Please pay inside: Evaluating bluetooth-based detection of gas pump skimmers

Nishant Bhaskar, Maxwell Bland, Kirill Levchenko, Aaron Schulman

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Gas pump skimming is one of the most pervasive forms of payment card attacks in the U.S. today. Gas pump skimmers are easy to install and difficult to detect: criminals can open gas pump enclosures and hide a skimmer in internal payment wiring. As a result, officials have resorted to detecting skimmers by performing laborious manual inspections of the wiring inside gas pumps. In addition, criminals can also avoid being caught using skimmers: many gas pump skimmers have Bluetooth connectivity, allowing criminals to collect payment data safely from inside their car. In this work, we evaluate if the use of Bluetooth in skimmers also creates an opportunity for officials to detect them without opening gas pumps. We performed a large-scale study where we collected Bluetooth scans at 1,185 gas stations in six states. We detected a total of 64 Bluetooth-based skimmers across four U.S. states, all of which were recovered by law enforcement. We discovered that these skimmers were clearly distinguishable from legitimate devices in Bluetooth scans at gas stations. We also observed the nature of gas station skimming: skimmers can be installed for months without detection, and MAC addresses of skimmers may reveal the criminal entity installing or manufacturing them.

Original language: English (US)
Title of host publication: Proceedings of the 28th USENIX Security Symposium
Publisher: USENIX Association
Pages: 373-388
Number of pages: 16
ISBN (Electronic): 9781939133069
State: Published - Jan 1 2019
Event: 28th USENIX Security Symposium - Santa Clara, United States
Duration: Aug 14 2019 to Aug 16 2019

Publication series

Name: Proceedings of the 28th USENIX Security Symposium

Conference

Conference: 28th USENIX Security Symposium
Country: United States
City: Santa Clara
Period: 8/14/19 to 8/16/19

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Information Systems
  • Safety, Risk, Reliability and Quality

  • Cite this

    Bhaskar, N., Bland, M., Levchenko, K., & Schulman, A. (2019). Please pay inside: Evaluating bluetooth-based detection of gas pump skimmers. In Proceedings of the 28th USENIX Security Symposium (pp. 373-388). (Proceedings of the 28th USENIX Security Symposium). USENIX Association.