Computer scientists have crafted a new weapon in the war against credit card and debit card skimmers at gas pumps. Unfortunately, cybercrooks keep dreaming up ways to dodge even the latest anti-skimming technology. Read on to learn more about the Bluetana app.
Unfortunately, cybercrooks keep dreaming up ways to dodge even the latest anti-skimming technology.
The computer scientists’ invention, a smartphone app called Bluetana, detects the Bluetooth “signature” of skimmers at gas stations without needing to open a gas pump to physically hunt for these devices.
Criminals attach skimmers to gas pumps to steal customers’ information from the magnetic stripes on credit and debit cards; they capitalize on this data to buy goods online or produce new cards, or they sell the data to other crooks.
Bluetooth connectivity lets a crook quickly and covertly download stolen data while he’s sitting in a car situated near a skimmer-equipped gas pump.
Pump inspectors using Bluetana to root out skimmers
Nishant Bhaskar, a doctoral student in computer science at UCSD who helped design Bluetana, says that as of mid-October 2019, government-employed pump inspectors using the Android app at gas stations in Arizona and California had uncovered 50 Bluetooth-enabled skimmers.
Before government agencies in those two states rolled Bluetana into their anti-skimming programs, Bhaskar and fellow researchers who were furnished with Bluetana uncovered 64 Bluetooth-based skimmers at 1,185 gas stations in Arizona, California, Maryland and Nevada; this effort lasted 19 months.
According to a study co-authored by Bhaskar, one skimmer can capture data from 30 to 100 credit cards per day, and each card can generate $500 for a crook. A skimmer costs $20 or less.
Bhaskar and his fellow researchers say Bluetana works better than similar smartphone apps due to its accuracy. From October 2018 to June 2019 in Arizona, Bluetana falsely detected the presence of a skimmer just 6% of the time, according to Bhaskar. Other anti-skimming apps record higher error rates, the researchers say.
How does Bluetana work?
Bluetana, which the U.S. Secret Service helped create, depends on an algorithm to distinguish skimmers from legitimate Bluetooth devices. (The Secret Service regularly investigates gas pump skimming.)
Only gas pump inspectors who work for government agencies can use Bluetana; it’s not available to the public. Consumers can download apps like Skim Plus and Card Skimmer Locator to check for Bluetooth-aided skimmers at gas pumps and ATMs.
A crook needs to install skimmers at only a few gas stations to turn a hefty profit, Bhaskar says. And the field for skimming is fertile, with more than 100,000 gas stations operating in the U.S. and their gas pumps often unattended.
“This makes it a needle-in-a-haystack problem for inspection agencies,” Bhaskar says. “For example, even though Bluetana makes it easier to detect if there is a skimmer at a particular station, inspectors still need to go to every gas station.”
See related: Skim Reaper: The death of card skimmers?
Not all skimmers use Bluetooth
While he praises the Bluetana app as helpful in the fight against skimming, cybersecurity expert Steve Weisman, a senior lecturer at Bentley University in Waltham, Massachusetts, and founder of the Scamicide.com blog, says it’s not a cure-all. That’s because many skimmers aren’t armed with Bluetooth technology, he says.
Nonetheless, David Gafford, co-founder of Shift Processing, a credit card processing company, thinks Bluetooth detection is one of the best approaches to combating skimmers, which he says remains the most common tool for grabbing consumers’ data from point-of-sale terminals (including gas pumps) and ATMs.
It takes Bluetana an average of three seconds to locate a Bluetooth-equipped skimmer, the app’s developers say. During manual inspections, though, it can take an average of 30 minutes to ferret out a skimmer.
That speediness is hardly enough to thwart skimming, however.
“We have been focused on detecting Bluetooth-based skimmers,” Bhaskar says, “but criminals have started using other wireless technologies to retrieve data from skimmers. As a result, we always need to evolve our detection methods to keep up with the criminals.”
Criminals adapt as gas stations shift to EMV
Propelling that evolution is a looming change in how gas pumps accept card payments. U.S. gas stations face an October 2020 deadline imposed by Mastercard and Visa to switch to EMV chip-based payment systems.
“The migration to chip card readers in most retail stores has dramatically reduced the amount of credit card fraud, and it will do so on gas pumps when they are incorporated into the pump,” Weisman says. “More implementation of chip card readers would [help] eliminate the dangers posed by skimmers, as the one-time code created with the chip card at each transaction is worthless to a thief.”
But, Bhaskar says, criminals already are adapting their skimmer designs to exploit chip readers. “As such, we don’t believe skimming will completely come to an end,” he says.
Complicating matters is that it’s hard for cops to catch crooks who carry out skimming schemes. Even when authorities come across a skimmer, there’s little evidence to tie the device to a specific person, Bhaskar says.
“Skimmers are simple electronic systems that use commonplace design techniques and present little identifying information,” he says.
Furthermore, skimming thieves often enlist couriers to head to gas stations to download stolen data from pumps, thereby diminishing the primary crook’s connection to the crime, Bhaskar says.
On top of that, small, rather unsophisticated criminal groups frequently undertake skimming scams, meaning it can be hard to track down all of the culprits, says “ethical hacker” Jason Glassberg, co-founder and managing principal of cybersecurity company Casaba Security.
Despite tools like Bluetana, skimming remains hard to stop
Glassberg says two technology trends are making it even more difficult to stop skimming:
- Shimmers, which are hard-to-identify devices that pilfer data from EMV chip-equipped cards. EMV technology is designed to beef up payment security.
- Digital skimmers, which are the electronic version of physical skimmers.
In addition, Glassberg says, crooks are becoming more clever when it comes to using pinhole cameras at gas pumps and other point-of-sale terminals to swipe card numbers and PINs without relying on skimmers.
Also, malware that causes massive data breaches is “an ongoing problem for retailers,” he says, “and will continue to be for years to come.”