Credit card thieves have taken their efforts to collect card information to the next level, as shown in recent reports of card skimming devices that have been uncovered in Utah and Florida. In the past, ATMs were targeted, which led banks to increase the security around their machines; storing the stolen card information on media inside the machines also increased the risks that the thieves had to take to profit from their schemes. Now, as the fraud arms race escalates, the card skimming criminals have embedded Bluetooth or cell phone transmitters inside targeted machines so that the stolen information can be relayed to them without necessarily visiting each machine. We covered some practical suggestions for gas stations, but now let’s look at the details and how this could guide us in defending our borderless networks.
Why Rob Gas Stations?
As Willie Sutton might say, “because that’s where the money is.” Or perhaps more accurately, because that’s where the payout is. Sure, ATMs have lots of cash, and lots of people swiping their debit cards and entering their PINs, but the banks are on top of security and tightly controlling these sites. Getting in and out of a bank that has properly secured its 24-hour walk-up ATMs is now quite risky.
Gas stations, on the other hand, probably have many more customers during a given day than even a high-traffic ATM, and much lower security overall. They are designed to defend against their typical threat scenario — someone with a gun trying to get into the cash register. It’s not uncommon to see gas stations with attendants protected behind bulletproof glass, with money exchanged from customer to attendant through a drawer. But the credit card readers on the pumps are in the open air, twenty-four hours a day, often with readily available master keys that are common to the pump manufacturer or model. With an appropriate diversion, or if the station is closed overnight, it might be difficult to see a skilled attacker briefly open a machine and install a card skimmer. Police have been quoting skilled installation in under 30 seconds.
Bluetooth Doesn’t Make Sense — Criminals Would Have to be 3 Feet Away
As card skimming, including gas pump skimming, becomes more widely reported on technical news sites, the limitations of Bluetooth are a common discussion theme. Most users are familiar with short-range, class 3 Bluetooth applications, where range is generally considered to be about one meter. This fits with their common usage — on cell phones, headsets and the like, class 3 BT is all that’s needed. But class 2 (10 meters) and class 1 (100 meters) transmitters can be found in USB dongles (or similarly-sized electronics) without external antennas.
And what about proximity? Wouldn’t the crook need to be camped out nearby — even 100m away? Judging from these incidents, such as the Florida case that cited nearly 180 gas stations, probably not. What’s more likely is that the crooks aren’t doing real-time dumps of siphoned data, but instead it’s store-and-forward. With a small local storage capacity, something like a MicroSD card, huge amounts of data could be cached, waiting on the crooks to stop by and download it via the Bluetooth connection.
This has an advantage over SMS: decentralization. The data dumps aren’t tied to a particular set of phone numbers, so there is no monitoring at the wireless company, or disabling the number to prevent receipt of the pilfered information. In fact, at “pick up” time, the bad guy might not even have to enter the gas station — with enough range and careful placement, they might just stop at a red light at the station’s intersection, pull down the most recent data, and drive away. And even if they did have to get out of their car and fill up with gas to avoid suspicion and be close enough to a skimming pump, receiving Bluetooth information wouldn’t look any different from working on a smartphone.
Comprehensive Security for Borderless Networks
Card skimming has unfortunately not run dry as a profitable enterprise for thieves. They have moved from ATMs to gas stations, but have also tried their hand at tampering with PIN pads at grocery checkouts. When returning to each site to collect the stored card data became too risky, they moved to transmitting via SMS or Bluetooth store-and-forward.
Security professionals should see a number of challenges in these accounts, and understand that even if they are not responsible for securing banks or gas stations, these techniques represent real risk to their networks and information assets. Not only are users looking for ways to make work portable and available in the environments of their choice and on the devices of their choice, but thieves will also be looking for where that data can be found — just like they selected gas stations as the next-best target for credit card skimming after ATMs became too high-risk.
Not only will administrators of borderless networks have to defend flexible environments that include any device, any network, or any application, they will also have to consider defending the air-gap. How will an organization defend against hardware-based keystroke loggers that transmit their stored information over Bluetooth to passersby tapping away on their smartphones? With data more readily available, will users be relying on their smartphones to work with sensitive information in places they wouldn’t have before — perhaps places more suited to thieves watching what they’re doing?
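One practical check that follows from both the store-and-forward Bluetooth discussion above and the question of keystroke loggers that transmit over Bluetooth is a periodic discovery scan compared against a baseline of devices the site expects to see. The script below is an added example written for this post, not code from the original article or from any vendor; it parses the line format printed by the BlueZ `hcitool scan` command (that format, the device addresses, names, and the site baseline are all constructed here for illustration). The key heuristic is persistence: a customer's phone shows up in one scan and is gone, while a transmitter mounted inside a pump or a workstation is present every time you look, so only unknown devices seen in several separate scans are reported.

```python
"""Compare Bluetooth discovery scans against a site baseline (added example, constructed data)."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample scans in the line format BlueZ's `hcitool scan` prints:
# a "Scanning ..." header, then "<tab>MAC<tab>name" per discovered device.
# Three runs taken at different times; every address and name is made up.
SCAN_RUNS = [
    "Scanning ...\n"
    "\t00:11:22:33:44:55\tForecourt-POS-1\n"
    "\t00:11:22:33:44:56\tForecourt-POS-2\n"
    "\tAA:BB:CC:DD:EE:01\tn/a\n"
    "\t66:77:88:99:AA:BB\tCustomer-Phone\n",
    "Scanning ...\n"
    "\t00:11:22:33:44:55\tForecourt-POS-1\n"
    "\tAA:BB:CC:DD:EE:01\tn/a\n",
    "Scanning ...\n"
    "\t00:11:22:33:44:56\tForecourt-POS-2\n"
    "\tAA:BB:CC:DD:EE:01\tn/a\n"
    "\t12:34:56:78:9A:BC\tAnother-Phone\n",
]

# Constructed site baseline: Bluetooth addresses the operator expects to see.
BASELINE = {"00:11:22:33:44:55", "00:11:22:33:44:56"}

# A 48-bit Bluetooth address as six colon-separated hex octets, then the name.
MAC_RE = re.compile(r"^\s*([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s*(.*)$")


@dataclass(frozen=True)
class BtDevice:
    mac: str
    name: str


def parse_scan(text: str) -> list[BtDevice]:
    """Extract (address, name) pairs from one scan; non-matching lines are ignored."""
    devices = []
    for line in text.splitlines():
        m = MAC_RE.match(line)
        if m:
            devices.append(BtDevice(m.group(1).upper(), m.group(2).strip()))
    return devices


def unexpected_devices(text: str, baseline: set[str]) -> list[BtDevice]:
    """Devices in a single scan that are not on the site baseline."""
    allowed = {mac.upper() for mac in baseline}
    return [d for d in parse_scan(text) if d.mac not in allowed]


def persistent_unknowns(runs, baseline, min_sightings=3):
    """Unknown devices seen in at least `min_sightings` separate scans.

    Returns sorted (address, name, sightings) tuples. Counting each address at
    most once per run means a device must keep reappearing, which filters out
    transient phones and leaves the hardware that never goes away.
    """
    allowed = {mac.upper() for mac in baseline}
    sightings = Counter()
    names = {}
    for run in runs:
        seen_this_run = set()
        for d in parse_scan(run):
            if d.mac in allowed or d.mac in seen_this_run:
                continue
            seen_this_run.add(d.mac)
            sightings[d.mac] += 1
            names[d.mac] = d.name
    return sorted((mac, names[mac], n) for mac, n in sightings.items() if n >= min_sightings)


if __name__ == "__main__":
    for mac, name, n in persistent_unknowns(SCAN_RUNS, BASELINE):
        print(f"review: {mac} ({name!r}) present in {n} of {len(SCAN_RUNS)} scans")
```

In practice the scans would be collected on a schedule from a fixed point near the pumps or workstations and fed in as `runs`; the threshold `min_sightings` is a tuning knob, and anything it reports still needs a physical inspection of the machine, since the scan only tells you that something discoverable is there, not what it is.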
Defenders will also have to consider that attacks might come in a form that isn’t “ideal” but simply works. Just as technology enthusiasts dismissed Bluetooth as ineffective for thieves, a closer examination showed us that while it may not be “ideal,” it has significant advantages over other alternatives — advantages that are clear to the crooks, but perhaps unorthodox or unusual to those considering common usage. We must not let ourselves adopt tunnel vision to solutions or threats, especially as the surface area that must be controlled increases and moves further away from strong centralization.
Just as card skimming miscreants have readily identified the weak spots in payment card transactions and struck where they could get the most benefit, be aware that electronic adversaries will do the same for the borderless network. Security pros should continue to stay up-to-date on the latest attacks, constantly asking themselves whether there are any similarities between these new attacks and how their users access sensitive information. Will that newest threat make the leap into their environment? And if so, what could they do to mitigate it before it strikes? Best not to be like the gas station — fortified against yesterday’s attacks, watching through bullet-proof glass while thieves siphon credit cards as they drive by.