought to be built to handle Bluetooth communications.
Bluetooth requires the fraudsters who placed the devices to return to the scene of the crime periodically and download the stolen data with a mobile device or laptop. Using SMS-based skimmers, the fraudsters never need to take that risk and can receive the stolen card data in real-time from anywhere there is mobile phone service.
Gas stations are beginning to implement contactless payments at the pump to go along with traditional magnetic stripe and chip card-based payments. These contactless payments use a technology called “near field communication,” or NFC, which exchanges wireless signals when an NFC-enabled card or mobile device is held closely to a point-of-sale device.
Because this tiny round device was found hidden inside of an NFC card reader on the outside of a gas pump, investigators said they initially thought it might have been designed to somehow siphon or interfere with data being transmitted by contactless payment cards. But this theory was quickly discarded, as contactless cards include security features which render data that might be intercepted largely useless for future transactions (or at least hardly worth the up-front investment, craftsmanship and risk it takes to deploy such skimming devices).
Mark Carl is chief executive officer at ControlScan, a company in Alpharetta, Ga. that helps merchants secure their payment card technology. Carl’s company is the one that found the skimmer and alerted local authorities, which in turn alerted the Secret Service.
Carl said his team is still trying to reverse engineer the device found inside the NFC reader at the pump, but that so far it appears its purpose is to act as a Bluetooth communications hub for other skimming devices found at the scene. Turns out, investigators also discovered traditional Bluetooth-based skimming devices attached to the power and networking cables inside various pumps at the compromised filling station.
“Based on the chipsets, and that there were other traditional skimmers in other pumps at the site, we believe this device [the round gizmo found inside the NFC reader] is likely the hub for a Bluetooth local area network,” Carl told KrebsOnSecurity. “So an attacker can install multiple skimmers in different pumps, feed all of that data to this device with Bluetooth, and then relay it all via the cellular connection.”
Many readers have asked if they should be scanning fuel pumps with their smart phones using the built-in Bluetooth component or Android mobile app like Skimmer Scanner. If this seems like fun, then by all means go right ahead, but I wouldn’t count on these methods failing to detect a Bluetooth skimmer at the pump as proof that the pump is skimmer-free.
For one thing, the skimmer detection app detects only one type of Bluetooth module used in these schemes (HC-05), and there are least three other types commonly found embedded in compromised pumps (HC-06, HC-08 and FCD_1608). And trying to do this with your mobile phone alone is not likely to yield any more conclusive results.
Better advice is to patronize filling stations that have upgraded their pumps in the past few years to add more digital and physical security features. As I wrote in last summer’s “How to Avoid Card Skimmers at the Pump,” newer and more secure pumps typically feature a horizontal card acceptance slot along with a raised metallic keypad — much like a traditional payphone keypad.
One other tip from that story: Some pump skimming devices are capable of stealing debit card PINs as well, so it’s a good idea to avoid paying with a debit card at the pump. Armed with your PIN and debit card data, thieves can clone the card and pull money out of your account at an ATM. Having your checking account emptied of cash while your bank sorts out the situation can be a huge hassle and create secondary problems (bounced checks, for instance).
This advice often runs counter to the messaging pushed by fuel station owners themselves, many of whom offer lower prices for cash or debit card transactions. That’s because credit card transactions typically are more expensive to process.