Bluetana App allows detecting Bluetooth card skimmers in just 3 seconds

Pierluigi Paganini August 18, 2019

Bluetana App allows detecting Bluetooth card skimmers installed at the gas pumps to steal customers’ credit and debit card information in just 3 seconds on average.

Bluetooth card skimmers continue to be one of the favorite tools in the arsenal of crooks that attempt to steal credit and debit card information.

In recent years, law enforcement reported many cases of gas stations where cyber criminals have installed Bluetooth card skimmers.

In 2014, a criminal organization hit gas station ATMs located in South America using Bluetooth-enabled skimmers to steal 2 million dollars from customers.

The Bluetooth card skimmers are undetectable devices that are able to capture credit card data; this information was used to clone customers’ payment cards and use them to withdraw cash from ATMs in other states.

The skimmers were usually installed inside ATMs and were not detectable by visual inspection; criminals used a Bluetooth channel to receive the stolen card information.

The devices could capture payment card information, including credit card holder’s card number, expiration date, and the full name.

Crooks are installing Bluetooth card skimmers at gas pumps because they are less protected.

The good news is that a team of researchers from UC San Diego and the University of Illinois has developed a mobile app, named Bluetana, that allows state and federal inspectors, and customers at gas pumps, to detect Bluetooth card skimmers installed by crooks.

The Bluetana app scans for nearby Classic Bluetooth and Bluetooth Low Energy (BLE) devices every 5 seconds using Android’s Bluetooth API. When the app detects a potential skimmer, the user is alerted.

“The app, called Bluetana, detects the Bluetooth signature of the skimmers, and allows inspectors to find the devices without needing to open up the gas pumps.” reads the post published by the researchers.

Bluetana was developed with technical input from the United States Secret Service. It implements an algorithm that is able to differentiate skimmers from other Bluetooth devices.

Below is the procedure implemented by the researchers:

  • If “Class-of-Device” is uncategorized, Bluetana saves its data for later analysis.
  • It checks whether the device’s MAC prefix matches one of the entries in a list of prefixes used in skimming devices that was shared by law enforcement.
  • If the device has a MAC that is not on the list, the app highlights the record in Yellow.
  • If the device MAC is present in the list, but the “Device Name” matches a common product, it is unlikely to be a card skimmer and the record is highlighted in Orange.
  • If a device’s MAC prefix is present in the list, Class-of-Device is categorized, and Device Name is not common, Bluetana highlights the record in Red to warn of the presence of the skimmer.
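
The rules above, written as a triage function over scan records. This is an added Python example, not Bluetana's own code: the MAC prefixes and product names are constructed placeholders, and treating the prefix as the first three octets and matching names exactly are assumptions. The one combination the list does not cover gets no highlight.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed placeholders. The real prefix list was shared by law
# enforcement and is not published on this page.
SKIMMER_MAC_PREFIXES = {"AA:BB:CC", "DE:AD:01"}
COMMON_PRODUCT_NAMES = {"car audio", "fitness band"}


@dataclass
class ScanRecord:
    mac: str                    # device address as reported by the scan
    device_name: Optional[str]  # may be absent
    cod_categorized: bool       # False when Class-of-Device is uncategorized


def mac_prefix(mac: str) -> str:
    """Normalize a MAC address and return its first three octets.
    Assumption: "MAC prefix" means the 24-bit vendor prefix."""
    digits = "".join(c for c in mac.upper() if c in "0123456789ABCDEF")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in (0, 2, 4))


def triage(rec: ScanRecord) -> Tuple[bool, Optional[str]]:
    """Return (save_for_later_analysis, highlight_colour)."""
    # Rule 1: uncategorized Class-of-Device records are kept for analysis.
    save = not rec.cod_categorized
    # Rule 2: compare the prefix with the law-enforcement list.
    on_list = mac_prefix(rec.mac) in SKIMMER_MAC_PREFIXES
    name = (rec.device_name or "").strip().lower()
    common_name = name in COMMON_PRODUCT_NAMES  # assumption: exact match
    if not on_list:
        return save, "yellow"   # Rule 3
    if common_name:
        return save, "orange"   # Rule 4: unlikely to be a skimmer
    if rec.cod_categorized:
        return save, "red"      # Rule 5: warn of a likely skimmer
    # Listed prefix, uncommon name, uncategorized Class-of-Device:
    # the list above assigns no colour to this case.
    return save, None


if __name__ == "__main__":
    scans = [  # constructed sample scan results
        ScanRecord("aa:bb:cc:11:22:33", "unit-7", True),
        ScanRecord("AA-BB-CC-11-22-33", "Car Audio", True),
        ScanRecord("00:11:22:33:44:55", None, False),
    ]
    for rec in scans:
        print(rec.mac, triage(rec))
```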

According to the researchers, it will not be available to the general public; currently, the Android app is used by agencies in several US states.

Bluetana is very effective: it was able to detect two skimmers that were installed in gas pumps and that were not discovered for six months.

“We equipped 44 volunteers in six U.S. states with smartphones running Bluetana. Our volunteers have collected scans at 1,185 gas stations, where they observed a total of 2,562 Bluetooth devices,” reads a paper published by the team of researchers.

“In these scans, Bluetana detected a total of 64 skimmers installed at gas stations in Arizona, California, Nevada, and Maryland, and it was the sole source of information that led law enforcement to find 33 skimmers.”

The results of the tests conducted by the experts are excellent: the median time to detect Bluetooth card skimmers was 3 seconds, and 80% of the skimmers were detected within one minute.

This represents a 99% decrease in search time compared to the average of 30 minutes that inspectors take to check a gas pump station for skimmers.

“As new skimmer detection tools gain popularity, criminals will adapt skimming designs to evade detection. We expect future skimmers will use techniques such as those described in Section 5. Similar to Bluetana, future work in this area should emphasize designing easy-to-deploy systems for detecting skimmers, and evaluating their effectiveness with large-scale studies.” concludes the paper.


Pierluigi Paganini

(SecurityAffairs – Bluetana app, hacking)
