8/18/2019 Ioana Patringenaru, University of California San Diego
A team of computer scientists at UC San Diego and the University of Illinois has developed an app that allows state and federal inspectors to detect devices that steal consumer credit and debit card data at gas pumps. The devices, known as skimmers, use Bluetooth to transmit the data they steal.
“All criminals have to do is download the data from the comfort of their vehicle,” said Nishant Bhaskar, a Ph.D. student in computer science at the University of California San Diego and the study’s first author.
The app, called Bluetana, detects the Bluetooth signature of the skimmers, and allows inspectors to find the devices without needing to open up the gas pumps.
Bluetana was developed with technical input from the United States Secret Service and is only available to law enforcement officials and gas pump inspectors. It will not be available to the general public. It is now used by agencies in several states.
“Our goal is to give field agents the best tools for the job available today,” said ECE ILLINOIS Associate Professor Kirill Levchenko, a computer science professor at the University of Illinois who earned his Ph.D. at the Jacobs School of Engineering at UC San Diego. “We've found that Bluetana helps agents find more gas stations with skimmers--and to find more skimmers at those gas stations.”
The researchers found that, compared to similar apps currently available for smartphones, Bluetana is likely to discover more skimmers and produces a much lower false positive rate. “Bluetooth technology used in these skimmers is also used for legitimate products commonly seen at and near gas stations such as speed-limit signs, weather sensors and fleet tracking systems,” said Bhaskar. “These products can be mistaken for skimmers by existing detection apps.”
Bluetana uses an algorithm developed by the researchers to distinguish skimmers from legitimate Bluetooth devices. They designed the algorithm based on the results of a field study in which they analyzed scans of Bluetooth devices taken by officials at 1,185 gas stations in six U.S. states.
“Bluetana extracts more meaningful data from the Bluetooth protocol, such as signal strength, than existing skimmer detection applications. In a few cases, our app was able to find devices missed by visual inspection,” said Maxwell Bland, a Ph.D. student in computer science at UC San Diego and study coauthor.
In one year of operation, Bluetana has led to the discovery of 42 Bluetooth-based skimmers across three U.S. states, all of which were recovered by law enforcement agents. “We were surprised that there were so many skimmers in the field that had not been discovered by other detection methods such as regular manual inspections,” said Aaron Schulman, a UC San Diego assistant professor in computer science. “We even found two skimmers that were installed in gas pumps and had evaded detection for six months.”
As more gas stations adopt payment systems exclusively for credit and debit cards with chips, criminals will use technologies to capture information from these types of cards. Researchers will have to follow suit. Visa and MasterCard are mandating that all gas stations in the United States use the chip-based systems by October 2020.
“Bluetana is not the last word,” Levchenko said. “As criminals evolve, our techniques will need to evolve also.”
Writer: Ioana Patringenaru, University of California San Diego | ipatrin@eng.ucsd.edu
Read more about this research at KrebsOnSecurity, Fast Company, SlashGear, Claims Journal, and TechCrunch.