
Tracking a Bluetooth Skimmer Gang in Mexico (Part I) - dthakur
http://krebsonsecurity.com/2015/09/tracking-a-bluetooth-skimmer-gang-in-mexico/
======
tfigment
While waiting for part 2, I'm wondering if this is not a very dangerous thing
to be investigating. Working in a foreign country with criminal organizations
(though maybe less in tourist parts of Cancun) and actively and personally
interfering with a presumably lucrative funding source of said organizations
seems like a bad idea.

Is this just my US-centric view of the world saying this or is it really a
questionable move if one values their personal safety?

Anyway this is very much the topic of more than one novel I'm sure and given
he has survived to blog the tale I guess I can be less concerned about his
welfare.

~~~
lazaroclapp
Is it dangerous? Absolutely. But, consider: he is just checking and fixing ATM
machines and notifying people of the hack, it's not like he is pointing fingers
at anything more than "bought out" low-level technicians, and he is a
relatively well known American journalist. It is also a super touristic
destination where all parties (legit, criminal and semi-criminal) make their
money only contingent on it being known to be a "safe destination". Would a
criminal enterprise benefit from harming him? Or would it be easier to wait, let
him debug all the ATMs he wants and then get a different model of bug and
start again 1 month later with what is probably one of many revenue streams
for whomever is in charge?

Mexico is a very dangerous place for journalists and becoming more dangerous
every year, but even when we hear about _Mexican_ journalists getting
murdered, it's usually for pointing fingers much higher up than "ATM hackers"
(the most famous recent case has to do with an investigation into a Governor's
activities). One has to assume the threshold for causing an international
incident is even higher. The people being busted here are "just" scammers,
even if embedded within a larger criminal network.

p.s. My only qualification for answering this is having lived in Mexico. I
claim no knowledge of criminal structures there other than what is known from
general news and culture. I would not bet my own life on this analysis.

~~~
DanBC
> But, consider: he is just checking and fixing ATM machines and notifying
> people of the hack,

He is depriving a criminal gang of a source of income. That feels risky!

~~~
lazaroclapp
Sure. Just saying, there is risky and then there is _risky_. One wouldn't be
all that safe doing this in Detroit either. I just think there are way scarier
people out there for which "American Journalist found dead in an alley in
Cancun" in the newspapers is _not_ an acceptable mess to have to clean, not
over something like this. Not that I would bet on it, though...

------
IshKebab
Well, they weren't that sophisticated if they left the bluetooth device
transmitting. Pretty stupid if you ask me.

If it were me, I would have either:

1. Require a secret pin to be entered in order to activate the bluetooth.
2. Don't use bluetooth. For example the nRF51822 chip (e.g. in this module [1])
allows you to implement your own radio protocols. You could make it impossible
to detect - it could only respond when sent a secret code of some sort.

[1] http://www.seeedstudio.com/depot/Seeed-Micro-BLE-Module-w-CortexM0-Based-nRF51822-SoC-p-1975.html

~~~
kiproping
Criminals do not care for sophistication nor gimmicks. They use the easiest
way to get what they want. This current method has probably worked very well
for them, and if it was not for 'Krabs' maybe it would have continued for even
longer. Hindsight is 20/20. I am sure the criminals are reading the blog post
and looking for the next slightly better method just enough to evade
discovery.

~~~
codeisawesome
I in fact wonder about the criminals who've already thought of all this, are
successfully avoiding anything like this detection and making their $$$. I
hope not to fall prey to something like this, incredible just how many risks
there are.

------
kalleboo
Why can't we get ATMs with chip slots so that we don't have to present a
skimming device with a nice long swipe?

And once more I consider scraping the mag-stripe off my debit card.

~~~
rsfern
It sounds from the blog post like this skimming device is reading the
electrical signal from the card reader, not reading the mag-stripe directly. So
it's unclear how much this would help.

I would think chip and pin should mitigate this kind of card skimming
though...

