Thirteen people have been indicted for installing Bluetooth-enabled, banking-data-gobbling skimmers at gas stations in the Southern US, Manhattan District Attorney Cyrus R. Vance, Jr. said in a statement released on Tuesday.
The defendants allegedly forged bank cards using the banking details from victims in the southern states; used the cards to deposit, withdraw and thereby launder $2.1 million (£1.27 million) through ATMs and banks in New York City; and withdrew part of the stolen money on the West Coast.
All in all, the countrywide crime spree involved more than 70 different bank accounts.
The four lead defendants are accused of installing card skimming devices to copy credit and ATM numbers, and PINs used by customers at Raceway and RaceTrac gas stations throughout Texas, Georgia, and South Carolina.
The devices were impossible for gasoline-buying customers to detect, given that the skimmers were installed internally, the DA said.
It’s a heck of a lot easier to detect thieves’ attempts to get at your credit card when they’ve done something like clumsily glue a card catcher onto the front of an ATM, of course, and then made it even more obvious by hanging around the machine waiting for a victim to give up on getting her card back. That is what happened to Jamillah Knowles, who wrote about her catch of a card catcher for Naked Security in June.
ATM skimmers are usually made of molded plastic and have to be attached onto cash machine hardware. The color and texture could well not match, the fit likely won’t be exact, and the skimmer could be slightly loose.
In fact, when Australian detectives warned about skimmers during the holiday season back in 2012, the advice we passed on was to grab whatever device you’re putting your card into and give it a good wiggle.
That, obviously, is no help here, given the internally installed skimmers used, but I pass it on because it’s good advice in other skimmer scenarios.
At any rate, having Bluetooth-enabled devices made it easy for thieves to get at the stolen data without having to physically remove the skimming devices.
Not that wireless-enabled credit card skimmers are new, mind you. Security journalist Brian Krebs has cataloged all sorts of skimmers, including some that even send information to fraudsters’ phones via text message.
With their Bluetooth-enabled card skimmers, the defendants in this case allegedly spent just over a year – between 26 March 2012 and 28 March 2013 – using the forged cards at ATMs in Manhattan, siphoning funds out of their victims’ accounts in increments under $10,000.
Keeping the withdrawals under $10,000 avoided cash transaction reporting requirements.
They then allegedly deposited the stolen money into their own bank accounts in New York.
Others in the crime ring are alleged to have promptly withdrawn the money at banks in California or Nevada.
The four lead defendants are Garegin Spartalyan, 40; Aram Martirosian, 34; Hayk Dzhandzhapanyan, 40; and Davit Kudugulyan, 42.
Originally arrested and charged on 21 March, 2013, the four lead defendants are now facing a 426-count indictment with felony charges of money laundering, criminal possession of stolen property, grand larceny, criminal possession of a forgery device, and criminal possession of forged instruments.
The earlier arrests sparked an investigation that eventually led the police to nine other defendants.
Those nine – Azat Aramyan, 25; Norayr Aramyan, 25; Argine Ananyan, 34; Rosa Unusyan, 24; Sona Minasyan, 51; Armen Abroyan, 36; Hasmik Miribian, 64; Artur Pogosyan, 31; and Rose Vardui Pndlyan, 47 – have been charged with two felony counts of money laundering, either in the second or third degree.
16 comments on “Thieves skim card data from US gas stations via Bluetooth-enabled devices”
At least on ATM / cash machines the bank should have a picture of what the slot and keypad look like on the screen. Then you know what to check for, and someone can’t just stick something over it with the added part.
How did they get internal access? Station employees, manufacturer access?
Probably not that hard to open, possibly even “one key fits all” situation, like the old soda machines were… come by after closing, install your hardware and test it… drive up get gas and download your haul.
The obvious questions were not answered. How did they install the devices internally without getting caught? How did they ever get caught? How does a consumer avoid getting ripped off by a device like this? I guess only use cash is one answer but it has its risk too.
In many places, they use a non-unique key to unlock the pumps to replace the paper. (I work in a gas station). Some places have a “unique” key, but I wouldn’t lay odds on how unique it is. While we’re told to always keep it in the store (fireable offense if you take it home, etc.) that may not stop a bad actor…
The DA didn’t give details on how the device was installed (I assumed it was an inside job), so that leaves conjecture on our part or informed input from somebody like you, Anonymous Clerk, so thank you for the input.
They intercepted the Bluetooth transmission from the payment terminal at the gas pump to the merchant terminal inside the gas station.
Were the cards chip cards (more secure) or magstripe cards (less secure)? An important point, I think.
Anyone else notice that nearly all of the last names for these 13 people end in yan? Why is that?
Would you feel better if the names ended in “man” or “son”?
Apparently they all share some ethnic linkage, if not direct family ties. The other names end in “ian”, essentially the same thing.
That’s why I prepay for gas with cash. It’s silly to think your credit/debit card details are safe if you use it frequently.
Lisa wrote: “With their Bluetooth-enabled card skimmers, the defendants in this case allegedly spent a year and two days – between 26 March 2012 and 28 March 2013 – using the forged cards at ATMs in Manhattan, siphoning funds out of their victims’ accounts in increments under $10,000.”
Uhhh, that’s a year and three days. 26 March 2012 to 25 March 2013 is a year; the 26th, 27th, and 28th constitute three additional days.
This is now fixed. Thanks for pointing it out 🙂
My bad. Thanks for pointing out the error.
Google the yan name ending; it is a Russian Armenian similar to the ian Armenian ending.