September 15, 2015

I spent four days last week in Mexico, tracking the damage wrought by an organized crime ring that is bribing ATM technicians to place Bluetooth skimmers inside of cash machines in and around the tourist areas of Cancun. Today’s piece chronicles the work of this gang in coastal regions farther south, following a trail of hacked ATMs from Playa Del Carmen down to the ancient Mayan ruins in Tulum.

As I noted in yesterday’s story, the skimmers that this gang is placing in hacked ATMs consist of two Bluetooth components: One connected to the card reader inside each machine, and another attached to the PIN pad. Both components beacon out a Bluetooth signal called “Free2Move.” The thieves can retrieve the purloined card and PIN data just by strolling up to the hacked ATM with a smartphone, entering a secret passcode, and downloading all of the collected information.
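A defender-side way to triage notes from a survey like this one, as an added example that is not part of the original article: it reads discovery lines in the style `bluetoothctl` prints during a scan and flags sites where one or two distinct devices advertise the Free2Move name. The `# site:` markers, the function names and every address in the sample are assumptions made for illustration.

```python
import re
from collections import defaultdict

BEACON_NAME = "free2move"  # device name the article reports for both components

# Discovery lines in the style bluetoothctl prints while scanning:
#   [NEW] Device AA:BB:CC:DD:EE:FF Some Name
DEVICE_RE = re.compile(
    r"\[NEW\]\s+Device\s+((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+(.+)$"
)

# Constructed survey notes. The "# site:" markers are an assumed note-taking
# convention and every address below is made up.
SAMPLE_LOG = """\
# site: hotel lobby ATM
[NEW] Device 02:00:00:00:10:01 Free2Move
[NEW] Device 02:00:00:00:10:02 Free2Move
[NEW] Device 02:00:00:00:20:01 Portable Speaker
# site: airport check-in ATM
[NEW] Device 02:00:00:00:30:01 Phone
# site: airport escalator ATM
[NEW] Device 02:00:00:00:40:01 free2move
[NEW] Device 02:00:00:00:40:01 free2move
"""


def parse_survey(text):
    """Return {site: {address: name}} for every discovery line in the notes."""
    sites = defaultdict(dict)
    site = "unlabelled"
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("# site:"):
            site = line.split(":", 1)[1].strip()
            sites[site]  # keep the site even if no device is seen there
            continue
        match = DEVICE_RE.search(line)
        if match:
            # Keying on the address collapses repeated sightings of one device.
            sites[site][match.group(1).upper()] = match.group(2).strip()
    return dict(sites)


def assess(sites):
    """Map each site to (verdict, sorted addresses advertising the beacon name)."""
    report = {}
    for site, devices in sites.items():
        hits = sorted(a for a, n in devices.items() if n.lower() == BEACON_NAME)
        if len(hits) >= 2:
            verdict = "suspect: both components seen"
        elif len(hits) == 1:
            verdict = "suspect: one beacon seen, rescan"
        else:
            # No match only means nothing was beaconing during the scan.
            verdict = "no matching beacon"
        report[site] = (verdict, hits)
    return report


if __name__ == "__main__":
    for site, (verdict, hits) in assess(parse_survey(SAMPLE_LOG)).items():
        print(f"{site}: {verdict} {hits}")
```

A name match is an indicator to follow up on rather than proof of tampering, and a site with no match is not cleared by the scan.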

Having found two hacked ATMs in Cancun — including one in the lobby of my hotel (the Marriott CasaMagna) — I decided to check out other tourist destinations in the region. On the way to Tulum, I dropped in at the Barcelo, a huge, all-inclusive resort. The security guards at the front gate at the resort initially prevented me from entering the complex because I didn’t have reservations.

After 10 minutes of Googling on my phone and a call to the front desk, the guards seemed satisfied that I was interested in buying a day pass to the hotel’s various facilities. The gate lifted and I was let in. Five minutes later, the very first ATM I stopped at was found to be emanating the telltale Free2Move Bluetooth signals indicating a compromise.

No sooner had I finished documenting that hacked ATM than a security guard rode up on a motorcycle and asked if I was having trouble finding the day-pass desk. I replied that I’d be headed that way shortly.

The Barcelo security guard followed me closely as I returned to my rented Jetta and drove to a different building in the complex. Multiple security guards were beginning to shadow me at a respectful distance. I decided it was best to at least demonstrate that I had an intention of buying a day pass.

The Barcelo reception desk said the price would be USD $80 per person. Feigning shock over the hefty price tag, I declared loudly that I had to hit the hotel’s ATM to withdraw more cash in order to pay such exorbitant prices. That ATM also was beaconing the Free2Move Bluetooth signal, but the ATM itself returned errors stating that it was temporarily offline and unable to dispense cash.

That outage turned out to be the perfect excuse to visit a third ATM in the complex, as I again loudly explained to the security guy following a few paces behind.  By this point, a much more stern and beefy guard began following me around on foot, his walkie-talkie buzzing periodically as I crossed the hotel campus. The third and final ATM I checked also was compromised. While I was sure there were more ATMs I hadn’t checked in other areas of the resort, I decided not to press my luck, and hopped back in the Jetta and resumed my journey to Tulum.

TULUM

Halfway down the southbound four-lane highway from Cancun to the ancient ruins in Tulum, traffic inexplicably slowed to a halt. There was some sort of checkpoint ahead by the Mexican Federal Police. I began to wonder whether it was a good idea to have brought along the ATM skimmer I’d received from a source instead of leaving it in the hotel safe. If the cops searched my stuff, how could I explain having ultra-sophisticated Bluetooth ATM skimmer components in my backpack?

A sign across the street from the police department in Tulum.


After several nervous minutes of creeping traffic, I was waved on through the checkpoint and immediately felt silly for having gotten so worked up about it. However, upon my arrival 20 minutes later in Tulum — a popular tourist destination due to its proximity to the Mayan ruins — I would have a much closer encounter with the police.

As I pulled into the area where tour buses normally drop off passengers by the hundreds each hour, a number of men stood waving pamphlets and offering “Cheap!” parking that was anything but (or at least I thought at the time). Each was trying to direct me to park the Volkswagen in one of several large, dusty lots.

“I’ll just be about five minutes,” I said, stupidly putting the vehicle in park on the main street right in front of the tourist lot. The attendants just shook their heads and began hailing other newcomers.

The Tulum visit yielded another three ATMs within a few hundred meters of each other that were all emanating the Free2Move signal. But unfortunately, that jaunt took more than five minutes: When I returned to the Volkswagen, I found a parking ticket on the windshield and the parking attendants smirking, gleefully shouting in Spanish that I should have listened to them and parked in their lot.

The ticket wasn’t for that much money. More concerning, the license plate had been removed from the front of the car.  At first I thought someone had stolen it, but one of the locals explained that this was a common practice used by Mexican police to ensure people actually pay quickly and — more importantly for them — locally, for their parking and traffic fines (and then some). The removal of the plates from the rented vehicle necessitated a stop at the police station at the entrance to the ruins; 20 minutes and the equivalent of $200 later, I was back in possession of the car’s front plate and headed back toward Cancun.

PLAYA DEL CARMEN

Yours Truly, in front of a hacked ATM in Playa Del Carmen.


My next stop was Playa Del Carmen, another tourist destination popular with Americans but quite a bit less rowdy than the Plaza Caracol nightclub area in Cancun. A lengthy and sweaty stroll down Playa del Carmen’s leafy 5th Avenue revealed five more compromised ATMs pulsing out the Free2Move bluetooth signals.

After a late and thankfully enormous lunch at a local Argentinian steakhouse, I was feeling refreshed enough to continue to the third leg of the journey. With twilight approaching and colorfully lit signs blazing to life along the main tourist boulevard, a steady breeze set in and mercifully tamed the otherwise sticky and oppressive heat. It was time to board the hourly ferry to Cozumel.

COZUMEL

This speedy cruiser takes riders on a 45-minute ride to Cozumel, an island whose surrounding deep green-blue clear water makes it an immensely popular spot for scuba divers and tourists alike. By this time, the fitness tracker on my arm tapped my wrist to report that I’d massively overachieved my daily fitness goal: I’d walked almost 13 miles at that point, and I hadn’t even strolled around Cozumel yet.

A compromised ATM in Cozumel.


Once off the ferry in Cozumel, I commenced about two more kilometers of walking the main commercial road adjacent to the ferry dock. I found four more apparently hacked ATMs that were blasting out the telltale bluetooth signals.

I was physically drained, but very happy with the results of my reconnaissance missions, and glad to have been able to see so many places on the coast in such a short time.

I arrived back at the CasaMagna Marriott after midnight, exhausted but also interested in stopping by the ATM to see if any action had been taken. To my astonishment, someone had finally unplugged the Cardtronics peso machine that was stealing card data and PINs from users. With the power to the hacked ATM unplugged, the Free2Move beacons were no longer transmitting.

Unfortunately, I had to catch a flight home the next morning. But as the taxi dropped me off in front of the airport, I decided to check all of the cash machines in the terminal. The first one I found just inside the check-in area was clean (at least it didn’t appear to be beaconing bluetooth signals). The second ATM, however — situated next to an escalator and a currency exchange shop but before the security screening checkpoint — was broadcasting the now familiar bluetooth signal. 

This woman raced ahead of me as I was filming this compromised ATM. She was successfully dissuaded from using it.


As I prepared to document the compromise on my GoPro camera, an apparently American woman raced ahead of me and beat me to the ATM. Before she could enter her PIN, I turned off the camera and explained who I was. The traveler replied that she was in a great hurry. I told her that the ATM she was about to use would soon cause her checking account to be hijacked and drained.

The woman looked at me in what seemed to be exasperation for a moment, before withdrawing her card from the machine and heading wordlessly across the airport lobby to the other ATM.

Packing my camera gear back into its case, I carefully peered around the backside of the ATM. I noticed it was plugged into the wall facing the escalator.

As I rode the escalator up to the security gates and gazed down over the handrail, I could no longer see the darkened screen of the ATM, but somehow neither was the power cord still attached to the wall. Pulling out my new Huawei phone for the last time, I smiled as the Bluetooth scanner tried in vain to find any beacons.

In case you missed it, please see the first installment in this series: Tracking a Bluetooth Skimmer Gang in Mexico. Later this week, we’ll take a look at the shadowy organization that appears to be responsible for this crime spree.


If you haven’t already seen them, please check out the other two stories in this three-part series:

Tracking a Bluetooth Skimmer Gang in Mexico

Who’s Behind Bluetooth Skimming in Mexico?


138 thoughts on “Tracking Bluetooth Skimmers in Mexico, Part II”

  1. jp

    So you tried several ATMs at random locations. I am wondering if you tested any ATM located inside a bank branch or only those from Cardtronics are affected. Also, I am also wondering if that also happens in other parts of the country… I guess we’ll be scanning with the Bluetooth…

  2. BrianKrebs Post author

    Here’s a partial breakdown of the machines I found

    Plaza Caracol (Cancun) – Cardtronics
    Marriott – Cardtronics
    Barcelo #1 – Cardtronics
    Barcelo #2 – Cardtronics
    Barcelo #3 – Cardtronics
    Tulum Ruins – CiBanco
    Tulum Ruins – Multiva (No Receipt – Communications Error)
    Tulum Hotel Zone – CiBanco
    Playa 1st Ave/12-14 St – Cardtronics (No Receipt – Clausorado)
    Playa 5th Ave/20th St – Cardtronics (No Receipt – Paper Jam)
    Playa 3rd St – Cardtronics B2781C
    Playa 3rd St – CiBanco SK100048
    Playa 10th Ave Commercial – Cardtronics B2781C
    Cozumel – 3rd Street – Cardtronics
    Cozumel – 5th Street – Cardtronics
    Cozumel – Royal Village Mall – Cardtronics
    Cozumel – 2nd Street – Cardtronics

    1. Merryl Zuparko

      My daughter and I each used a Citibank debit card at an ATM machine outside a Banamex Bank in Isla Mujeres. This was in 2011. We figured it would be safe since Banamex is affiliated with Citibank. Several months later we both had large amounts of money withdrawn from our Citibank accounts. The transactions were from Santa Fe Mexico. So it appears bank ATMs are not safe either.

    2. Erik

      Fascinating reporting. I visit Cancun often, as do several friends. I’ve never used an ATM there, but I will be certainly passing this along to friends.

      One question, though: while you list the ATMs you found that were compromised, can you give us the ratio of ones that you checked that were not? Obviously, you can’t account for every ATM in any given area, but a compromise ratio would be interesting.

  3. Dave

    Nice piece. Next stop for these criminals is Bluetooth’s undiscoverable mode though. The only way to find them then is hardware Bluetooth signal detectors or bluesniff.

    Were all these ATMs 3rd party ones rather than bank-based ATMs?
    Were they all from the same manufacturer too?

  4. Outer Space Guy

    Nice reporting! Now enjoy your vacation next time! 🙂

  5. TZ-Security

    Nice findings, and kinda scary at the same time.
    Wondering what is the rate of successful money refund if clients receive unknown card charges and complain to their bank.

    “If the cops searched my stuff, how could I explain having ultra-sophisticated Bluetooth ATM skimmer components in my backpack?”
    They are cops, if it is not some sort of drugs, pills or anything that looks like a bomb, they don’t care. You can say “parts for laptop” and they wouldn’t know the difference.

  6. Jorge B.

    Hi Brian,

    I’m from Merida, Yucatan, not so far from Quintana Roo (Cancun, Tulum, Playa del Carmen… etc). Since your reports I have been scanning all the ATMs available in my city looking for that Free2Move Bluetooth signal.
    My question is… if I found an ATM with that signal, who should I contact? What information should I take besides the location of the compromised ATM?

    Kindest Regards
    PS: Awesome investigation.

    1. BrianKrebs Post author

      I don’t know. I would exercise extreme caution in reporting these to anyone, unless you can do it anonymously. In these cases, the technicians responsible for servicing the machines are in on the scam, so reporting it up the chain can be dicey — especially if you live there. I didn’t run this story until I got home.

      1. Jorge B

        Well, I haven’t scanned more than 5 ATMs, mostly at crowded places like shopping malls and convenience stores. So far nothing, which I assume is good and means the gang hasn’t expanded beyond Quintana Roo, but I haven’t checked a hotel or an airport. Anyway, if I found something, can I send you the info? I know this is quite dangerous for me to do, but I’m sure I will take precautions while scanning and avoid reporting to any local authority.

      1. Sam

        I’m sorry but I think I missed the part about why we could trust them?

  7. Curve

    Checked out tripadvisor for the locations you visited – lo and behold people have warned about skimmers and knowing exactly where the compromise occurred- even found an article that dates back to June’15. This has been going on for some time already:( I hope you don’t have any issues with me sharing this – need to warn folks about your finding on the evolution of ATM skimming. Anticipating syndicates will go through costly lengths to acquire this code – or even worse, this might show up as open source. This scam could work in any country. Thanks for the great work and these eye opening articles 🙂

    1. IA Eng

      HA ! Go ahead and pay for the costs of getting them there, and keeping up with Brian’s over half marathon of walking.

    2. BrianKrebs Post author

      Uh..do you have any idea how expensive that is? Also, nobody pays attention to one more tourist with a selfie stick. But the minute you start walking around with a camera crew, you’re going to attract a lot of attention, which is something I tried to avoid.

  8. Marius Lubbe

    Bought your book at Amazon, loved it. I am happy to see your crusade is continuing. I will check out ATMs with Bluetooth from now on.

    Regards,
    Marius
    Cape Town
    South Africa

  9. PHP

    A Danish website has an article: 4 foreign men have for the last 9 months been selling half-price holidays in their own “travel agency” in a bazaar near a local ghetto, even using real t-shirts from the companies they were reselling for. The holidays were bought with stolen card data, from Mexico. Many happy customers, as it usually took up to 12 weeks before the banks reported cards as stolen. So some customers were stranded on Tenerife, and couldn’t get home before paying in full.

    So the cards were used all over the world. Now the real travel agencies will only accept local credit cards.

    http://www.dr.dk/nyheder/regionale/oestjylland/kreditkort-svindlere-solgte-charterrejser-til-halv-pris

  10. Diego

    Very interesting findings. So every ATM that has a Free2Move BT signal is compromised? mmhm Well in Mexico City, but gonna check around, maybe geolocate those compromised ATMs. As you said, authorities are in collusion with these gangs so it’s hard to make them solve it, but at least some prevention could be useful.

    Thanks for all your efforts

  11. foo

    So I guess the only way to use cards to withdraw cash in such areas is to set up multiple accounts with just a couple hundred dollars in each one, and for each one you just withdraw the whole amount, only using its card once, then close the account??

  12. koo-jii

    I just wonder: the last picture in this article shows a woman at an ATM. The keypad for the pin code is clearly visible from afar. Shouldn’t there be like a shelter around the machine.

  13. Sykophantes

    Fascinating articles! It gives an image that 95% of the ATMs in areas frequented by foreign tourists were compromised. 2 questions:
    1. Is there an artefact (between your eye and ear) in the selfie photo?
    2. You leave somewhat to be understood that you unplugged the ATM in the airport to protect future victims. What could happen to someone unplugging an ATM if it happens while someone from police or airport security was watching? I guess no more than some questioning/explaining to do and possibly a fine for “vandalizing” if you cannot convince them you did it to protect innocent victims? Or there could be more serious risks?

  14. Paul

    Thanks for this amazing story.

    Roughly what proportion of ATMs you checked were hacked?

    1. BrianKrebs Post author

      It’s hard to say because I don’t know if I checked them all. But it was probably in the single digits.

    1. Eric

      With an Android phone, it is just like you are pairing something like an audio headset to the phone. The specifics might depend a bit on exactly what version of Android you have, but there are good tutorials out on the web that show how you do this.

      You don’t need or want to try and pair your phone with the ATM of course – you really only need to scan for bluetooth devices and then see what turns up.

  15. Onald Ump

    It’s too bad that the security guards at the Barcelo didn’t catch those who installed the skimmers there.

    I Love Mexico!

  16. Anonymous

    You say every ATM has 2 devices, one for the card and one for the pinpad, are both beaconing free2move? You showed in the video 2 signals, were they from the same ATM or one from the Pesos ATM and one from the dollars ATM ?

  17. Andy

    This investigation is awesome. I plan to go to Cancun next year. How can I avoid being scammed? Will travellers cheques / cash be enough to keep us safe? I’m currently living in the Netherlands and we pay with cards everywhere so I’m not really used to handling large amounts of cash.

  18. John

    Brian – Thanks for this great series of articles, as well as your website’s continuous investigative posts.

    I thought I was careful with my banking ATMs but your articles have continued to heighten my awareness of just how technically literate and sophisticated these thieves have gotten. I’m just about ready to destroy my ATM card and go back to writing checks at the bank, when I need cash!

    40 years ago the banks promised security and convenience with these new “Money Access Cards” and terminals and claims of never needing to visit the bank tellers again. Amazing how quickly that has turned around.

    Thank you again – and keep up the Great work.

  19. Eric

    Usually I avoid ATMs in resorts like this, but mainly because of the fees. But you have now given me a new reason to be wary of these things.

    For the time being, we will all be able to use our phones to check for Bluetooth signals, and it will be interesting to see if there are reports of other compromised ATMs in other countries, or whether the conditions in Mexico are uniquely related to the amount of official corruption that exists down there.

    I expect that eventually the people that make these things will fix them to no longer be discoverable once they are installed and paired, and that will make it harder for us mere mortals to detect a compromised ATM.

  20. Randy

    I checked with a friend that I know that works for an ATM company in the Midwest. He said that they find all kinds of skimmers on most ATMs that are not on bank property.

  21. Bill

    Timely article. I’m going to Punta Cana in the Dominican Republic next week. Even though Brian was in Mexico I have to expect in places like DR that have big tourist spots could be subject to similar schemes. Maybe I’ll have to look into the old standby, travelers checks :-).

    1. BrianKrebs Post author

      I don’t know, but it’s worth noting that all of the ATMs we saw that were compromised were free-standing ATMs (i.e. not installed at a bank or in a wall).

  22. John 2.0

    Brian, do you have any plans of expanding your search into the European Countries? Because you mentioned in the first article that it was Eastern Europeans that propositioned a Mexican employee to allow them access to the machines. It would be interesting to see if this is more widespread than Mexico, and I imagine that it is easier for these criminals to probe and compromise manufacturers of these machines in impoverished nations like Mexico.

  23. George G

    “The woman looked at me in what seemed to be exasperation for a moment, before withdrawing her card from the machine and heading wordlessly across the airport lobby to the other ATM.”

    No Thank You, of course …

  24. Michael Lehman

    Great article Brian.

    As EMV takes a stronger foothold in the US, one can assume that ATMs even in the US become more likely candidates for thieves to target. Your article should serve as a caution to many ATMs everywhere.

  25. FB

    Great reporting and very timely, I’m heading down to Cancun in 3 weeks. I’ll plan on taking enough dollars and pesos with me to avoid the local ATMs. Thanks

  26. NotMe

    Gee, I would gladly go about the planet scanning for bluetooth signals should the funding become available.

    Anytime, Anywhere. No worries on the 15 miles a day I’m sure I can put aside anything else should someone want to sponsor such a discovery.

    Great work Brian!
    Always a good read, can’t wait to read the rest of the story.
