In recent years, gas stations have become a favorite target for thieves, who steal customers’ credit and debit card information by installing Bluetooth-enabled payment card skimmers at gas stations across the nation.
The media has also reported several recent crimes surrounding credit card skimmers, including:
- Gas pump skimmer found at a 7-Eleven in Pinellas County
- Credit card skimmer found at West Palm Beach gas station
- Credit Card Skimmer Found at Gas Station in Sunnyvale
- Several Gas Pump Credit Card Skimmers Found at Bay Area Stations
- Gas pump credit card skimmers found at Boerne stations
- Credit card skimmers target Anthem Circle K
For those unaware, a Bluetooth credit card skimmer is a tiny, sneaky device designed to stealthily capture payment card information, such as the card number, expiration date and the cardholder’s full name, which nearby thieves then retrieve wirelessly over a Bluetooth connection.
Since these devices are designed to blend in seamlessly with the machine they’re placed on, sometimes they can’t be spotted, even if you’re using your eyes, fingers and common sense.
Skimmers are often found discreetly placed on bank ATMs. In recent years, however, crooks have started targeting gas stations, where the customer-facing card readers are far easier to tamper with than ATMs, making it easier to pull off the crime.
Well, here’s some great news: a smartphone app that could help customers at gas pumps quickly and accurately detect these nasty Bluetooth-based payment card skimmers.
A team of cybersecurity researchers at the University of California San Diego and the University of Illinois has developed a new mobile app that can wirelessly and accurately detect card skimmers installed by criminals at gas stations or on bank ATMs.
Dubbed Bluetana, the smartphone app works by scanning all nearby Bluetooth devices, both Classic and Bluetooth Low Energy (BLE), every 5 seconds using Android’s Bluetooth API. When it detects a potential skimmer, the app indicates it to the user by highlighting the device record in Red.
That’s possible because Bluetana uses an algorithm to differentiate credit card skimmers from other common Bluetooth devices, such as sensors, smartphones, or vehicle tracking hardware, that appear in Bluetooth scans at gas stations.
How Does Bluetana Detect Card Skimmers?
As shown in the diagram, the app differentiates devices using the following procedure:
- If “Class-of-Device” is uncategorized, Bluetana saves its data for later analysis.
- It then matches the device’s MAC prefix against a list of prefixes used in skimming devices recovered by law enforcement.
- If the device has a MAC that is not on the list, it is unlikely to be a skimmer, and the app highlights the record in Yellow.
- If the device MAC is on the list, but the “Device Name” matches a common product, it is unlikely to be a skimmer, and the app highlights the record in Orange.
- If a device’s MAC prefix matches, Class-of-Device is categorized, and Device Name is not common, it indicates the device is likely to be a skimmer, and Bluetana highlights the record in Red.
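The decision procedure above, sketched in Python as an added example (this is not Bluetana's own code, which the article does not show). The prefix list, common-name list and scan records are constructed placeholders; Class-of-Device handling is limited to the first step's save flag, decoded from the major device class bits, so RED here means only that the MAC-prefix and Device Name conditions hold.

```python
import re

# Constructed placeholders: the real prefix and common-name lists are not on the page.
SKIMMER_MAC_PREFIXES = {"00:11:22", "AA:BB:CC"}
COMMON_DEVICE_NAMES = {"example-car-kit", "example-tracker"}

MAJOR_CLASS_MASK = 0x1F00      # bits 8-12 of the 24-bit Class-of-Device field
MAJOR_UNCATEGORIZED = 0x1F00   # Bluetooth "Uncategorized" major device class


def mac_prefix(mac):
    """Return the first three octets as 'AA:BB:CC', or None if the MAC is malformed."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac or "")
    if len(digits) != 12:
        return None
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in (0, 2, 4))


def triage(record):
    """Apply the listed rules to one scan record; returns (saved_for_analysis, colour)."""
    # Step 1: uncategorized Class-of-Device records are kept for later analysis.
    saved = (record["cod"] & MAJOR_CLASS_MASK) == MAJOR_UNCATEGORIZED
    # Steps 2-3: a prefix that is off the list (or a malformed MAC) is Yellow.
    if mac_prefix(record["mac"]) not in SKIMMER_MAC_PREFIXES:
        return saved, "YELLOW"
    # Step 4: listed prefix, but the name belongs to a common product.
    name = (record.get("name") or "").strip().lower()
    if name in COMMON_DEVICE_NAMES:
        return saved, "ORANGE"
    # Step 5: listed prefix and an uncommon (or missing) name.
    return saved, "RED"


# Constructed scan results, not captured data.
SCAN = [
    {"mac": "00-11-22-33-44-55", "name": None, "cod": 0x001F00},
    {"mac": "aa:bb:cc:00:00:01", "name": "Example-Tracker", "cod": 0x001F00},
    {"mac": "DE:AD:BE:EF:00:01", "name": "Phone", "cod": 0x5A020C},
]

if __name__ == "__main__":
    for rec in SCAN:
        print(rec["mac"], triage(rec))
```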
Researchers said they were surprised that their Bluetana app was able to detect so many skimmers that had not been discovered by regular manual inspections or other detection methods.
Their app even detected two skimmers that were installed in gas pumps and had evaded detection for six months.
“We equipped 44 volunteers in six U.S. states with smartphones running Bluetana. Our volunteers have collected scans at 1,185 gas stations, where they observed a total of 2,562 Bluetooth devices,” researchers said in a research paper.
“In these scans, Bluetana detected a total of 64 skimmers installed at gas stations in Arizona, California, Nevada, and Maryland, and it was the sole source of information that led law enforcement to find 33 skimmers.”
According to their study, Bluetana takes just 3 seconds on average to detect a credit card skimmer—far less than manual inspections by law enforcement officials that can take 30 minutes on average.
Bluetana researchers worked closely with the United States Secret Service. For the time being, the app is only available to official gas pump inspectors in several U.S. states and is not expected to go mainstream for consumers anytime soon, the researchers noted.