The Bluetooth Dilemma

This article describes how criminals have begun to integrate Bluetooth technology into card reader skimmers so that they can collect stolen card information more effectively. Josh Wright is an expert on Bluetooth and wireless security in general and is a Senior Instructor at the SANS Institute, where he authored (and often teaches) the SEC-617 course on Wireless Security. Here, he discusses how criminals are using Bluetooth with card-reading skimmers, some Bluetooth security issues and some remedies.

The Bluetooth Dilemma – [sans.org]

A few weeks ago, Visa published their regular Visa Bulletin newsletter for merchants, describing a trend in which PIN entry devices (PEDs) are being stolen from retail locations. Video surveillance information indicates that PEDs are stolen during business hours and replaced with modified versions designed to skim payment card number and PIN information in a matter of seconds. An integral component of these modified PEDs is a Bluetooth radio implanted by the criminal.

Visa is a little late in reporting this type of activity to merchants. In 2009, several victims reported fraudulent ATM withdrawals from their bank accounts from locations in Los Angeles. Subsequent analysis by the authorities indicated that the PIN and payment card information was compromised at a series of 7-Eleven stores in Utah. Upon dismantling the gas pumps in these stores, authorities identified the presence of PIN and mag-stripe skimmers with an added Bluetooth radio component, shown below.

Joshua Wright – [sans.org]

Joshua Wright is an independent information security analyst and senior instructor with the SANS Institute. A widely recognized expert in the wireless security field, Josh has worked with private and government organizations to evaluate the threat surrounding wireless technology and evolving threats. As an open-source enthusiast, Josh has developed a variety of tools that can be leveraged for penetration testing and security analysis. Josh publishes his tools, papers and techniques for effective security analysis on his website at http://www.willhackforsushi.com.

Will Hack For SUSHI – Hacking and Defending Wireless – [willhackforsushi.com]

Wireless Ethical Hacking, Penetration Testing, and Defenses – [sans.org]

SEE ALSO:
GSM Based Skimmers
ATM Skimmers
