Authorities in New York on Tuesday announced the indictment of thirteen men accused of running a multi-million dollar fraud ring that allegedly installed Bluetooth-enabled wireless gas pump skimmers at filling stations throughout the southern United States.
According to documents released by Manhattan District Attorney Cyrus R. Vance, Jr., the accused stole more than $2.1 million in the scheme. Investigators say the men somehow gained access to pumps at Raceway and Racetrac gas stations throughout Georgia, South Carolina and Texas and installed skimming devices like the one pictured below.
These devices connect directly to the pump’s power supply, and include a Bluetooth chip that enables thieves to retrieve the stolen data wirelessly — just by pulling up to the pump and opening up a laptop. The defendants allegedly then encoded the stolen card data onto counterfeit cards, and armed with stolen PINs withdrew funds from victim accounts at ATMs. The defendants then allegedly deposited the funds into accounts in New York that they controlled, after which co-conspirators in California and Nevada would withdraw the cash in sub-$10,000 increments to avoid triggering anti-money laundering reporting requirements by the banks.
This blog has featured several stories about gas-pump skimmers that were Bluetooth enabled. What’s remarkable is how common these attacks have become (Google News and Twitter are full of local news reports of apparent gas pump skimmer attacks, like this one at a Pilot station in Tennessee last week).
Last year, I received some information from a police officer in California who is tasked with chronicling many of these incidents (this seems to have become something of a full-time job for him). He sent me some pictures of a few several more common gas pump skimmers that show up at filling stations in his state, including the devices show above right and below left.
The incident reports he filed on the devices pictured below indicates that thieves involved in this type of crime have a typical playbook. These crimes, as with attacks on regular bank ATMs, tend to occur on weekends, often in the early morning hours. From his report:
“M.O.: Two or three suspects exit vehicle, look around for people watching them, then pretend to pump gas by placing the dispenser into the gas tank. One suspect will eventually enter the store, pay cash to purchase a small amount of gas or a drink to distract attention away from the pump. Meanwhile, another suspect places a skimming device inside the pump by opening the front with a universal key. Time to install/remove is between 5 – 10 minutes.”
I don’t worry too much about gas pump skimmers; there is virtually no way for the average consumer to tell if a pump has been compromised. But I would urge readers to avoid paying at the pump using a debit card. While debit cards have the same zero-liability protection afforded to credit cards, having your checking account emptied of cash can be a huge hassle and create secondary problems (bounced checks, for instance).
More information about the indictments in the New York case can be found in this press announcement (PDF).