Brian Krebs has explained how an overlay skimmer equipped with Bluetooth technology allows thieves to snarf swiped card data and PINs wirelessly using nothing more than a mobile phone. Lamar Bailey, Sr. Director, Security R&D at Tripwire, commented below.
Lamar Bailey, Sr. Director, Security R&D at Tripwire:
The idea of a Bluetooth skimmer is neat, but it has pros and cons.
“Cons:
Effective Bluetooth range is around 30 ft, and in a retail setting with lots of interference it is likely much shorter. Given the range, the criminal would have to stand around to collect the data, which would look very suspicious to any security personnel. If the criminal is a store employee who will be in the area anyway, like someone monitoring self-checkout lanes or a cashier, it is much less suspicious. The other option is using a burner phone as the receiver and hiding it within range; this could work if there is a good place to hide it without being too suspicious or leaving it somewhere it may be discovered. These skimmers are also battery powered, so adding a Bluetooth radio reduces battery life when the goal is to harvest as many card numbers as possible.
Pros:
The real pro is speed: if the phone collecting the data has an internet connection, the harvested numbers could be relayed in near real time. This allows the criminals to use the card numbers quickly and try to steal as much as possible before alerts are triggered.
This becomes very useful in the ‘forgot something’ scam, where two charges are made at the same store in a short period of time. Charge one is legitimate and charge two is made by the criminals; if done right, this generally does not trigger credit card alerts because it looks like the customer forgot some items and went back to get them, or made their larger purchase of a TV or computer separately from smaller items.
Deploying Wi-Fi, cellular, and Bluetooth blockers around the checkouts can cut down on these attacks.”
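The ‘forgot something’ pattern Bailey describes (a legitimate charge followed minutes later by a fraudulent one at the same merchant) is exactly the kind of event an issuer's fraud pipeline can surface as a velocity rule. The following is an added illustration written for this page, not code from Tripwire or from the article; the transaction format, the field names and the 30-minute window are assumptions, and the sample transactions are constructed. It groups charges by card and merchant and flags any consecutive pair that falls inside the window, leaving the analyst to decide whether the pair is a genuine return trip or a skimmed card being cashed out.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import groupby

# Constructed sample feed: card,merchant,amount,ISO-8601 timestamp (assumed format)
SAMPLE_FEED = """\
4111-1,STORE-A,23.50,2024-05-01T10:02:00
4111-1,STORE-A,649.00,2024-05-01T10:19:00
4111-1,STORE-B,12.00,2024-05-01T13:40:00
4222-2,STORE-A,80.00,2024-05-01T10:05:00
4222-2,STORE-A,75.00,2024-05-02T10:05:00
"""


@dataclass(frozen=True)
class Charge:
    card: str
    merchant: str
    amount: float
    ts: datetime


def parse_feed(text: str) -> list[Charge]:
    """Parse the assumed CSV-style feed into Charge records, skipping blank lines."""
    charges = []
    for line in text.splitlines():
        if not line.strip():
            continue
        card, merchant, amount, ts = line.split(",")
        charges.append(Charge(card, merchant, float(amount), datetime.fromisoformat(ts)))
    return charges


def find_repeat_pairs(charges: list[Charge], window: timedelta) -> list[tuple[Charge, Charge]]:
    """Return consecutive charges on the same card at the same merchant within `window`.

    Charges are sorted by (card, merchant, time) so each group is scanned once; only
    adjacent pairs are compared, which keeps the rule linear in the feed size.
    """
    ordered = sorted(charges, key=lambda c: (c.card, c.merchant, c.ts))
    pairs = []
    for _, group in groupby(ordered, key=lambda c: (c.card, c.merchant)):
        members = list(group)
        for first, second in zip(members, members[1:]):
            if second.ts - first.ts <= window:
                pairs.append((first, second))
    return pairs


def flag_forgot_something(feed: str, window_minutes: int = 30) -> list[dict]:
    """Run the velocity rule over a feed and return analyst-friendly alerts.

    The alert carries the gap and the amount ratio: a small follow-up charge looks like
    a forgotten item, while a much larger one is the case worth a closer look.
    """
    alerts = []
    for first, second in find_repeat_pairs(parse_feed(feed), timedelta(minutes=window_minutes)):
        alerts.append({
            "card": first.card,
            "merchant": first.merchant,
            "gap_minutes": (second.ts - first.ts).total_seconds() / 60,
            "amount_ratio": second.amount / first.amount if first.amount else None,
        })
    return alerts


if __name__ == "__main__":
    for alert in flag_forgot_something(SAMPLE_FEED):
        print(alert)
```

In the constructed feed only card 4111-1 trips the rule (two charges at STORE-A 17 minutes apart, the second roughly 28 times larger); the same card at a different store and the 4222-2 charges a day apart are left alone. The window and ratio are tuning knobs, not verdicts: the point Bailey makes is that this pattern is often legitimate, so the rule is a triage signal to combine with other context rather than a block decision.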
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.