Thursday, September 17, 2015

Krebs on Security: Tracking a Bluetooth Skimmer Gang in Mexico

Tracking a Bluetooth Skimmer Gang in Mexico

-Sept. 9, 12:30 p.m. CT, Yucatan Peninsula, Mexico: Halfway down the southbound four-lane highway from Cancun to the ancient ruins in Tulum, traffic inexplicably slowed to a halt. There was some sort of checkpoint ahead by the Mexican Federal Police. I began to wonder whether it was a good idea to have brought along the ATM skimmer instead of leaving it in the hotel safe. If the cops searched my stuff, how could I explain having ultra-sophisticated Bluetooth ATM skimmer components in my backpack?

The above paragraph is an excerpt that I pulled from the body of Part II in this series of articles and video essays stemming from a recent four-day trip to Mexico. During that trip, I found at least 19 different ATMs that all apparently had been hacked from the inside and retrofitted with tiny, sophisticated devices that store and transmit stolen card data and PINs wirelessly.

Security researcher Brian Krebs has been writing extensively about ATM and credit card skimming devices. Typically, these are devices attached to the outside of a terminal that record card data for later retrieval by criminals. This scam, however, is different: the skimmer is installed inside the ATM, and the data is retrieved wirelessly. And it would appear that the crime ring responsible has compromised nearly every ATM in the tourist regions of Mexico.

If you're planning a trip to Mexico, bring all the cash you need in advance. After reading these articles, I wouldn't use my ATM/debit card anywhere in that country. Pay cash where possible. Use credit (preferably with a chip-and-PIN card or something encrypted like Apple Pay) everywhere else. It's clear to me that (at least until this crime ring is brought to justice, which might be a long time) no ATM in the country should be considered trustworthy. (To be fair, part 3 points out that all the compromised machines were standalone machines. ATMs owned and operated by banks appeared to be clean.)

There are currently three parts to this article:
