Thieves skim card data from US gas stations via Bluetooth-enabled devices

Filed Under: Data loss, Featured

Gas pump. Image courtesy of ShutterstockThirteen people have been indicted for installing Bluetooth-enabled, banking-data-gobbling skimmers at gas stations in the Southern US, Manhattan District Attorney Cyrus R. Vance, Jr. said in a statement released on Tuesday.

The defendants allegedly forged bank cards using the banking details from victims in the southern states; used the cards to deposit, withdraw and thereby launder $2.1 million (£1.27 million) through ATMs and banks in New York City; and withdrew part of the stolen money on the West Coast.

All in all, the countrywide crime spree involved more than 70 different bank accounts.

The four lead defendants are accused of installing card skimming devices to copy credit and ATM numbers, and PINs used by customers at Raceway and RaceTrac gas stations throughout Texas, Georgia, and South Carolina.

The devices were impossible for gasoline-buying customers to detect, given that the skimmers were installed internally, the DA said.

It's a heck of a lot easier to detect thieves' attempts to get at your credit card when they've done something like clumsily glue a card catcher onto the front of an ATM, of course, and then made it even more obvious by hanging around the machine waiting for a victim to give up on getting her card back, as happened to Jamillah Knowles, who wrote about her catch of a card catcher for Naked Security in June.

ATMs are usually made of molded plastic and have to be attached onto cash machine hardware. The color and texture could well not match, the fit likely won't be exact, and the skimmer could be slightly loose.

In fact, when Australian detectives warned about skimmers during the holiday season back in 2012, the advice we passed on was to grab whatever device you're putting your card into and give it a good wiggle.

That, obviously, is no help here, given the internally installed skimmers used, but I pass it on because it's good advice in other skimmer scenarios.

At any rate, having Bluetooth-enabled devices made it easy for thieves to get at the stolen data without having to physically remove the skimming devices.

Not that wireless-enabled credit card skimmers are new, mind you. Security journalist Brian Krebs has cataloged all sorts of skimmers, including some that even send information to fraudsters' phones via text message.

So convenient!

With their Bluetooth-enabled card skimmers, the defendants in this case allegedly spent just over a year - between 26 March 2012 and 28 March 2013 - using the forged cards at ATMs in Manhattan, siphoning funds out of their victims' accounts in increments under $10,000.

Credit cards. Image courtesy of ShutterstockKeeping the withdrawals under $10,000 avoided cash transaction reporting requirements.

They then allegedly deposited the stolen money into their own bank accounts in New York.

Others in the crime ring are alleged to have promptly withdrawn the money at banks in California or Nevada.

The four lead defendants are Garegin Spartalyan, 40; Aram Martirosian, 34; Hayk Dzhandzhapanyan, 40; and Davit Kudugulyan, 42.

Originally arrested and charged on 21 March, 2013, the four lead defendants are now facing a 426-count indictment with felony charges of money laundering, criminal possession of stolen property, grand larceny, criminal possession of a forgery device, and criminal possession of forged instruments.

The earlier arrests sparked an investigation that eventually led the police to nine other defendants.

Those nine - Azat Aramyan, 25; Norayr Aramyan, 25; Argine Ananyan, 34; Rosa Unusyan, 24; Sona Minasyan, 51; Armen Abroyan, 36; Hasmik Miribian, 64; Artur Pogosyan, 31; and Rose Vardui Pndlyan, 47 - have been charged with two felony counts of money laundering, either in the second or third degree.

Image of man at gas pump and credit cards courtesy of Shutterstock.

, , , ,

You might like

16 Responses to Thieves skim card data from US gas stations via Bluetooth-enabled devices

  1. Guy · 582 days ago

    At least on ATM / cash machines the bank should have a picture of what the slot and keypad look like on the screen. Then you know what to check for, and someone can't just stick something over it with the added part.

  2. wolsonjr · 582 days ago

    How did they get internal access? Station employees, manufacturer access?

    • Probably not that hard to open, possibly even "one key fits all" situation, like the old soda machines were... come by after closing, install your hardware and test it... drive up get gas and download your haul.

  3. The obvious questions were not answered. How did they install the devices internally without getting caught? How did they ever get caught? How does a comsumer avoid getting ripped off by a device like this? I guess only use cash is one answer but it has its risk too.

    • Anonymous Clerk · 582 days ago

      In many places, they use a non unique key to unlock the pumps to replace the paper. (I work in a gas station). Some places have a "unique" key, but I wouldn't lay odds on how unique it is. While we're told to always keep it in the store (fireable offense if you take it home, etc.) that may not stop a bad actor...

      • Lisa Vaas · 581 days ago

        The DA didn't give details on how the device was installed (I assumed it was an inside job), so that leaves conjecture on our part or informed input from somebody like you, Anonymous Clerk, so thank you for the input.

    • IT Guy · 279 days ago

      They intercepted the bluetooth transmission from the payment terminal at the gas pump to the merchant terminal inside the gas station.

  4. Scott · 582 days ago

    Were the cards chip cards (more secure) or magstripe cards (less secure). An important point, I think.

    • Matt · 582 days ago

      Anyone else notice that nearly all of the last names for these 13 people end in yan. Why is that?

      • Would you feel better if the names ended in "man" or "son"?

      • Steve · 581 days ago

        Apparently they all share some ethnic linkage, if not direct family ties. The other names end in "ian", essentially the same thing.

  5. That's why I prepay for gas with cash. It's silly to think your credit/debit card details are safe if you use it frequently.

  6. Laurence Marks · 582 days ago

    Lisa wrote: "With their Bluetooth-enabled card skimmers, the defendants in this case allegedly spent a year and two days - between 26 March 2012 and 28 March 2013 - using the forged cards at ATMs in Manhattan, siphoning funds out of their victims' accounts in increments under $10,000."

    Uhhh, that's a year and three days. 26 March 2012 to 25 March 2013 is a year; the 26th, 27th, and 28th constitute three additional days.

  7. Jeff Bastian · 582 days ago

    Google the yan name ending it is a Russian Armenian similar to the ian Armenian ending.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.