Network Management Strategies for the CIO
Can you suggest tools to detect Bluetooth-based card skimming devices?
Requires Free Membership to View
Credit or ATM card skimming occurs during a legitimate payment transaction, when someone handling your card takes the opportunity to surreptitiously swipe the card's magnetic strip, then visually observe the PIN you enter into a point-of-sale device. It may also happen when an imposter device (e.g., a phony ATM machine) is used to trick you into swiping your card, perhaps accompanied by a pinhole camera used to record PIN entry. There are two ways that Bluetooth can enter this picture:
- Some mobile point-of-sale terminals swipe cards in the usual fashion, but then transmit that payment data over wireless to a nearby Bluetooth access point. If a payment transaction were to be conducted without Bluetooth or higher-layer encryption (e.g., SSL), card data sent over Bluetooth might be eavesdropped upon.
- Some "contactless" payment systems use mobile phones with Bluetooth technology to conduct purchases over wireless without physically swiping a credit card. In this case, an unsecured or vulnerable Bluetooth interface might be exploited to grab ("snarf") stored card data from the mobile phone.
Neither threat appears to be common. A merchant using a Bluetooth point of sale terminal should encrypt anything sent over wireless, and most new contactless payment systems use RFID rather than Bluetooth. Merchants might still be concerned about fraudulent card readers that use Bluetooth to upload skimmed data for storage/use elsewhere. But in all cases, there are tools that could alert you to the repeated/frequent presence of the same, unknown, rogue Bluetooth device.
One way to detect Bluetooth rogues is to run a Bluetooth discovery program on a laptop. For example, freely-available Bluetooth scanners for Windows XP are available from AirMagnet and Network Chemistry. However, like Wi-Fi stumblers, these discovery programs just periodically sample the airwaves. Continuous Bluetooth rogue detection over a larger area requires a Bluetooth-aware IDS solution like Red-M's Red-Alert PRO.
Bear in mind that plenty of unknown Bluetooth devices will probably come and go over time, as strangers carrying Bluetooth phones and Bluetooth headsets and other Bluetooth peripherals pass through any business establishment. However, Bluetooth discovery and IDS tools can help you spot an unknown Bluetooth device that always seems to be hanging around, and help you determine the type of device and its approximate location.
This was first published in July 2007
Join the conversationComment
Share
Comments
Results
Contribute to the conversation