A new app can detect Bluetooth credit card skimmers on gas pumps

A team of computer scientists has built a new app that can wirelessly detect credit card skimmers, often found discreetly placed on gas pumps and bank ATMs.

Gone are the days where entire card skimmers would take over the front facade of an entire cash machine. Credit card skimmers are tiny, almost invisible — and many contain Bluetooth wireless capabilities, meaning skimming operators can install their credit card data-stealing skimmers just once and never have to take apart a gas pump again. Instead, criminals can just pull up in their car and wirelessly download the stolen card data.

Skimmers are also often connected to the magnetic stripe reader or the keypad, not only to steal your credit card number but also your PIN and ZIP codes.

This new app, dubbed Bluetana, developed by researchers at the University of California, San Diego and the University of Illinois Urbana-Champaign, can detect Bluetooth-enabled skimmers without having to dismantle vulnerable gas pumps.

By detecting Bluetooth signatures, the app aims to find more skimmers without flagging false positives, like speed-limit signs and fleet tracking systems, said Nishant Bhaskar, a PhD student and one of the researchers. Many skimmers use the same components, which when detected can indicate the presence of a skimmer. The prefix of the Bluetooth device’s unique MAC address is then compared to a hit list of prefixes known to be used by skimmers recovered by law enforcement. The app also uses signal strength as a “reliable way” to determine if a Bluetooth skimmer device is located near a gas pump.

The app was developed after field testers obtained scans of 1,185 Bluetooth gas pump skimmers in six U.S. states.

It’s a new technique aimed at improving on existing efforts designed to detect these tiny, inconspicuously installed skimming devices. Bluetooth skimmers are popular among scammers and fraudsters, not least because they offer a high return on investment. A single device can cost $20 to develop and can be used to steal thousands of dollars, depending on where the skimmer is located.

So far, the Bluetana app has detected 64 Bluetooth-based skimmers that had evaded other, existing scans, according to the researchers, and cuts down detection time to just a few seconds rather than minutes.

But don’t expect the app to come to consumers any time soon. The app is currently in use by U.S. law enforcement. Currently the app is in use in several U.S. states, the researchers said.