6 Things We Learned About Bluetooth ATM Skimmers In Mexico

If you took a summer vacation this year, you may have spent it on a beach, on a boat, or at a theme park. Security journalist Brian Krebs spent his summer vacation doing something that sounds super-fun to us: hunting down compromised ATMs in Mexico. He found quite a few, and also learned who might be behind all of his fraud.

Check out the whole series of stories: they have handy photos and videos, and will give you a healthy dose of paranoia before the next time you travel internationally.

  • An ATM is only as secure as the employees who have access to it. A source in Mexico explained to Krebs that men with Eastern European accents offered ATM technicians impressive amounts of money to allow them access to the innards of the machines they maintained. One person said yes, and the devices they found inside compromised machines provided clues about how to find other compromised ATMs.
  • They’re easy to find. Simply scanning the area for Bluetooth devices would turn up ATMs giving off a telltale signal: Bluetooth beacons that were part of the scheme bore the name of the non-criminal manufacturer that made them.
  • You can’t just wander by and harvest the data from a Bluetooth skimmer: the bundles of customer data are locked up with a code that only the criminals have.
  • Compromised devices were thick on the ground. Once Krebs knew what to look for, he found compromised ATMs everywhere. There were some in the airport. One of the ATMs in the hotel in Cancun where he stayed was compromised. Sometimes there was more than one telltale Bluetooth signal visible from where he was standing.
  • It’s hard to find anyone to tell when you do find a compromised machine. By the time tourists notice fraudulent withdrawals, they’ve already gone home. Hotel employees seemed concerned at first, but the Bluetooth signal kept on signaling until he left town.
  • There’s no one to tell. The criminal justice system in Mexico can easily be manipulated with bribes, and someone with a cash-extracting business has lots of money to pay bribes. Compromised ATMs belonged to independent ATM-servicing companies, not banks.
  • The ATM you’re using might not dispense money at all. Some ATMs didn’t have Bluetooth beacons, but “malfunctioned” and wouldn’t spit out a receipt when used. It’s possible that there are fake ATMs on the ground that just capture your account information, and in a tourist town it’s possible that no one would notice.
  • In summary, always travel internationally with large wads of cash. But that isn’t safe, either, so don’t do that.

    Tracking a Bluetooth Skimmer Gang in Mexico [Krebs On Security]
    Tracking Bluetooth Skimmers in Mexico, Part II [Krebs On Security]
    Who’s Behind Bluetooth Skimming in Mexico? [Krebs On Security]