15 Sep 15

Tracking Bluetooth Skimmers in Mexico, Part II

I spent four days last week in Mexico, tracking the damage wrought by an organized crime ring that is bribing ATM technicians to place Bluetooth skimmers inside of cash machines in and around the tourist areas of Cancun. Today’s piece chronicles the work of this gang in coastal regions farther south, following a trail of hacked ATMs from Playa Del Carmen down to the ancient Mayan ruins in Tulum.

As I noted in yesterday’s story, the skimmers that this gang is placing in hacked ATMs consist of two Bluetooth components: One connected to the card reader inside each machine, and another attached to the PIN pad. Both components beacon out a Bluetooth signal called “Free2Move.” The thieves can retrieve the purloined card and PIN data just by strolling up to the hacked ATM with a smartphone, entering a secret passcode, and downloading all of the collected information.
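The Free2Move beacon is the only observable this series relies on, so the natural defender-side check is a filter over a Bluetooth scan. The script below is an added example, not code from this post or from any tool it mentions: it parses discovery output in the address-then-name form that BlueZ’s `hcitool scan` prints (an assumption about that tool’s format; any "MAC, whitespace, name" lines will do) and flags every device whose advertised name matches the skimmer beacon, case-insensitively. The addresses and the non-skimmer entry in the sample are constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Beacon name this series reports on compromised ATMs. Matched
# case-insensitively, since the post writes "Free2Move" and readers
# write "Free2move".
SKIMMER_BEACON_NAMES = {"free2move"}

# One device per line: a Bluetooth address followed by the advertised
# name. This is the shape of BlueZ `hcitool scan` output (an assumption
# about that tool; the sample below is constructed, not a real capture).
_LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+(.*?)\s*$")


@dataclass(frozen=True)
class Device:
    address: str
    name: str


def parse_scan(text: str) -> List[Device]:
    """Turn scan output into Device records, skipping headers and blank lines."""
    devices = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            devices.append(Device(m.group(1).upper(), m.group(2)))
    return devices


def flag_skimmer_beacons(devices: List[Device]) -> List[Device]:
    """Return the devices whose advertised name is a known skimmer beacon."""
    return [d for d in devices if d.name.lower() in SKIMMER_BEACON_NAMES]


def assess(text: str) -> Dict[str, object]:
    """Summarise a scan: which beacons were flagged and how many of each.

    The post says each hacked ATM carries two Free2Move components (one on
    the card reader, one on the PIN pad), so a single compromised machine
    usually shows up as a pair of beacons."""
    devices = parse_scan(text)
    flagged = flag_skimmer_beacons(devices)
    counts = Counter(d.name.lower() for d in flagged)
    return {
        "devices_seen": len(devices),
        "flagged": [d.address for d in flagged],
        "beacon_counts": dict(counts),
        "compromised": bool(flagged),
    }


# Constructed sample: the addresses and the "JBL Flip 3" entry are made up.
SAMPLE_SCAN = (
    "Scanning ...\n"
    "\t00:1A:7D:DA:71:13\tFree2Move\n"
    "\t00:1A:7D:DA:71:14\tFree2Move\n"
    "\t5C:F3:70:8B:22:01\tJBL Flip 3\n"
    "\t34:02:86:AA:10:9C\tfree2move\n"
)

if __name__ == "__main__":
    import sys

    # Read a scan from stdin when one is piped in (hcitool scan | python scan_check.py),
    # otherwise run against the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SCAN
    result = assess(data)
    verdict = (
        "known skimmer beacon present; do not use this ATM"
        if result["compromised"]
        else "no known skimmer beacon seen"
    )
    print(f"{result['devices_seen']} device(s) seen; {verdict}")
    for addr in result["flagged"]:
        print(f"  skimmer beacon at {addr}")
```

A clean result means only that nothing advertised the known name; as readers in the comments point out, the name is a choice the gang can change, and a beacon can be put on a timer, so this check catches the current campaign rather than skimmers in general.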

Having found two hacked ATMs in Cancun — including one in the lobby of my hotel (the Marriott CasaMagna) — I decided to check out other tourist destinations in the region. On the way to Tulum, I dropped in at the Barcelo, a huge, all-inclusive resort. The security guards at the front gate at the resort initially prevented me from entering the complex because I didn’t have reservations.

After 10 minutes of Googling on my phone and a call to the front desk, the guards seemed satisfied that I was interested in buying a day pass to the hotel’s various facilities. The gate lifted and I was let in. Five minutes later, the very first ATM I stopped at was found to be emanating the telltale Free2Move Bluetooth signals indicating a compromise.

No sooner had I finished documenting that hacked ATM than a security guard rode up on a motorcycle and asked if I was having trouble finding the day-pass desk. I replied that I’d be headed that way shortly.

The Barcelo security guard followed me closely as I returned to my rented Jetta and drove to a different building in the complex. Multiple security guards were beginning to shadow me at a respectful distance. I decided it was best to at least demonstrate that I had an intention of buying a day pass.

The Barcelo reception desk said the price would be USD $80 per person. Feigning shock over the hefty price tag, I declared loudly that I had to hit the hotel’s ATM to withdraw more cash in order to pay such exorbitant prices. That ATM also was beaconing the Free2Move Bluetooth signal, but the ATM itself returned errors stating that it was temporarily offline and unable to dispense cash.

That outage turned out to be the perfect excuse to visit a third ATM in the complex, as I again loudly explained to the security guy following a few paces behind. By this point, a much more stern and beefy guard began following me around on foot, his walkie-talkie buzzing periodically as I crossed the hotel campus. The third and final ATM I checked also was compromised. While I was sure there were more ATMs I hadn’t checked in other areas of the resort, I decided not to press my luck, and hopped back in the Jetta and resumed my journey to Tulum.

TULUM

Halfway down the southbound four-lane highway from Cancun to the ancient ruins in Tulum, traffic inexplicably slowed to a halt. There was some sort of checkpoint ahead by the Mexican Federal Police. I began to wonder whether it was a good idea to have brought along the ATM skimmer I’d received from a source instead of leaving it in the hotel safe. If the cops searched my stuff, how could I explain having ultra-sophisticated Bluetooth ATM skimmer components in my backpack?

A sign across the street from the police department in Tulum.

After several nervous minutes of creeping traffic, I was waved on through the checkpoint and immediately felt silly for having gotten so worked up about it. However, upon my arrival 20 minutes later in Tulum — a popular tourist destination due to its proximity to the Mayan ruins — I would have a much closer encounter with the police.

As I pulled into the area where tour buses normally drop off passengers by the hundreds each hour, a number of men stood waving pamphlets and offering “Cheap!” parking that was anything but (or at least I thought at the time). Each was trying to direct me to park the Volkswagen in one of several large, dusty lots.

“I’ll just be about five minutes,” I said, stupidly putting the vehicle in park on the main street right in front of the tourist lot. The attendants just shook their heads and began hailing other newcomers.

The Tulum visit yielded another three ATMs within a few hundred meters of each other that were all emanating the Free2Move signal. But unfortunately, that jaunt took more than five minutes: When I returned to the Volkswagen, I found a parking ticket on the windshield and the parking attendants smirking, gleefully shouting in Spanish that I should have listened to them and parked in their lot.

The ticket wasn’t for that much money. More concerning, the license plate had been removed from the front of the car. At first I thought someone had stolen it, but one of the locals explained that this was a common practice used by Mexican police to ensure people actually pay quickly and — more importantly for them — locally, for their parking and traffic fines (and then some). The removal of the plates from the rented vehicle necessitated a stop at the police station at the entrance to the ruins; 20 minutes and the equivalent of $200 later, I was back in possession of the car’s front plate and headed back toward Cancun.

PLAYA DEL CARMEN

Yours Truly, in front of a hacked ATM in Playa Del Carmen.

My next stop was Playa Del Carmen, another tourist destination popular with Americans but quite a bit less rowdy than the Plaza Caracol nightclub area in Cancun. A lengthy and sweaty stroll down Playa del Carmen’s leafy 5th Avenue revealed five more compromised ATMs pulsing out the Free2Move bluetooth signals.

After a late and thankfully enormous lunch at a local Argentinian steakhouse, I was feeling refreshed enough to continue to the third leg of the journey. With twilight approaching and colorfully lit signs blazing to life along the main tourist boulevard, a steady breeze set in and mercifully tamed the otherwise sticky and oppressive heat. It was time to board the hourly ferry to Cozumel.

COZUMEL

This speedy cruiser takes riders on a 45-minute ride to Cozumel, an island whose surrounding deep green-blue clear water makes it an immensely popular spot for scuba divers and tourists alike. By this time, the fitness tracker on my arm tapped my wrist to report that I’d massively overachieved my daily fitness goal: I’d walked almost 13 miles at that point, and I hadn’t even strolled around Cozumel yet.

A compromised ATM in Cozumel.

Once off the ferry in Cozumel, I commenced about two more kilometers of walking the main commercial road adjacent to the ferry dock. I found four more apparently hacked ATMs that were blasting out the telltale bluetooth signals.

I was physically drained, but very happy with the results of my reconnaissance missions, and glad to have been able to see so many places on the coast in such a short time.

I arrived back at the CasaMagna Marriott after midnight, exhausted but also interested in stopping by the ATM to see if any action had been taken. To my astonishment, someone had finally unplugged the Cardtronics peso machine that was stealing card data and PINs from users. With the power to the hacked ATM unplugged, the Free2Move beacons were no longer transmitting.

Unfortunately, I had to catch a flight home the next morning. But as the taxi dropped me off in front of the airport, I decided to check all of the cash machines in the terminal. The first one I found just inside the check-in area was clean (at least it didn’t appear to be beaconing Bluetooth signals). The second ATM, however — situated next to an escalator and a currency exchange shop but before the security screening checkpoint — was broadcasting the now familiar Bluetooth signal.

This woman raced ahead of me as I was filming this compromised ATM. She was successfully dissuaded from using it.

As I prepared to document the compromise on my GoPro camera, an apparently American woman raced ahead of me and beat me to the ATM. Before she could enter her PIN, I turned off the camera and explained who I was. The traveler replied that she was in a great hurry. I told her that the ATM she was about to use would soon cause her checking account to be hijacked and drained.

The woman looked at me in what seemed to be exasperation for a moment, before withdrawing her card from the machine and heading wordlessly across the airport lobby to the other ATM.

Packing my camera gear back into its case, I carefully peered around the backside of the ATM. I noticed it was plugged into the wall facing the escalator.

As I rode the escalator up to the security gates and gazed down over the handrail, I could no longer see the darkened screen of the ATM, but somehow neither was the power cord still attached to the wall. Pulling out my new Huawei phone for the last time, I smiled as the Bluetooth scanner tried in vain to find any beacons.

In case you missed it, please see the first installment in this series: Tracking a Bluetooth Skimmer Gang in Mexico. Later this week, we’ll take a look at the shadowy organization that appears to be responsible for this crime spree.


If you haven’t already seen them, please check out the other two stories in this three-part series:

Tracking a Bluetooth Skimmer Gang in Mexico

Who’s Behind Bluetooth Skimming in Mexico?


138 comments

  1. A few years back my banking card was skimmed in Playa del Carmen at an ATM next to the “big arches” restaurant on 5th Ave. They got my card # and PIN. I didn’t notice until 3-4 months post my trip there had been some cash withdrawals from various places in Mexico from my account. I searched my account history and I found a pattern of small withdrawals each time moving up to higher and higher amounts. The last withdrawal amount was around $250. I finally noticed and contacted my bank. Not sure why my bank Citibank did not notice this anomalous activity. I live in Chicago making transactions every day and at the same time there were cash withdrawals in Mexico…. Anyway, Citibank reversed all the charges and got my monies back.

  2. I’ve long recommended sticking to credit cards other than at the bank, for the simple fact that it separates transactions from cash. Skimmers in ATMs make this advice all the more relevant. I’d have thought though that hotels and resorts would have almost as much incentive as the banks themselves to ensure the integrity of their ATMs. Thanks for proving me wrong 🙂

    Great investigative work as always.

    I’d be very curious whether there is enough data to weigh the relative risks of ATM fraud versus carrying sufficient cash for a trip.

    • This has been a concern of mine for some time. Could someone provide a definitive answer – are CC’s more immune to skim/scam than ATM cards?

      • It isn’t that your Credit Card can’t be skimmed.

        a. the hazards of skimming your Credit Card are more minor than having your Debit/ATM Card skimmed (you don’t risk overdraft on your bank account, they can’t attack other connected bank accounts).
        b. Credit Cards issuers are better positioned to detect fraud and reissue your card.

        For (b), at least, American Express and Discover are. The same (a) should apply to Visa/MasterCard cards, although technically those are issued by the same banks as your Debit/ATM Cards, so (b) is probably less applicable.

        • The crucial reason to use a CC rather than a Debit Card is that for several decades the maximum amount you are liable for is $50. And most banks guarantee you will lose nothing. (My wallet was stolen with my CC and I lost nothing but it’s somewhat of a hassle.) Debit cards are different in that you can be held for the entire loss, although my bank advertises they will reimburse you.

    • Yes, but acceptance of credit cards is much less common in Mexico than the US. Especially at the less touristy places. 😉

  3. Brian; thank you, very eye opening.
    How long before the criminals change the bluetooth “Free2Move” to another less suspicious name that looks legitimate? (or is this something hardwired into the BT chip?)
    Thanks Brian, love your book

  4. Brian – the more I read your stuff the more I feel this is an unwinnable war. The criminals always seem to be several steps ahead.

    • The story is a familiar one. People like the convenience of an ATM (I am old enough to remember having to get to the bank before they closed to get cash). And the banks liked them too – they didn’t need to pay tellers – they could just let the machines do the work.

      For many years it kind of worked, but the criminals become increasingly sophisticated as time goes on, and my own theory is that many of the unattended ATM machines will just go away.

      It isn’t that much different with the myriad of bugs that afflict various versions of Windows or Adobe Flash. At the core, there are features that people like, and new whizbang features are far more compelling than something that has fewer features but is more secure.

      • > the criminals become increasingly sophisticated as time goes on, and my own theory is that many of the unattended ATM machines will just go away.

        This! There are simple workarounds for the gangs to continue to evolve the ‘Bluetooth’ ATM siphon link in ways that are increasingly undetectable.

        Ultimately, people will want to use their phone with the equivalent of Apple Pay, but paying with micro-payments. Still not ideal because of malware on Smartphones though.

        • Even worse than malware – there is no router firewall between your cell phone and the rest of the world. At least on your home computer, there’s usually a router (even if the router has a telco back door).

          • Here in Australia, the IP we get from our telco (Telstra) is NAT’d; we have an internal 10.0.0.0/8 IP, and external-facing IPs.

            • This probably explains why we haven’t had to switch to IPv6 everywhere yet. Although I don’t know how the rest of the telco world works with IP addresses.

  5. Thanks for this very informative series.

    What proportion of the ATMs you approached were compromised?

  6. Last summer I visited the Yucatan, driving from Merida to Tulum, Playa del Carmen, Cozumel and back over the course of a week. I use a particular debit card only when traveling to contain risk if my card is stolen, and of course used this card during that week to withdraw money from ATMs. I used ATMs on 5th Ave in Playa del Carmen, an ATM at a bank near the ferry dock in Cozumel to pay for a snorkeling tour, an ATM on the main street of Tulum, etc.

    Two months later my card had been copied and used in the UK at an HSBC. My bank notified me within 15 minutes of the fraudulent transaction, but the thieves got away with 200 Euro (which my bank reimbursed).

  7. Excellent work once again. What do you recommend as a preventative solution?

    • 1. Expect to get skimmed when traveling!
      2. Don’t use/travel with a debit card (just use a credit card).
      3. Do plan to review your next three billing statements very carefully (you should take detailed notes about which merchants you’ve paid — this could be receipts, or digital photos of receipts, or something else).
      4. Find out if there are places where you can overpay by credit card and collect cash back. In the USA, grocery stores tended to allow this. In restaurants, if you manage to go with a group of people and some pay cash, those people work (you pick up their cash and put their bill on your card). It’s possible that you can get money from a hotel (not the hotel’s ATM — which probably is infected, but from the hotel itself) — remember, they have a business relationship with you and want to grow it, a small commission to them in exchange for you getting cash that doesn’t increase your risk factor is pretty good (they already swiped your card once).

      5. You could take the approach of declaring your card lost upon returning from your trip. (I haven’t seen anything in any fine print about this, but you would want to ask your issuer if there’s anything wrong with doing this before doing it monthly…)

      One approach would be to have one credit card that you don’t take with you on your trip (leave it in a safety deposit box at home). — When you return, retrieve that card, declare the traveling card as lost. You’ll get a new one in a couple of days. — Obviously, if you do this, don’t assign any recurring transactions to your travel card, since you’ll have to untangle them.

      6. Remember that you aren’t generally liable for fraudulent charges to your credit card if you catch them promptly (roughly when you review your billing statement). The problem is that you have to spend time either carefully reviewing your statement, or waiting for a replacement card (neither of which are particularly fun).

  8. Brian,
    I get a lot out of your articles, have purchased your book, and appreciate your work.

    That having been said, it would be nice to be able to keep enjoying your work. You should have renamed this series:

    “I Couldn’t Find a Building to Jump Off of, So I Went to Mexico to Explore Organized ATM Crime”.

    If I were you, I would postpone the trip to expose compromised ATMs in Syria.

    • Mexico is *not* dangerous for tourists (who aren’t high), particularly the “Mayan Riviera” area that Brian explored.

      • @Al:

        “Mexico is *not* dangerous for tourists (who aren’t high), …”

        Agreed. I’ve been to Cabo and Cancun in recent years… as a tourist.

        Brian was tracking the exploits of potentially dangerous criminal organizations that make a lot of money from the exploits he was investigating- In a country where police have often been found to collaborate with these organizations and to receive (rely upon?) income from them.

        Not the same thing.

  9. You better watch out
    You better not route
    You better not spy
    I’m telling you why
    Brian Krebs is coming to town

    He scans ATMs when you’re sleeping
    He scans ATMs when you’re awake
    He knows if they transmit “Free2Move”
    So stop skimming for goodness sake

  10. fascinating, we had a timeshare in Cancun, Cozumel & Playa so I’ve been to all of these places and watched Mexico security guards, police and military in action. You really were outside a comfort zone for me…they can be very unforgiving down there and even though you have a program (can see their uniforms) you just don’t know whose team people are playing for.

  11. Just wondering……… wouldn’t a good precaution be to change your PIN after returning home from travel?

  12. Crazy. Me and another guest both stayed at the CasaMagna last January, we both used the Lobby ATM, and a couple months ago we both got hit with withdrawals. Thanks for getting to the bottom of it, I knew that ATM was compromised.

  13. Looks like the fun never ends….. here is another ATM issue/ malware;

    http://www.net-security.org/malware_news.php?id=3098

    snip;

    This particular sample can read all the credit/debit card track data and data from the card’s chip (if the card has one), retain or eject the inserted card on demand, and can be controlled by the attackers via the ATM’s PIN pad.

    The malware is also capable of disabling the ATM’s door, alarm and proximity sensors to prevent malicious activities from being detected.

  14. @Elizabeth: Great idea!

    While vacationing in Costa Rica, I visited a Bank of America and used my bank card a single time. I covered/obscured the pinpad and withdrew my money, but nonetheless, within two days into the trip, I received several fraudulent charges originating from Mexico City.

    I always assumed it was an inside job as I notified my bank (call center) that I was going on vacation, but a compromised ATM now sounds much more possible.

  15. The parking guys probably called parking enforcement on you after you skipped their lots.

    Do banks offer burner debit cards with unique time/money limits as a service to travelers?

    • I am not aware of a ‘burner’ debit card, but you can go out and buy a Visa gift card for whatever amount. If the crooks get the number, there is a hard and fast limit as to how much they can steal.

      • > Visa gift card

        But if you lose that card there’s a much bigger chance you’ll lose that money, and you’ll spend a possibly significant chunk of it anyway to card fees. Tradeoffs!

  16. This may sound a little simple-minded, but for those of us who don’t use smart phones on a regular basis, how exactly do you scan for the free2move beacon?

    • Richard Engelmann

      From your settings menu, look for “bluetooth” and turn it on. A list will appear of devices that are ready to pair up with your phone, if you know the code (most folks never use a code when they link up with their Bose Soundlink or their car entertainment system).

      If one of the available Bluetooth devices is Free2move, then do not use that ATM.

  17. So how likely is it this bluetooth attack could be pulled off in the US? Are ATM maintenance people inherently less bribe-able in the states? or are the machines harder to attach the device to?

    Have you ever seen an ATM with a bluetooth signal for legitimate reasons? or should we just avoid any machine with a bluetooth signal?

    • http://www.transparency.org/cpi2014/infographic/compare

      United States / Score 74 / Rank 17
      Mexico / Score 35 / Rank 103

      Anything is possible, but places that are more corrupt are more likely to have such problems than places that where people are less corruptible.

      Also, your risk is going to vary based on how wealthy, secured, and frequented an area is. A tourist trap is much more likely to have lots of risk (e.g. of pick-pockets), than a small town that gets a handful of poor visitors annually. I.e. Don’t consider “Mexico” or the “USA” as a whole, consider where in the country you are.

  18. Thank you. I live in Playa del Carmen. You are a hero to me!

  19. perhaps, it may be, can be, conceivable, conceivably, could be, credible, feasible, imaginably, it could be, might be, obtainable, maybe, possibly.

    God Bless America.

    Just switch the Bluetooth transmitter from always ON to Timer. BK will never find that.

  20. Hi Krebs, I bet you know this better than all of us your readers: many dangerous guys that were drug dealing before are now moving to crimes of this kind. What you are doing can be dangerous; you can be at risk any time one of these gangs starts looking for you. I’m sure any of those guys who swatted you would give your address with pleasure. Not afraid of that?

  21. Is there ever a legitimate reason to have a Bluetooth signal emanating from an ATM? If not, then any signal means the ATM is compromised.

    • 1. Some people think it’s a good idea to support Bluetooth for ATMs: http://www.wirelessdevnet.com/channels/bluetooth/features/bluetooth2.html
      2. Wireless communication is generally radial/spherical and not directional. If you’re standing at a certain point, there will be lots of things all around you that are able to/sending you radio waves. The range of these radio waves is usually well over 2′, so it isn’t necessarily trivial to identify their source. You can do something called triangulation, but it can involve some amount of walking + math.

      It sounds like these transmitters were designed to leach power from their host ATMs, but that isn’t required — they could have batteries (previous generations of Bluetooth skimmers certainly did).

      Brian was lucky* in that there is a fairly standardized Bluetooth ID being used by all of these skimmers (which is broadcasting in the public, …). In the future, all of these things could be different (the id, that the device is “visible”, the HID class, that it doesn’t require a Knock protocol, that it doesn’t have a rechargeable battery making it immune to someone unplugging the ATM).

      * luck isn’t really the right word, he was given a tip with sufficient information for him to do the research he did. When these variables change, he’d need a more advanced tip in order to do a similar investigation.

  22. Brian, I’m of no threat but you show most of your face in the pic above.
    I live in Annandale also.

  23. We are heading to Mexico in two weeks…..Richard Englemann’s suggestion above sounds sensible – will this work? Perhaps taking more cash and a number of cards, including an over-the-counter for emergencies might minimise the pain if it happens!

  24. I spent Jan to July 2015 in Merida, Cancun, Playa, Tulum, Cozumel, Bacalar and points in between. I *always* (always)… did I mention always?… used official bank ATMs that were physically part of a real bank, and I never got skimmed. But I knew people who did, and it was usually one of those standalone ATMs that was the culprit. You can also use a cc, but only in restaurants or nice shops.

    It’s a beautiful place to visit, but you have to remember that most people there are poor, and not American Poor, but really poor, and US people that can afford a trip to Mexico are vastly wealthier than them by a long shot. You’ll always be a target to some extent.

    • I also used only official bank ATM’s in that area in 2011 and I got skimmed. I didn’t find out about it until more than 6 months later when money was withdrawn from my checking account. So I wouldn’t trust any ATM down there.

    • I think most of the criminals doing this skimming are not poor Mexicans. It started once Eastern Bloc countries began visiting Mexico. There are numerous organized crime groups working in Mexico that pay their “fee” to police and Zetas.

  25. You only mention public ATMs. I am curious to know if you found any issues with the ATMs at the banks? We were in Tulum for 6 months and used the ATM at the local HBC many times and never had any issues. Also used the ATMs at the Chedraui.

    • None of the compromised ATMs were bank ATMs. They were all free-standing ATMs not directly associated with a bank.

    • Not all ATMs at banks are actually owned and operated by the bank. CiBanco for instance hires an outside company to operate their ATMs. I wouldn’t trust any of them for the moment.

  26. My initial reaction is to think that practically everyone in Mexico is on the make and on the take (especially with people following you around) and, combined with the drug cartel problem and the tens of thousands of people who have died in Mexico in the last 10 years because of drug violence, I keep asking, “Why bother going to Mexico?” (Obviously, I am in the minority because many people go every year.)

    • Then why go to Europe? Plenty of crime happens there too… as well as in all the states of the good ol’ USA – as we all know.

  27. I found this story entertaining and informative. I have used ATMs abroad and one could always be more vigilant. Being skimmed while paying ATM fees could be considered insult to injury. Anyway, I consider this an evolution of street-level crimes. Also wondering if this is occurring in North America and/or other locales.

  28. Brian,

    You never offer a theory on the culprit organization, any theories?

  29. I assume ATM cards with chips (like the ones used in the rest of the world) are not susceptible … Am I wrong ?

  30. Brian,

    Great article. This is a bit off topic, but I’m curious about your phone itself? Can it be used in both the U.S. and the Caribbean? If so, could you advise the model and carrier? I travel down that way and would appreciate having a phone that works there AND here!

    Thanks!