BACK

Robert Llewellyn/ Corbis/ Getty Images

Legal, Regulatory, and Privacy Issues

New app detects Bluetooth-enabled card skimmers at gas pumps

Bluetana is already helping pump inspectors root out the fraud-enabling devices, but skimming remains an ever-present threat

Summary

Computer scientists have crafted a new weapon in the war against credit card and debit card skimmers at gas pumps. Unfortunately, cybercrooks keep dreaming up ways to dodge even the latest anti-skimming technology. Read on to learn more about the Bluetana app.

The content on this page is accurate as of the posting date; however, some of our partner offers may have expired. Please review our list of best credit cards, or use our CardMatch™ tool to find cards matched to your needs.

Computer scientists at the University of California San Diego and the University of Illinois have crafted a new weapon in the war against credit card and debit card skimmers at gas pumps.

Unfortunately, cybercrooks keep dreaming up ways to dodge even the latest anti-skimming technology.

The computer scientists’ invention, a smartphone app called Bluetana, detects the Bluetooth “signature” of skimmers at gas stations without needing to open a gas pump to physically hunt for these devices.

Criminals attach skimmers to gas pumps to steal customers’ information from the magnetic stripes on credit and debit cards; they capitalize on this data to buy goods online or produce new cards, or they sell the data to other crooks.

Bluetooth connectivity lets a crook quickly and covertly download stolen data while he’s sitting in a car situated near a skimmer-equipped gas pump.

See related:  Scammers splice skimming with spoofing to steal your credit card information

Pump inspectors using Bluetana to root out skimmers

Nishant Bhaskar, a doctoral student in computer science at UCSD who helped design Bluetana, says that as of mid-October 2019, government-employed pump inspectors using the Android app at gas stations in Arizona and California had uncovered 50 Bluetooth-enabled skimmers.

Before government agencies in those two states rolled Bluetana into their anti-skimming programs, Bhaskar and fellow researchers who were furnished with Bluetana uncovered 64 Bluetooth-based skimmers at 1,185 gas stations in Arizona, California, Maryland and Nevada; this effort lasted 19 months.

According to a study co-authored by Bhaskar, one skimmer can capture data from 30 to 100 credit cards per day, and each card can generate $500 for a crook. A skimmer costs $20 or less.

Bhaskar and his fellow researchers say Bluetana works better than similar smartphone apps due to its accuracy. From October 2018 to June 2019 in Arizona, Bluetana falsely detected the presence of a skimmer just 6% of the time, according to Bhaskar. Other anti-skimming apps record higher error rates, the researchers say.

How does Bluetana work?

Bluetana, which the U.S. Secret Service helped create, depends on an algorithm to distinguish skimmers from legitimate Bluetooth devices. (The Secret Service regularly investigates gas pump skimming.)

Only gas pump inspectors who work for government agencies can use Bluetana; it’s not available to the public. Consumers can download apps like Skim Plus and Card Skimmer Locator to check for Bluetooth-aided skimmers at gas pumps and ATMs.

A crook needs to install skimmers at only a few gas stations to turn a hefty profit, Bhaskar says. And the field for skimming is fertile, with more than 100,000 gas stations operating in the U.S. and their gas pumps often unattended.

“This makes it a needle-in-a-haystack problem for inspection agencies,” Bhaskar says. “For example, even though Bluetana makes it easier to detect if there is a skimmer at a particular station, inspectors still need to go to every gas station.”

See related:  Skim Reaper: The death of card skimmers?

Not all skimmers use Bluetooth

While he praises the Bluetana app as helpful in the fight against skimming, cybersecurity expert Steve Weisman, a senior lecturer at Bentley University in Waltham, Massachusetts, and founder of the Scamicide.com blog, says it’s not a cure-all. That’s because many skimmers aren’t armed with Bluetooth technology, he says.

Nonetheless, David Gafford, co-founder of Shift Processing, a credit card processing company, thinks Bluetooth detection is one of the best approaches to combating skimmers, which he says remains the most common tool for grabbing consumers’ data from point-of-sale terminals (including gas pumps) and ATMs.

It takes Bluetana an average of three seconds to locate a Bluetooth-equipped skimmer, the app’s developers say. During manual inspections, though, it can take an average of 30 minutes to ferret out a skimmer.

That speediness is hardly enough to thwart skimming, however.

“We have been focused on detecting Bluetooth-based skimmers,” Bhaskar says, “but criminals have started using other wireless technologies to retrieve data from skimmers. As a result, we always need to evolve our detection methods to keep up with the criminals.”

Criminals adapt as gas stations shift to EMV

Propelling that evolution is a looming change in how gas pumps accept card payments. U.S. gas stations face an October 2020 deadline imposed by Mastercard and Visa to switch to EMV chip-based payment systems.

“The migration to chip card readers in most retail stores has dramatically reduced the amount of credit card fraud, and it will do so on gas pumps when they are incorporated into the pump,” Weisman says. “More implementation of chip card readers would [help] eliminate the dangers posed by skimmers, as the one-time code created with the chip card at each transaction is worthless to a thief.”

But, Bhaskar says, criminals already are adapting their skimmer designs to exploit chip readers. “As such, we don’t believe skimming will completely come to an end,” he says.

Complicating matters is that it’s hard for cops to catch crooks who carry out skimming schemes. Even when authorities come across a skimmer, there’s little evidence to tie the device to a specific person, Bhaskar says.

“Skimmers are simple electronic systems that use commonplace design techniques and present little identifying information,” he says.

Furthermore, skimming thieves often enlist couriers to head to gas stations to download stolen data from pumps, thereby diminishing the primary crook’s connection to the crime, Bhaskar says.

On top of that, small, rather unsophisticated criminal groups frequently undertake skimming scams, meaning it can be hard to track down all of the culprits, says “ethical hacker” Jason Glassberg, co-founder and managing principal of cybersecurity company Casaba Security.

See related:  Gift card scams: What to look out for, and how to protect yourself

Despite tools like Bluetana, skimming remains hard to stop

Glassberg says two technology trends are making it even more difficult to stop skimming:

  • Shimmers, which are hard-to-identify devices that pilfer data from EMV chip-equipped cards. EMV technology is designed to beef up payment security.
  • Digital skimmers, which are the electronic version of physical skimmers.

In addition, Glassberg says, crooks are becoming more clever when it comes to using pinhole cameras at gas pumps and other point-of-sale terminals to swipe card numbers and PINs without relying on skimmers.

Also, malware that causes massive data breaches is “an ongoing problem for retailers,” he says, “and will continue to be for years to come.”

Editorial Disclaimer

The editorial content on this page is based solely on the objective assessment of our writers and is not driven by advertising dollars. It has not been provided or commissioned by the credit card issuers. However, we may receive compensation when you click on links to products from our partners.

What’s up next?

In Legal, Regulatory, and Privacy Issues

Is it legal for a bank to place a hold on my card payment?

A reader wonders why her card was declined after she paid off her entire card balance online, from her checking account, and the card issuer had even received the payment.

See more stories
Credit Card Rate Report Updated: April 1st, 2020
Business
14.07%
Airline
15.85%
Cash Back
16.16%
Reward
16.06%
Student
15.87%

Questions or comments?

Contact us

Editorial corrections policies

Learn more

Join the Discussion

We encourage an active and insightful conversation among our users. Please help us keep our community civil and respectful. For your safety, do not disclose confidential or personal information such as bank account numbers or social security numbers. Anything you post may be disclosed, published, transmitted or reused.

The editorial content on CreditCards.com is not sponsored by any bank or credit card issuer. The journalists in the editorial department are separate from the company’s business operations. The comments posted below are not provided, reviewed or approved by any company mentioned in our editorial content. Additionally, any companies mentioned in the content do not assume responsibility to ensure that all posts and/or questions are answered.