
Connected Devices: If Only They Would Use Their Power for Good Instead of Evil

Posted: May 25, 2017
Author: Lou Grilli

Data thieves turn to Bluetooth technology at the gas pump.

Let's go old school for a moment and borrow an expression used by Maxwell Smart, Agent 86 for Control, who ended most shows by lamenting about the bad guys: “If only they had used their powers for good instead of evil.” And so it goes in the case of the internet of things.

Skimmers have been a source of breached credit and debit cards since before 2010. Primitive skimmers were bulky and unreliable. Later skimmers that were inserted behind the cover of the gas pump or the ATM were not easily detected. Security tape with the warning “Please report any broken seals to the cashier” puts the burden on the customer to be wary of, and alert for, skimmers, and it put a damper on the rapid growth of skimmers at the pump – that is, until the internet of things came into popularity.

Skimmers “eavesdrop” on data

The internet of things is loosely defined as the interconnection of connected devices. As Tom Davis, VP of Technology at CSCU, explained, any device that has power can be given sensors, intelligence, and communications capability to become a connected device. In the case of skimmers, the sensors are eavesdropping on the data on the mag stripe as it's being swiped, the intelligence is storing the data and uploading it on command, and the real breakthrough is the communications capability, namely adding Bluetooth to skimmers. Prior to adding Bluetooth, the fraudsters would need to sneak the skimmer in, and later come back to retrieve the data. That doubled their chance of getting caught. And once they retrieved the skimmer, they usually would grab it and take off quickly, ending the skimming attack at the location.

But with the addition of Bluetooth to the skimmer, the fraudsters can park nearby (across the street from the gas pump), remotely retrieve the data, and leave the skimmer in place to keep doing its nefarious job until caught. And catching these skimmer devices is getting incredibly difficult due to remarkable designs. This picture from noted cybercrime and computer security expert Brian Krebs, of KrebsOnSecurity, shows an external skimmer on a gas pump that went unnoticed for several weeks, due to its ingenious design.

 

Source: Krebs on Security. The pump on the right is the one with the skimmer. 

Paying inside is not necessarily a solution

Experts suggest that one of the ways to keep your card from getting caught by one of these clever devices is to go inside to pay. Unfortunately, the fraudsters have beaten you to the inside terminal as well. Krebs reports on skimmers that are overlays for several popular in-store terminals. The photo below shows the amazingly hidden overlay for the very popular Ingenico terminal found at many merchant locations, including supermarkets, big box retailers, convenience stores, and yes, inside the gas station where it was supposed to be safe. The PIN pad overlay collects numeric entry, correlates it to the swipe that just occurred, and stores it until requested over Bluetooth – a connected device whose only purpose is evil, not good.