Facebook hoax? Can you sniff out gas station card skimmers using Bluetooth?

There’s a “helpful tip” making the Facebook rounds, and it’s a little bit helpful but a lot not so much.

It’s about using Bluetooth to detect credit card skimmers at gas stations:

Here is a helpful tip:
When you pull up to a gas station to fill your car. Search your phone for Bluetooth devices. If a sequence of letters and a sequence of numbers shows up in your device list do not pay at the pump. One of the pumps have a card reader installed. All card readers are bluetooth.

The post refers to a card “reader,” but what it means is card “skimmer.”

The former is a legal way for you to pay, while the latter is a piece of thief-ware, be it a plastic gadget clumsily glued onto the face of an ATM or gas pump, or technology that’s installed internally.

Credit card skimmers are devices that capture details from a payment card’s magnetic stripe, then (sometimes) beam them out via Bluetooth to nearby crooks.

The “sometimes” is just one thing that makes this viral post less than helpful.

Security journalist Brian Krebs has cataloged all sorts of skimmers, including some that send information to fraudsters’ phones via text message.

So convenient! …and so not Bluetooth.

From a thief’s point of view, Bluetooth has limitations, notably its limited range, so any thief who uses a Bluetooth-enabled skimmer needs to hang around nearby.

It also means that anybody else using Bluetooth in the vicinity could get an eyeful of “Oooo, payment card details up for grabs!”

That includes, of course, all of us law-abiding, viral-post-reading phone users.

So yes, the post is correct in saying that the Bluetooth sensor on a mobile phone can indeed be used to detect some card skimmers, but it’s incorrect because these sensors can’t detect them all.

As Naked Security’s Paul Ducklin points out, some skimmers use Wi-Fi, some use the mobile phone network, and others just store their data quietly on an SD card that the crooks come back for later on.

But that’s only one thing that makes this viral post less than helpful.

Bluetooth names tell you “everything and nothing”

Your phone may well pick up on nearby Bluetooth devices, but the names alone don’t really help, Paul says:

Just doing a scan for nearby Bluetooth device names tells you everything and nothing. You might as well decide if a gas station is crooked based on whether the fuel price ends in an odd or an even number of cents per gallon, and here’s why: sniffing or skimming devices might not show up at all, or they could have innocent-sounding names like “Car radio” or “My iPhone”.

On the other hand, the perfectly harmless video game that the kid in the next car is playing might be announcing itself with some sort of scary-looking autogenerated name like “AF09E856”.
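To make that point concrete, here is an added example (not part of the original article) that applies the viral tip as a literal name rule to a constructed Bluetooth scan. The regular expression is one assumed reading of “a sequence of letters and a sequence of numbers”, and every device in the list is invented for illustration.

```python
import re

# Assumed reading of the tip: a name made only of letters and digits,
# containing at least one of each, is "suspicious".
TIP_RULE = re.compile(r"^(?=.*[A-Za-z])(?=.*\d)[A-Za-z0-9]{6,}$")

def tip_flags(name):
    """True if the viral tip would say 'do not pay at the pump'."""
    return name is not None and TIP_RULE.match(name) is not None

# Constructed scan. name=None means the device never appears in a Bluetooth
# scan at all (it uses Wi-Fi, the mobile network or an SD card instead).
SCAN = [
    ("AF09E856",  "video game in the next car",        False),
    ("My iPhone", "a customer's actual phone",         False),
    ("XK4471B2",  "Bluetooth skimmer, default name",   True),
    ("Car radio", "Bluetooth skimmer, renamed",        True),
    ("My iPhone", "Bluetooth skimmer, renamed",        True),
    (None,        "skimmer that texts its data out",   True),
    (None,        "skimmer that stores to an SD card", True),
]

def evaluate(scan):
    """Tally how the tip's verdicts compare with what each device really is."""
    tally = {"caught": 0, "missed": 0, "false_alarm": 0, "ignored": 0}
    for name, _what, is_skimmer in scan:
        flagged = tip_flags(name)
        if is_skimmer:
            tally["caught" if flagged else "missed"] += 1
        else:
            tally["false_alarm" if flagged else "ignored"] += 1
    return tally

if __name__ == "__main__":
    for name, what, _ in SCAN:
        verdict = "FLAGGED" if tip_flags(name) else "not flagged"
        print(f"{str(name):10} {verdict:12} {what}")
    print(evaluate(SCAN))
```

On this constructed scan the rule catches one skimmer out of five and raises one false alarm, and no name-matching rule can see the devices that never advertise over Bluetooth.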

Two green tips that really do flummox skimmers

If you want to stop skimmers dead in their wireless/texted messages/stored-SD-card-enabled tracks, there’s an age-old technology that the thieves haven’t yet managed to crack remotely – it’s called cash:

If you think that the chance of being skimmed is lower if you go to the cashier and pay, then simply do that every time. If you’re worried about gas station skimming in general, you can always use cash — as it says on the bill, ‘This note is legal tender for all debts, public and private.’

Using sweet green cash (that’s the color in the US, at any rate!) is one way to avoid getting your payment card skimmed at the gas pump.

Here’s another green technology that blocks gas-stop skimmers: a bike!

That’s Paul’s solution:

Switch to a bicycle, like I did, and laugh in the face of gas stations for ever.

