There’s a “helpful tip” making the Facebook rounds, and it’s a little bit helpful but a lot not so much.
It’s about using Bluetooth to detect credit card skimmers at gas stations:
Here is a helpful tip:
When you pull up to a gas station to fill your car. Search your phone for Bluetooth devices. If a sequence of letters and a sequence of numbers shows up in your device list do not pay at the pump. One of the pumps have a card reader installed. All card readers are bluetooth.
The post refers to a card “reader,” but what it means is card “skimmer.”
The first is a legal way for you to pay, while the latter is a piece of thief-ware, be it a plastic gadget clumsily glued on to the face of an ATM or gas pump or technology that’s installed internally.
Credit card skimmers are devices that capture details from a payment card’s magnetic stripe, then (sometimes) beam them out via Bluetooth to nearby crooks.
The “sometimes” is just one thing that makes this viral post less than helpful.
Security journalist Brian Krebs has cataloged all sorts of skimmers, including some that send information to fraudsters’ phones via text message.
So convenient! …and so not Bluetooth.
From a thief’s point of view, Bluetooth has limitations, notably that Bluetooth has limited range, so any thief who uses a Bluetooth-enabled skimmer needs to hang around nearby.
It also means that anybody else using Bluetooth in the vicinity could get an eyeful of “Oooo, payment card details up for grabs!”
That includes, of course, all of us law-abiding, viral-post-reading phone users.
So yes, the post is correct in saying that the Bluetooth sensor on a mobile phone can indeed be used to detect some card skimmers, but it’s incorrect because these sensors can’t detect them all.
As Naked Security’s Paul Ducklin points out, some skimmers use Wi-Fi, some use the mobile phone network, and others just store their data quietly on an SD card that the crooks come back for later on.
But that’s only one thing that makes this viral post less than helpful.
Bluetooth names tell you “everything and nothing”
Your phone may well pick up on nearby Bluetooth devices, but the names alone don’t really help, Paul says:
Just doing a scan for nearby Bluetooth device names tells you everything and nothing. You might as well decide if a gas station is crooked based on whether the fuel price ends in an odd or an even number of cents per gallon, and here’s why: sniffing or skimming devices might not show up at all, or they could have innocent-sounding names like “Car radio” or “My iPhone”.
On the other hand, the perfectly harmless video game that the kid in the next car is playing might be announcing itself with some sort of scary-looking autogenerated name like “AF09E856”.
Two green tips that really do flummox skimmers
If you want to stop skimmers dead in their wireless/texted messages/stored-SD-card-enabled tracks, there’s an age-old technology that the thieves haven’t yet managed to crack remotely – it’s called cash:
If you think that the chance of being skimmed is lower if you go to the cashier and pay, then simply do that every time. If you’re worried about gas station skimming in general, you can always use cash — as it says on the bill, ‘This note is legal tender for all debts, public and private.’
Using sweet green cash (that’s the color in the US, at any rate!) is one way to avoid getting your payment card skimmed at the gas pump.
Here’s another green technology that blocks gas-stop skimmers: a bike!
That’s Paul’s solution:
Switch to a bicycle, like I did, and laugh in the face of gas stations for ever.
FOR MORE INFORMATION: WATCH OUR NAKED SECURITY LIVE VIDEO
(Watch directly on YouTube if the video won’t play here.)
anant
Funny article, solution: Cash and bike :D
Shawn
love it!!
Pingu
There is just one problem with cash – you have to insist on a formal receipt (and check it). With a card payment you should get a receipt from the system (and your payment is recorded at your credit card supplier).
Why is this important? An even older scam. Cashiers pocketing cash payments. They then make the “tills balance” by claiming that YOU drove away without paying. CCTV shows you filling up but there is no record of you paying. You then get stopped by the police and have to prove that you did pay.
Paying by credit card is an easy way to avoid most of these problems (unless the whole set-up is designed to defraud); the receipt is produced automatically and there is no agro with the cashier in getting a receipt (and exasperated sighing from those behind you in the queue)
Paul Ducklin
I think that the scam you are proposing is highly unlikely. If the CCTV shows you filling up then it will, almost certainly, also show you driving away without paying. Except it won’t. It will show you walking into the shop. And the CCTV in the shop will show you at the till. And the cashier’s lie will be laid bare. In my experience, a cashier who comes up short has the shortfall docked from their pay, and that’s one of the crummy things about being a cashier. All the responsibility, all of the risk, all for rubbish pay.
ubaDemo
Whatever “old” scam he is speaking of is billed by the fact we prepay for gas now. Still an inconvenience to have to over pay to fill up, then return to inside the store to get your change.
0laf
There are usually cameras above the cashiers to cover till dipping as well as the sort of fraud you describe
MrGutts
“others just store their data quietly on an SD card” They know scanners are out there and have been busted by them, so they went to a sand box system that they need to physically swap out. This is what has been going on in Georgia recently. Mostly from sketchy gas stations that are highly likely getting a cut of the action.
Paul Ducklin
In my exerience, non-wireless skimmers came first. The crooks would install the device while pretending to do a transaction, then return some time later – days, weeks even – and retrieve it, full of stolen data. Wirelessness came later, mainly because banks and other skimming victims got good at spotting the devices (and taught customers how to recognise and report them), so [a] there often was no data to come back for because the device had been removed or neutralised and [b] returning to unfasten the skimmer was risky because the victim already knew to be on the lookout for whoever was sent to fetch the gizmo.
UbaDemo
Just Incase you are super worried about this. Check your local gas station. Some chains have started putting taper evident seals over the top of the keyholes that allow entry to the readers. Basically, don’t use if seal is broken.
Bryan
@UbaDemo That’s a nice idea, but crooks could have their own tape printed. How would Average Joe recognize the real stuff from a slightly different forgery?
Walt Waltyface
Because a scammer would never be clever enough to carry fresh stickers around…
delayedthoughtengineering
Personal experience: After having read about scanning for bluetooth devices at my local gas station, I tried it, but was defeated. Not because I didn’t find any bluetooth devices. No. I found too many! There must have been at least 10 there. Mostly MAC addresses. Any one of them could have been a skimmer. I could have been picking up five different skimmers around me. Or maybe they were all cars and phones. There’s no real way to tell. It’s not like the skimmers would say “ev1lk00lsk1mm3r”. They’d probably just leave it with a MAC address. And I’m not about to write them all down and go hunt for manufacturers, which might lead nowhere. (Just because a manufacturer sells bluetooth chips, doesn’t mean that a skimmer is going to happen to use it.) All those bluetooth devices were probably benign; there were no broken hardware tape seals that I could see, and I do look for that.
Bill
Cash? What’s that?
Thomas Mallory
3D printed cryptocurrency. Very retro.
Paul Ducklin
Cash is cool in the way that vinyl is cool – it’s a great canvas for art!
kevpft
Good information and advice. Though you’re probably more likely to have your bike stolen than your credit card skimmed.
Paul Ducklin
The trick is to find bike-friendly coffee shops and cafes that let you take your bike indoors (or park it securely out the back).
Bryan
OR… you could tow your car behind–and when you arrive, you’ll always have something heavy to chain it to.
bonus: cardio cardio cardio
Paul Ducklin
Going downhill would be, ah, interesting.
David
I live in WA state. I had my Visa card skimmed at a local gas pump twice before I figured out that was where it was occurring. The 1st time they used a pointless security sinkhole called “Zelle” to steal $1000 in cash. Got that card replaced, the 2nd time they used the new card data to order some food deliveries 5 states away via Uber . The skimmer was INSIDE the pump. Doing some research, I found out MANY pumps in the US use THE SAME MASTER KEY, which is easily available to ANYONE online. Consumers need to press for 1) the elimination of these master key pump locks 2) requiring ALL card transactions, including gas pumps, use chip readers. Not perfect, but much more secure. Also, as consumers we need to not immediately FALL FAR unnecessary, very insecure “services” such as Zelle, simply because some business weasel at the bank decides they can make $$$$ out of the process.
Bob Ducfo
mine found at least 3 Blu Tooth devices..
letters and numbers
xx:xx:xx:xx:xx:xx
yy:yy:yy:yy:yy:yy
zz:zz:zz:zz:zz:zz
All with the blu tooth symbol in front. I do not think its a scam.
Paul Ducklin
The items in the format you show here (I redacted them) are actually just the low-level network numbers of the Bluetooth devices in hexadecimal notation, not the user-friendly names of each device (which is what the Facebook warning is about).