Thieves skim card data from US gas stations via Bluetooth-enabled devices

library
crime | hacking | security

Thirteen people have been indicted for installing Bluetooth-enabled, banking-data-gobbling skimmers at gas stations in the Southern US, Manhattan District Attorney Cyrus R. Vance, Jr. said in a statement released on Tuesday.

The defendants allegedly forged bank cards using the banking details from victims in the southern states; used the cards to deposit, withdraw and thereby launder $2.1 million (£1.27 million) through ATMs and banks in New York City; and withdrew part of the stolen money on the West Coast.

All in all, the countrywide crime spree involved more than 70 different bank accounts.

The four lead defendants are accused of installing card skimming devices to copy credit and ATM numbers, and PINs used by customers at Raceway and RaceTrac gas stations throughout Texas, Georgia, and South Carolina.

The devices were impossible for gasoline-buying customers to detect, given that the skimmers were installed internally, the DA said.

It’s a heck of a lot easier to detect thieves’ attempts to get at your credit card when they’ve done something like clumsily glue a card catcher onto the front of an ATM, of course, and then made it even more obvious by hanging around the machine waiting for a victim to give up on getting her card back, as happened to Jamillah Knowles, who wrote about her catch of a card catcher for Naked Security in June.

ATMs are usually made of molded plastic and have to be attached onto cash machine hardware. The color and texture could well not match, the fit likely won’t be exact, and the skimmer could be slightly loose.

In fact, when Australian detectives warned about skimmers during the holiday season back in 2012, the advice we passed on was to grab whatever device you’re putting your card into and give it a good wiggle.

That, obviously, is no help here, given the internally installed skimmers used, but I pass it on because it’s good advice in other skimmer scenarios.

At any rate, having Bluetooth-enabled devices made it easy for thieves to get at the stolen data without having to physically remove the skimming devices.

Not that wireless-enabled credit card skimmers are new, mind you. Security journalist Brian Krebs has cataloged all sorts of skimmers, including some that even send information to fraudsters’ phones via text message.

So convenient!

With their Bluetooth-enabled card skimmers, the defendants in this case allegedly spent a year and two days – between 26 March 2012 and 28 March 2013 – using the forged cards at ATMs in Manhattan, siphoning funds out of their victims’ accounts in increments under $10,000.

Keeping the withdrawals under $10,000 avoided cash transaction reporting requirements.

They then allegedly deposited the stolen money into their own bank accounts in New York.

Others in the crime ring are alleged to have promptly withdrawn the money at banks in California or Nevada.

The four lead defendants are Garegin Spartalyan, 40; Aram Martirosian, 34; Hayk Dzhandzhapanyan, 40; and Davit Kudugulyan, 42.

Originally arrested and charged on 21 March, 2013, the four lead defendants are now facing a 426-count indictment with felony charges of money laundering, criminal possession of stolen property, grand larceny, criminal possession of a forgery device, and criminal possession of forged instruments.

The earlier arrests sparked an investigation that eventually led the police to nine other defendants.

Those nine – Azat Aramyan, 25; Norayr Aramyan, 25; Argine Ananyan, 34; Rosa Unusyan, 24; Sona Minasyan, 51; Armen Abroyan, 36; Hasmik Miribian, 64; Artur Pogosyan, 31; and Rose Vardui Pndlyan, 47 – have been charged with two felony counts of money laundering, either in the second or third degree.