Welcome to Finextra. We use cookies to help us to deliver our services. We'll assume you're ok with this, but you may change your preferences at our Cookie Centre.
Please read our Privacy Policy.

Accept
Channels
Blog article
See all stories »

Channels

Security Regulation & Compliance
External | what does this mean?
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.

Pay-at-the-Pump Skimming Using Bluetooth

Skimming data off of debit and credit cards has been happening at ATMs, gas pumps and electronic funds transfer point of sale terminals for quite some time.

When criminals plant skimming devices, they have to physically attach a skimming device that fits over the face of the ATM’s card slot. Then they install a small camera that shoots video of your pinpad which extracts user PIN codes. The camera is often housed inside of a brochure holder or little box that may have a mirror glued to its face. The mirror is made to loom like a security feature preventing shoulder surfing.

Once the criminals attach the devices they have to wait it out for someone to then use the ATM or gas pump before they can remove the device and download the data. It is in the best interest of the criminal to leave the skimmer on the machine for as long as possible to skim as many cards as possible. Because every time the skimmer is removed and replaced it becomes another opportunity for the thief to get caught or for something to go wrong.

In Utah a group of criminals one-upped other ATM scammers by installing Bluetooth enabled skimming devices that broadcast the skimmed data to a nearby storage devise, probably a laptop. Bluetooth’s range can be just a few feet to as much as a city block. So the criminals had to be in a car nearby.

What made these devices even more sophisticated is they skim the card data and grab the PIN code via the all-in-one combo skimmer and PIN pad device affixed to the face of the pump that allowed the financial transaction to occur.

This entire process allows the criminal to steal “data-on-demand” and immediately turn it into cash. Further, it provides the criminal with the freedom to decide whether or not they want to retrieve the skimming device thereby lessening their chances of being caught.

You can’t protect yourself from this kind of skimmer by covering your pin due to the fact that the device is the pinpad. So if you use a device like this you are screwed. Ultimately, you must pay close attention to your statements. Also, pay close attention to details, and look for anything that seems out of place. Refute unauthorized transactions within 60 days. Check with your bank to determine what their timeframe is to refute unauthorized withdrawals. In some cases it can be as early as a week.

Protect your identity.

4447

Channels

Security Regulation & Compliance
External | what does this mean?
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
Report abuse

Comments: (0)

Join the discussion
Robert Siciliano

Robert Siciliano

Security Analyst

Safr.me

Member since

04 Feb 2009

Location

Boston

Blog posts

841

Comments

62

More from Robert

Community
See all blogs »
Banking Strategy, Digital and Transformation 

How financial services organisations can protect valuable data in the age of ransomware

Mark Nutt

Mark Nutt

Payments strategies 2015-2020-2030 

Open-loop EMV standard Fleet and Mobility Payments – Convenience, Security and the Road Ahead

Jonathan Hancock

Jonathan Hancock

Fintech 

How innovation in encryption is helping secure the credit card approval process

Ghazi Ben Amor

Ghazi Ben Amor

Operational Risk Management 

DORA – Navigating the EU’s Operational Resilience Landscape

Antony Fung

Antony Fung

Now hiring

See more