Bluesnarfing: newest card fraud at gas pumps, ATMs
With skimmers, Bluetooth technology, crooks intercept payment data
Expert on fraud, travel and debt.
You likely have heard of skimmers that steal your card data at gas pumps, ATMs and payment terminals. Now, your card data can be stolen via Bluetooth technology by a fraudster sitting in a nearby vehicle.
The new fraud trend is called bluesnarfing, or blue skimming, and gasoline stations from Texas to Pennsylvania to North Carolina have reported being hit in recent weeks.
“Card theft is like water or energy. It changes form,” says Gray Taylor, executive director at Connexus, which provides technology advice to NACS – the Association for Convenience and Fuel Retailing, and others in the industry.
How bluesnarfing works: Fraudsters insert a skimming device on the outside or inside of a gasoline pump, ATM or payment terminal and then use Bluetooth technology to intercept your credit or debit card information during the payment transaction.
How bluesnarfing differs from traditional skimming: Instead of placing a skimmer at a gas pump and later retrieving that device with the stolen card data, crooks using Bluetooth can sit 100 yards away and the credit card information is transmitted to their laptop.
How to cut bluesnarfing risk
- Don’t use Bluetooth. Also, reject any connection requests from unknown devices, and keep your phone software up to date.
- Use credit, not debit. Credit cards offer greater protection – usually, zero liability – in cases of fraud. With debit, your liability is greater, and the fraudster has access to your bank account.
- Check for skimmers. Jiggle the card insert slot at a gas station or ATM to make sure it is secure and doesn’t seem as though it has been tampered with. When fueling up, look for a sticker near the card reader. If the seal is broken, use another pump. In general, if anything seems or feels odd, use a different fuel pump or ATM.
- Pay inside. It’s harder for a crook to place a skimmer inside a store than it is to do it at a gas pump. People coming and going and security cameras on the registers make it difficult to install an in-store skimmer.
- Check bank statements, sign up for fraud alerts.
“Thieves are always going to be innovative,” Taylor says.
Innovative indeed. Skimmers can be put on the outside or inside of a gas pump or ATM, and a little jiggling might alert you to the device. In May, our “The new card skimming is called ‘shimming” story detailed how a skimmer – in this case a shimmer – can be placed inside the card slot itself to intercept data off your credit or debit card’s EMV chip.
Now add bluesnarfing to the fraud mix.
Bluesnarfing “a low-touch crime”
“One smart guy can make it [a new skimmer] out of very basic parts,” which can be bought at a local electronics store, says police Lt. Craig Joel in Chattanooga, Tennessee. Skimmers also can be purchased on the dark web.
Because the new skimmers are hidden inside a gas pump, rather than affixed to the outside of the pump, gas station employees don’t know customers’ information is being swiped, says Joel. In February, Joel’s department arrested two Florida men who were part of a multistate blue skimming ring. These rings are “well-funded and well-heeled,” he says.
The pair was caught by chance, when a police officer saw them “elbow-deep inside a gas pump,” Joel says. The two tried to flee but were stopped by police. There was a laptop in their vehicle, and the investigation found the pair was part of a ring operating throughout the Southeast.
“Catching these guys is akin to being struck by an asteroid,” Joel says.
It has always been difficult to catch fraudsters with skimmers. And it’s getting harder with skimmers placed deeper in the payment terminal and now card data stolen via Bluetooth.
Originally, crooks used skimmers at bustling gas stations, such as those near interstates, to “make sure they were getting the maximum number of cards,” Taylor says. An average fuel pump has less than 100 credit card or debit transactions per day, but busy stations can have 400 transactions each day at one pump.
After they began being hit by skimmers, management at busy service stations began changing the locks at their gas pumps or affixing security tape that a bad guy would have to break to access the inside of the pump.
That prompted crooks to turn their attention to stations that aren’t as busy and where security might be laxer. In the Chattanooga bluesnarfing case, skimmers were found at three stations that were “off the beaten path,” Joel says.
Crooks who steal your credit card or debit card information will sell it on the dark web, or use the stolen information to make counterfeit credit cards, Taylor says.
“It’s a low-touch crime,” Taylor says.
New ATMs are designed to be skimmer-proof
Skimmer fraud at ATMs continues to increase. Bluesnarfing is just the latest tool fraudsters are using to steal customers’ debit card or credit card information.
The number of payment cards compromised at U.S. ATMs and merchants monitored by FICO rose 70 percent in 2016. The number of hacked card readers at U.S. ATMs, restaurants and merchants rose 30 percent in 2016. The number of compromises recorded in 2016 set a new high for the FICO Card Alert Service, which reported a 546 percent increase in compromised ATMs from 2014 to 2015.
To deal with the increase in skimmers at ATMs, “financial institutions have become more secure by putting in anti-skimming devices,” says Ashley McAlpine, a fraud prevention manager at CO-OP Financial Services, which provides network and payment services to credit unions.
GTE Financial Credit Union, based in Tampa, Florida, is taking the fight even further by installing what it calls “skimmer-proof ATMs.”
The credit union had been planning to replace all of its 61 ATMs when it was hit with several skimming incidents in recent months, says Chad Burney, chief information and operating officer.
With the new ATMs, which the credit union began installing in June, debit cards are inserted horizontally rather than vertically. Switching the way cards are inserted makes them unable to be read by skimmers now being used by bad guys, Burney says. The new ATMs also are on the lookout for skimmers. When an ATM senses someone is trying to insert a skimmer, it flashes red and shuts down.
The new ATMs cost about $35,000 each – about $3,000 more than a traditional ATM, he says.
With Bluetooth, your identity can be stolen.
If bluesnarfing isn’t scary enough, even if you’re not using an ATM or paying at the pump, the Bluetooth on your mobile device makes you vulnerable to identity thieves.
How Bluetooth can be used to snatch personal info: Most often, Bluetooth is used to share files, says Joe Gervais, security director at LifeLock, an identity theft protection company. If you have Bluetooth turned on, anyone can find your device and try to connect to it, he says.
“It really takes very little for someone to steal your identity,” Gervais says.
Gervais, who recently ran a test while on a commercial flight, was able to tap into a fellow passenger’s computer and access the person’s name, address, phone number, signature and social media accounts.
If you keep a copy of your tax return on your computer, the crook could access your Social Security number, date of birth, signature and income. “With that, I’m off to the races. Everything else is so easy to find,” Gervais says.
“Constantly running Bluetooth is an open invitation to your device,” says Jeannie Warner, a security strategist with WhiteHat Security.
“Don’t have Bluetooth on if you don’t need it,” Warner says. If you need it to transfer a file, she advises that you turn your Bluetooth on long enough to make the transfer, then turn it off again.
Warner says in bluesnarfing skimming cases and Bluetooth identity theft cases, crooks are “looking for crimes of easy opportunity.”
“The only way to be 100 percent safe is to turn it off,” Gervais says.
- Credit freezes are now free – but do you need one? – Credit freezes, which keep lenders and other companies from viewing your credit, are now free. We compared them to other credit protection tools, including locks and monitoring services. Here's how to use them all to protect yourself ...
- Employer credit checks: Who does them, how they work and what laws apply – If you're applying for a new job, a credit check could determine your fate, depending on the position and where it's based. Here's how they work and what to expect ...
- My card issuer of 25 years suddenly wants to know more about me – Under the Patriot Act, banks are required to verify the identities of their customers and maintain accurate information on them. But my bank's demand to know how I earn my income is an invasion of my privacy ...