
Tracking Bluetooth Skimmers in Mexico, Part II - robin_reala
http://krebsonsecurity.com/2015/09/tracking-bluetooth-skimmers-in-mexico-part-ii/
======
orf
To the guy with the throwaway account who seems on a mission to discredit
Krebs and this story (with as little evidence as you would expect), please
stop. Your comments are ridiculous.

As for the series, it's fantastic. I've always enjoyed Krebs's writing but
never shared his fascination with skimmers, I always thought it was kind of
niche and not really much of a big deal. Seems it's a lot more widespread than
people think.

~~~
nadams
Here is my take on it - I'm skeptical. Sure I'll believe that a number of ATMs
are compromised. But it seems like every ATM he walked up to was broadcasting
this. To me this seems more like an, arguably exploitable, maintenance tool than a
ring of ATM thieves. Free2Move appears to be a standard tool for serial over
bluetooth [1].

He can't possibly be the first and only person to find this - so I attempted
to google "free2move atm" and only his article shows up (about skimming).

I'm not saying this is a fake article - but to me seems amateuristic for
someone of his stature. I would have expected he would work with at least one
authority figure to show that without a doubt an ATM is compromised - along
with a tear down of the device.

Also I'm not sure how I feel about him convincing people not to use an ATM
that may or may not be compromised. If he did believe 100% it was compromised
he should have talked to someone in management to have the ATM unplugged and
serviced (that would make for an interesting article to see if they actually
take him seriously and not just plug it back in when he leaves).

My two cents...

[1] [http://www.amazon.co.uk/Cablematic-Free2Move-Bluetooth-Seria...](http://www.amazon.co.uk/Cablematic-Free2Move-Bluetooth-Serial-F2M01SXA/dp/B008451VYW)

~~~
mark212
read the article. He did talk to people "in management" at a couple of places
and only one took the suspect ATM offline.

demanding that he "work with at least one authority figure" is a bit naive in
Mexico.

~~~
nadams
> read the article. He did talk to people "in management" at a couple of
> places and only one took the suspect ATM offline.

I don't think we read the same article. Maybe in the first one he did - but in
the linked article all I see is him walking up and down streets looking for
the bluetooth broadcast. I won't blindly believe that each of the ATMs he
found broadcasting was exploited. I'm not saying I would use them nor would I
recommend using one in Mexico - but just seeing a bluetooth signal isn't
enough for me to assume that it's exploited. With all the sensational articles
floating on the web - I'm just skeptical that's all.

> demanding that he "work with at least one authority figure" is a bit naive
> in Mexico.

I didn't demand it - I just expected it. Even though I'm sure there are a lot
of bribes happening in Mexico - there has to be someone he can contact and
work with that may or may not care.

~~~
morsch
It was in the first one, although the second article alludes to the fact that
the hotel took the ATM offline, eventually. The first part also goes into some
detail regarding the hardware and the fact that he was approached by an ATM
firm. They'd probably know if the BT beacon was a maintenance tool.

Having an openly visible BT signal emanate from your illicit snooping device
seems amateurish on the face of it, but it does make connecting to it easier
for technically challenged criminals, who I assume don't have a bachelor in CS
or EE. They'll be happy to escalate to a harder to detect wireless signal if
it becomes necessary.

------
largote
My advice to people visiting Mexico regarding ATMs is to try to use one at an
actual bank location, or at least operated by a major bank. Even in the US I'm
skeptical of third party ATMs.

------
peterwwillis
Brian Krebs either has a death wish or balls the size of the moon. Never in a
million years would I go and actually try to track down the ATMs compromised
by well-funded, sophisticated organized crime gangs. In Latin America, no
less, where killing random people only improves your rep and buying police
protection is cheap.

~~~
timje1
He does mention in the comments that he only published the story once he was
out of the country. Certainly publishing it while in Mexico would be courting
disaster.

~~~
Apocryphon
I'd still be concerned for his safety right now. Hope he can get some
protection stateside, just in case.

------
IshKebab
It's still crazy to me that they left the BLE devices transmitting (and all
the same name!) rather than one of:

a) Don't set the name.

b) Trigger advertising when you type in a specific pin.

c) Use a custom radio protocol (much easier than you'd think - you could even
use a pre-written one like Nordic's Gazell).

~~~
rasz_pl
It's most likely a massive operation spanning a few cities (if not countries),
you don't want to provide IT support for random lowlifes employed by the gangs,
this forces you to standardize on something every smartphone is capable of
doing, and simplifying the process to the point of click for bacon.

~~~
leoedin
I wonder what other protocols you could use. Perhaps a WiFi system that looks
for a WiFi hotspot with a specific name (easy to do on most smartphones) which
then connects automatically? Or just instruct your goons to set their phone's
bluetooth name to a particular value and then initiate a bluetooth send to any
phones with that name.

------
lizzard
Oh wow! This happened to me just recently; I was in Akumal and Tulum and only
used a couple of different cash machines. My card info was stolen and then
used in Mexico and Florida for withdrawals.

------
leoedin
It would be nice to know what proportion of ATMs he found were compromised. It
sounds like it was almost all of them!

~~~
mbreese
In his comments section he estimated it was a percentage in the single
digits...

[http://krebsonsecurity.com/2015/09/tracking-bluetooth-skimme...](http://krebsonsecurity.com/2015/09/tracking-bluetooth-skimmers-in-mexico-part-ii/comment-page-1/#comment-392856)

