-Sept. 9, 12:30 p.m. CT, Yucatan Peninsula, Mexico: Halfway down the southbound four-lane highway from Cancun to the ancient ruins in Tulum, traffic inexplicably slowed to a halt. There was some sort of checkpoint ahead by the Mexican Federal Police. I began to wonder whether it was a good idea to have brought along the ATM skimmer instead of leaving it in the hotel safe. If the cops searched my stuff, how could I explain having ultra-sophisticated Bluetooth ATM skimmer components in my backpack?
The above paragraph is an excerpt that I pulled from the body of Part II in this series of articles and video essays stemming from a recent four-day trip to Mexico. During that trip, I found at least 19 different ATMs that all apparently had been hacked from the inside and retrofitted with tiny, sophisticated devices that store and transmit stolen card data and PINs wirelessly.
In June 2015, I heard from a source at an ATM firm who wanted advice and help in reaching out to the right people about what he described as an ongoing ATM fraud campaign of unprecedented sophistication, organization and breadth. Given my focus on ATM skimming technology and innovations, I was immediately interested.
My source asked to have his name and that of his employer omitted from the story because he fears potential reprisals from the alleged organized criminal perpetrators of this scam. According to my source, several of his employer’s ATM installation and maintenance technicians in the Cancun area reported recently being approached by men with Eastern European accents, asking each tech if he would be interested in making more than 100 times his monthly salary just for providing direct, physical access to the inside of a single ATM that the technician served.
One of my source’s co-workers was later found to have accepted the bribes, which apparently had only grown larger and more aggressive after technicians in charge of specific, very busy ATMs declined an initial offer.
My source said his company fired the rogue employee who’d taken the bait, but that the employee’s actions had still been useful because experts were now able to examine the skimming technology first-hand. The company tested the hardware by installing it into ATMs that were not in service. When they turned the devices on, they discovered each component was beaconing out the same Bluetooth signal: “Free2Move.”
Turns out, Free2Move is the default name for a bluetooth beacon in a component made by a legitimate wireless communications company of the same name. I also located a sales thread in a dubious looking site that specializes in offering this technology in mini form for ATM PIN pads and card readers for $550 per component (although the site claims it won’t sell the products to scammers).
The Bluetooth circuit boards allegedly supplied by the Eastern Europeans who bribed my source’s technician were made to be discretely wired directly onto the electronic ATM circuit boards which independently serve the machine’s debit card reader and PIN pad.
Each of the bluetooth circuit boards are tiny — wafer thin and about 1 cm wide by 2 cm long. Each also comes with its own data storage device. Stolen card data can be retrieved from the bluetooth components wirelessly: The thief merely needs to be within a few meters of the compromised ATM to pull stolen card data and PINs off the devices, providing he has the secret key needed to access that bluetooth wireless connection.
Even if you knew the initial PIN code to connect to the Bluetooth wireless component on the ATM —the stolen data that is sent by the bluetooth components is encrypted. Decrypting that data requires a private key that ostensibly only the owners of this crimeware possess.
These are not your ordinary skimming devices. Most skimmers are detectable because they are designed to be affixed to the outside of the ATMs. But with direct, internal access to carefully targeted cash machines, the devices could sit for months or even years inside of compromised ATMs before being detected (depending in part on how quickly and smartly the thieves used or sold the stolen card numbers and PINs).
Not long after figuring out the scheme used by this skimmer, my source instructed his contacts in Cancun and the surrounding area to survey various ATMs in the region to see if any of these machines were emitting a Bluetooth signal called “Free2Move.” Sure enough, the area was blanketed with cash machines spitting out Free2Move signals.
Going to the cops would be useless at best, and potentially dangerous; Mexico’s police force is notoriously corrupt, and for all my source knew the skimmer scammers were paying for their own protection from the police.
Rather, he said he wanted to figure out a way to spot compromised ATMs where those systems were deployed across Mexico (but mainly in the areas popular with tourists from Europe and The United States).
When my source said he knew where I could obtain one of these skimmers in Mexico firsthand, I volunteered to scour the tourist areas in and around Cancun to look for ATMs spitting out the Free2Move bluetooth signal.
I’d worked especially hard the previous two months: So much so that July and August were record traffic months for KrebsOnSecurity, with several big breach stories bringing more than a million new readers to the site. It was time to schedule a quasi-vacation, and this was the perfect excuse. I had a huge pile of frequent flier miles burning a hole in my pocket, and I wasted no time in using those miles to book a hotel and flight to Cancun.
CANCUN
There are countless luxury hotels and resorts in Cancun, but it turned out that the very hotel I picked — the Marriott CasaMagna Hotel — had an ATM in its lobby that was beaconing the Free2Move signal! I had only just arrived and had potentially discovered my first compromised ATM.
However, I noticed with disappointment that for some reason all of my Apple devices — an iPhone 5, a late-model iPad, and my Macbook Pro — had trouble reliably detecting and holding the Free2Move signals from one of the two ATMs situated in the hotel lobby.
I decided that I needed a more reliable (and disposable) phone, so I hopped in the rental car for a quick jaunt down the road to the local TelCel store (TelCel is Mexico’s dominant mobile provider and a company owned by the world’s second-richest man — Carlos Slim). After perusing their phones, I selected a Huawei Android phone because — at around USD $117 — it was among the cheapest smartphones available in the store. Also, the phone came with plenty of call minutes and a semi-decent data allowance, so I could now avoid monstrous voice and data roaming charges for using my iPhone in Mexico.
Nearby the TelCel store was Plaza Caracol — a mall adjacent to a huge tourist nightlife area that is boisterous and full of Americans and Brits on holiday. The car parked in the mall’s garage, I pulled out my new Huawei phone and turned on its bluetooth scanning application. The first ATM I found — a machine managed by ATM giant Cardtronics — quickly showed it was beaconing two Free2Move signals.
Returning to the Marriott hotel, I found that the two Free2Move bluetooth signals showed up consistently and reliably on my new phone’s screen after about 5 seconds of searching for nearby bluetooth connections. The compromised ATM in the hotel also was a Cardtronics system.
At this point, I went to the front desk, introduced myself and asked to speak to the person in charge of security at the CasaMagna. Before long, I was speaking with no fewer than six employees from the hotel, all of us seated around a small coffee table overlooking the crystal-blue ocean and the pool. I explained the situation and everyone seemed to be very concerned, serious, asking smart questions and nodding their heads.
A man who introduced himself as the hotel’s loss prevention manager disclosed that Marriott had recently received complaints from a number of guests at the hotel who saw fraud on their debit cards shortly after using their ATM cards at the hotel’s machine. The loss prevention guy said the company responsible for the ATM — Cardtronics — had already sent someone out to review the integrity of the machine, but that this technician could not find anything wrong.
[SIDE NOTE: That technician may have only inspected the exterior of the machine before giving it a clean bill of health. Another explanation is that the technician that was sent to find skimming devices didn’t report their presence because he was the one who installed them in the first place!]
That same day, I phoned Giovanni Locandro, senior vice president of North American business development at Cardtronics. He told me the company conducts periodic “sweeps” in Mexico to look for skimming devices on its machines and that it was in the process of doing one at the moment down there, although he didn’t acknowledge whether he was familiar with the exact scheme I was describing.
“We are doing another sweep as we speak down there,” Locandro said. “We do random sweeps, especially in tourist areas to check for those devices. But we haven’t heard of any cards being cloned. Any devices we receive we take those to our internal security folks, and then we contact the authorities.”
I showed the hotel folks the bluetooth beacons emanating from the ATMs in the lobby, and showed them how to conduct the same scans on their phones. Everyone roundly agreed that the technician had to be called again. But there were two ATMs in the lobby — one dispensing Mexican Pesos and another dispensing only dollars. How to know which ATM is compromised, they asked? Unplug them one by one, I replied, and you’ll see very quickly which cash machine is hacked because the bluetooth beacon would shut off.
Despite more head nods and a round of verbal agreement from the hotel staff that this was a good idea, to my surprise nobody at the hotel bothered to touch the machine for two more days. I watched countless people withdraw money from the hacked ATM; some of those I warned while in the lobby were appreciative and seemed to grasp that perhaps it was best to wait for another ATM; others were less receptive and continued with their transactions.
The next morning — after verifying that the hotel’s ATM was still compromised and trying in vain to hail the security folks again at the hotel — I headed out in the rental car. I was eager to visit some of the other more popular tourist destinations about an hour to the south of Cancun, including Playa del Carmen, Tulum and Cozumel. I wanted to see how many of those towns were hacked by this same skimming crew.
I was about to learn that the true scope of this scam was far larger than I’d imagined.
If you haven’t already done so, please check out Part II and Part III of this investigative series:
I have been living in Mexico full time for the last 14 years. For the very reason mentioned in this article I have never used a credit card in Mexico for a purchase be it a restaurant, store and definitely never an ATM. As a B&B owner I also advise my guests against using their cards in Mexico. This scam has been going on forever. It’s just getting more and more sophisticated.
Hi MexiJeeper,
Just curious what you do recommend your guests to use for money when they are in Mexico on vacation. It is dangerous to carry large amounts of cash with you that you would need for long stays when you are travelling and most guests would not have accounts at mexican banks.
We come to Mexico (Puerto Vallarta area) yearly for 5 weeks and have started bring mainly pesos for our vacation from Canada but still have to go to bank ATM’s the last couple of weeks of our holiday as I do not want to carry $5000 canadian on me. We started doing this after our debit cards were compromised a couple of years ago.
Any suggestions on how to bring money or get it while in Mexico would be great!
Thanks, Melanie
I would recommend using your beaver.
Setup a second, temporary, bank account where you can put travel funds. then when you get back close the account.
Ryan,
If you set up a Travel account then close the account when you get back… the other side of this coin is that the closed bank account will be reported to credit bureau… whether you closed it or the bank did.
I would go to a bank and buy a Visa Travel Card and load the card with up to $5000. The funds you don’t spend can be taken out at any ATM and redeposited to you Bank account.
Brian,
Great work on this subject! Question: Do you know why your iPhone Bluetooth was not able to pick the signal from the ATM machine in Mexico. You mentioned that you had to pick up a cheap $100 phone while you were down there and that phone was able to detect the signal. Just curious.
Thank you for you work on this.
TCaz
Wish I knew, Tony. It wasn’t just the iPhone. Couldn’t pick them up reliably on my iPad either.
iPhone 5 should be able to read Bluetooth classic and Bluetooth Low Energy (AKA BLE or Bluetooth Smart). But iPhone’s BLE implementation is kind of proprietary and uses Apple’s own iBeacon standard. So it’s possible that the device is using a generic form of BLE that isn’t readable by iPhone but is readable by Android.
You would have to use a Bluetooth Classic or BLE sniffer to analyze the packets. You’d have to use something like an Ubertooth One.
Great article. I live in Mexico and use the ATM’s, as the banks here are insanely crowded and time consuming. Wondering if you could email me or do a quick post on how to scan ATM’s for bluetooth beacons. Or do you just turn on Bluetooth and look for devices?
I’ve googled it and am getting a lot of very techinical stuff. Iphone 4s…
Looking forward to part 2.
Thanks
Me too please!!
Turn on the bluetooth on your device (phone/tablet), then search for a bluetooth signal while being close to the ATM… if your phone shows a ‘bluetooth’ signal that reads ‘Free2Move’, well, there’s a good chance the ATM is compromised.
It’s very simple. Virtually every smart phone — Android or iOS — has a bluetooth scanner built-in. You just go to your settings page for the device, and look for a listing called “Bluetooth.” There should be a “scan” button. Click that.
Do you feel the skimmers will now move to unannounced bluetooth networks?
hi, so i was all over these areas dec 15 thru 25th of 2013 and my account was under my parents name and i had close to 150k dollars and between january 2014 and august 2014 my atm was cloned and i was cleaned out and my parents were supposed to monitor the account for me and knew i would spend no more then 2k a month 3k max anyway my parents also treated my money like it was there own and paid lots of personal bills off as well as having a second atm card that they used accross the world to take money when needed. anyway i dont care about what my parents stole or used but i cant get them to swallow their pride and just admit that they used my account for personal bills and lets catch the real criminals who looted me for all my money because by august of 2014 my parents told me i had no money left and i almost had a heart attack on the spot i was living in california at the time and was in and out of hospitals and didnt even have access to use atm as i had no use for money for most of the time in 2014. my parents cant see reason that they need to call the bank and have them investigate all of the atm withdrawls in mexico as i know for certainty that my card was cloned and being used fraudelently well they never swallowed their pride and not only did i not get refunded the money stolen by these criminals but the money they took for personal bills either. parents are dead to me
Civic-minded geeks might want to try the same kinds of scans in the USA, to see if any of their local ATMs are similarly infected. This seems simple enough to do, that high school kids could do it.
Someone could offer a prize to whoever finds the largest number of them in a month.
I’m not a tech person but after my husband told me about your article, I asked “why can’t the machine block the Bluetooth signal?” He said a small jamming device might work and to send you an email
We just returned from the Netherlands and were totally dependent on ATM so I really appreciate what you are doing
A small jamming device would possibly be removable from an ATM, and would also serve as an extreme annoying to people reliant on Bluetooth headsets and hearing aids. It could probably be limited, somehow, but jamming Bluetooth signals sounds like putting duct-tape on a steel pipe to stop it from leaking — impractical in the long run.
*annoyance
Actually this could be solved by making the outside of the ATM a Faraday cage. No electronic signal can get through.
It is (very near) impossible to make a faraday cage that blocks all electronic signals – certainly as the shell of an ATM it would be very problematic. Generally a given cage only blocks a certain frequency range, and it would be a design challenge (and additional operational cost, given that you would have to provide a not-insignificant charge for any effectiveness). You could (maybe) block say bluetooth and wifi, but someone could move down to a very low power lower frequency radio that would pass through without any difficulty.
Even “blocking” something like bluetooth or wifi would be difficult – all a faraday cage does to radio waves is cause significant signal attenuation, so if you were operating an inch from your transmitter (e.g. directly on the other side of the enclosure), it would be difficult to completely block that signal.
Jamming or a Faraday cage wouldn’t prevent your card from being skimmed, it would just make it more difficult for the thieves to extract the information. The Bluetooth is used to download the data from the scanner in batches, it’s not a real-time transmission as the card is scanned.
The criminals should have done a challenge/response system: send a specific message broadband that activates the download so the BT beacon isn’t being constantly sent, but then you give up your 1x2cm form factor.
The BT beacon is probably the easiest way to do things, you could sit down in a hotel lobby or on a bench on the street and inconspicuously download multiple compromised ATMs.
Hi I am also at Cancun, would likes to talk about other suspect in copyng crédit cards info. You have my mail.
Excellent article. …
Great article, is there a published list of known “skimmer” Bluetooth IDs like Free2Move? I know it is easy to change it but not in all cases.
Great articles Brian. I’ve read all three but chose to comment here because this is where you mentioned going to hotel security and letting them know their ATM’s were being skimmed. Don’t you think, if they had been bribed by the bad guys, you might have been putting your life in danger by letting them know you had come upon the scam? You’re a smart guy, but I hope not too naive on occaison. Be careful!
Investigative reporting carries some risk, and there is little way to avoid that. I judged the risk to be minimal in this case, in part because if anything happened to me there the hotel would likely suffer a pretty big hit in terms of tourism. But that’s part of the reason why I included so many different staff members from the hotel. The more people involved, the greater the chance that if someone was on the take that they’d be in the loop, but also generally speaking the more people who know about it the safer it is for the reporter of the problem.
As long as you weighed the risks Brian. You were operating in a country where Law Enforcement can be corrupt which can put you at grave risk. Keep the stories coming!
Are these Bluetooth skimmers able to obtain PIN information? I have always covered my hand when entering the PIN under the belief a small camera had to be used in addition to the skimmer in order to obtain the PIN.
I spend a good deal of time in Brasil, and must call my bank each time I am going to use an ATM. A lot of recent ATM theft incidents have been of the brute force type, using a backhoe to physically break open the ATM, gather the cash, then run. But, a Bluetooth skimmer was found at the international airport a few months ago, and I suspect they will spread quickly as the Olympics approach.
Just read Part2 of this series, and see that you have covered how the PIN is obtained using a separate Bluetooth device. Thanks.
Is any additional technical info available ie: power requirements, Encryption specs, power output, specific frequencies, exact size, etc. Based on some of the technical info you presented about passwords and encryption it sounds like you had some engineering assistance. Can you provide any additional info you have on the technical analysis or point us to whoever assisted in the reverse engineering so we can work on an automatic detection system or some type of jamming system for these types of devices?
Thanks,
Jack
Hi Jack,
I might be able to assist you with that. Perhaps Brian can send you my email address.
Does the phone have to be running on a local (Mexican) network for this to work? i.e. I probably just can’t switch my US phone to discovery mode and see the bluetooth networks show up?
Thanks.
Phone does not have to be connected to any network to work – You just have to have Bluetooth enabled and searching for devices. 99% of all cheap phones Windows or Android based should be able to detect the Bluetooth signal. Apple devices do have varied results in detecting…
I’m wondering if we know whether ‘skimming’ is present on ATMs in Merida or Valladolid? Has anyone tested them? If so, which ATMs were found to be safe?
I visit there every year and some hotels require cash payment, which leads me to use local ATMs.
An alternative would be to bring sufficient cash from the US to pay my hotel bills, but that means carrying around lots of money — not a good idea.
Thanks in advance,
Harold Sims
My family and I stayed at the CasaMagna Marriott in Cancun a few months ago, in mid-May of this year, and I used that EXACT ATM to withdraw local Mx currency on a couple of occasions. You can imagine my shock and dismay in reading your article & seeing your video. I thankfully don’t recall any bogus charges or withdrawals on the debit card I used…I receive an email with each transaction so I’m pretty sure that one didn’t fall through the cracks.
On one occasion a few years back an unauthorized withdrawal was made at an ATM in Panama using my European credit card data (I’ve never even been to Panama)…so I guess that I was a victim of a skimmer as a PIN was needed to make that unauthorized transaction. Thankfully my bank honored my fraud report and replaced the funds stolen.
I’m glad I came across your website through a post on facebook, very informative! Thanks for doing what you do.
Hi Peter,
If you have any concerns about your card potentially being compromised I strongly recommend that you contact your bank and request a new card. Sometimes card skimmers hold onto the card data for a long period of time before using the info just to throw people off their trail.
Banks will almost always replace your card for free if you suspect fraud.