
Tracking Bluetooth Skimmers in Mexico, Part II

Discussion in 'KrebsonSecurity' started by RSS, Sep 15, 2015.


    I spent four days last week in Mexico, tracking the damage wrought by an organized crime ring that is bribing ATM technicians to place Bluetooth skimmers inside of cash machines in and around the tourist areas of Cancun. Today’s piece chronicles the work of this gang in coastal regions farther south, following a trail of hacked ATMs from Playa Del Carmen down to the ancient Mayan ruins in Tulum.

    As I noted in yesterday’s story, the skimmers that this gang is placing in hacked ATMs consist of two Bluetooth components: One connected to the card reader inside each machine, and another attached to the PIN pad. Both components beacon out a Bluetooth signal called “Free2Move.” The thieves can retrieve the purloined card and PIN data just by strolling up to the hacked ATM with a smartphone, entering a secret passcode, and downloading all of the collected information.

    Having found two hacked ATMs in Cancun — including one in the lobby of my hotel (the Marriott CasaMagna) — I decided to check out other tourist destinations in the region. On the way to Tulum, I dropped in at the Barcelo, a huge, all-inclusive resort. The security guards at the front gate at the resort initially prevented me from entering the complex because I didn’t have reservations.

    After 10 minutes of Googling on my phone and a call to the front desk, the guards seemed satisfied that I was interested in buying a day pass to the hotel’s various facilities. The gate lifted and I was let in. Five minutes later, the very first ATM I stopped at was found to be emanating the telltale Free2Move Bluetooth signals indicating a compromise.

    No sooner had I finished documenting that hacked ATM than a security guard rode up on a motorcycle and asked if I was having trouble finding the day-pass desk. I replied that I’d be headed that way shortly.

    The Barcelo security guard followed me closely as I returned to my rented Jetta and drove to a different building in the complex. Multiple security guards were beginning to shadow me at a respectful distance. I decided it was best to at least demonstrate that I had an intention of buying a day pass.

    The Barcelo reception desk said the price would be USD $80 per person. Feigning shock over the hefty price tag, I declared loudly that I had to hit the hotel’s ATM to withdraw more cash in order to pay such exorbitant prices. That ATM also was beaconing the Free2Move Bluetooth signal, but the ATM itself returned errors stating that it was temporarily offline and unable to dispense cash.

    That outage turned out to be the perfect excuse to visit a third ATM in the complex, as I again loudly explained to the security guy following a few paces behind. By this point, a much more stern and beefy guard began following me around on foot, his walkie-talkie buzzing periodically as I crossed the hotel campus. The third and final ATM I checked also was compromised. While I was sure there were more ATMs I hadn’t checked in other areas of the resort, I decided not to press my luck, and hopped back in the Jetta and resumed my journey to Tulum.


    Halfway down the southbound four-lane highway from Cancun to the ancient ruins in Tulum, traffic inexplicably slowed to a halt. There was some sort of checkpoint ahead by the Mexican Federal Police. I began to wonder whether it was a good idea to have brought along the ATM skimmer I’d received from a source instead of leaving it in the hotel safe. If the cops searched my stuff, how could I explain having ultra-sophisticated Bluetooth ATM skimmer components in my backpack?

    A sign across the street from the police department in Tulum.

    After several nervous minutes of creeping traffic, I was waved on through the checkpoint and immediately felt silly for having gotten so worked up about it. However, upon my arrival 20 minutes later in Tulum — a popular tourist destination due to its proximity to the Mayan ruins — I would have a much closer encounter with the police.

    As I pulled into the area where tour buses normally drop off passengers by the hundreds each hour, a number of men stood waving pamphlets and offering “Cheap!” parking that was anything but (or at least I thought at the time). Each was trying to direct me to park the Volkswagen in one of several large, dusty lots.

    “I’ll just be about five minutes,” I said, stupidly putting the vehicle in park on the main street right in front of the tourist lot. The attendants just shook their heads and began hailing other newcomers.

    The Tulum visit yielded another three ATMs within a few hundred meters of each other that were all emanating the Free2Move signal. But unfortunately, that jaunt took more than five minutes: When I returned to the Volkswagen, I found a parking ticket on the windshield and the parking attendants smirking, gleefully shouting in Spanish that I should have listened to them and parked in their lot.

    The ticket wasn’t for that much money. More concerning, the license plate had been removed from the front of the car. At first I thought someone had stolen it, but one of the locals explained that this was a common practice used by Mexican police to ensure people actually pay quickly and — more importantly for them — locally, for their parking and traffic fines (and then some). The removal of the plates from the rented vehicle necessitated a stop at the police station at the entrance to the ruins; 20 minutes and the equivalent of $200 later, I was back in possession of the car’s front plate and headed back toward Cancun.


    Yours Truly, in front of a hacked ATM in Playa Del Carmen.

    My next stop was Playa Del Carmen, another tourist destination popular with Americans but quite a bit less rowdy than the Plaza Caracol nightclub area in Cancun. A lengthy and sweaty stroll down Playa del Carmen’s leafy 5th Avenue revealed five more compromised ATMs pulsing out the Free2Move Bluetooth signals.

    After a late and thankfully enormous lunch at a local Argentinian steakhouse, I was feeling refreshed enough to continue to the third leg of the journey. With twilight approaching and colorfully lit signs blazing to life along the main tourist boulevard, a steady breeze set in and mercifully tamed the otherwise sticky and oppressive heat. It was time to board the hourly ferry to Cozumel.


    This speedy cruiser takes riders on a 45-minute ride to Cozumel, an island whose surrounding deep green-blue clear water makes it an immensely popular spot for scuba divers and tourists alike. By this time, the fitness tracker on my arm tapped my wrist to report that I’d massively overachieved my daily fitness goal: I’d walked almost 13 miles at that point, and I hadn’t even strolled around Cozumel yet.

    A compromised ATM in Cozumel.

    Once off the ferry in Cozumel, I commenced about two more kilometers of walking the main commercial road adjacent to the ferry dock. I found four more apparently hacked ATMs that were blasting out the telltale Bluetooth signals.

    I was physically drained, but very happy with the results of my reconnaissance missions, and glad to have been able to see so many places on the coast in such a short time.

    I arrived back at the CasaMagna Marriott after midnight, exhausted but also interested in stopping by the ATM to see if any action had been taken. To my astonishment, someone had finally unplugged the Cardtronics peso machine that was stealing card data and PINs from users. With the power to the hacked ATM unplugged, the Free2Move beacons were no longer transmitting.

    Unfortunately, I had to catch a flight home the next morning. But as the taxi dropped me off in front of the airport, I decided to check all of the cash machines in the terminal. The first one I found just inside the check-in area was clean (at least it didn’t appear to be beaconing Bluetooth signals). The second ATM, however — situated next to an escalator and a currency exchange shop but before the security screening checkpoint — was broadcasting the now familiar Bluetooth signal.

    This woman raced ahead of me as I was filming this compromised ATM. She was successfully dissuaded from using it.

    As I prepared to document the compromise on my GoPro camera, an apparently American woman raced ahead of me and beat me to the ATM. Before she could enter her PIN, I turned off the camera and explained who I was. The traveler replied that she was in a great hurry. I told her that the ATM she was about to use would soon cause her checking account to be hijacked and drained.

    The woman looked at me in what seemed to be exasperation for a moment, before withdrawing her card from the machine and heading wordlessly across the airport lobby to the other ATM.

    Packing my camera gear back into its case, I carefully peered around the backside of the ATM. I noticed it was plugged into the wall facing the escalator.

    As I rode the escalator up to the security gates and gazed down over the handrail, I could no longer see the darkened screen of the ATM, but somehow neither was the power cord still attached to the wall. Pulling out my new Huawei phone for the last time, I smiled as the Bluetooth scanner tried in vain to find any beacons.

    In case you missed it, please see the first installment in this series: Tracking a Bluetooth Skimmer Gang in Mexico.

