US prosecutors have charged 13 members of a gang accused of stealing $2 million from gas station customers using Bluetooth-enabled skimmers hidden inside pump ATMs.
Prosecutors said that the after stealing the data from Raceway and Racetrac forecourts in Texas, Georgia, and South Carolina using the undetectable devices, the cards were cloned to allow the accused to withdraw money from ATMs in other states.
Between March 2012 and March 2013, gang members stole $2.1 million (£1.25 million) from ATMs in Manhattan, California and Nevada, making sure that each transaction was under the $10,000 level beyond which fraud control might kick in. Money was deposited into 70 different bank accounts as part of an attempt to launder the proceeds.
Four of the 13 defendants have been picked out as particular importance, Garegin Spartalyan, 40, Aram Martirosian, 34, Hayk Dzhandzhapanyan, and Davit Kudugulyan, 42. Despite surnames with origins in the Caucasus, the indictment states that most of the 13 were US-born.
"By using skimming devices planted inside gas station pumps, these defendants are accused of fueling the fastest growing crime in the country," said New York County District Attorney, Cyrus R. Vance Jr.
"Cybercriminals and identity thieves are not limited to any geographic region, working throughout the world behind computers. In this case, the defendants are charged with stealing personal identifying information from victims in southern states, used forged bank cards on the East Coast, and withdrew stolen proceeds on the West Coast.
"My Office's Cybercrime and Identity Theft Bureau also operates across borders, and will continue to track and prosecute identity thieves here in Manhattan and around the world," he said.
Card skimmers have been a standard way of stealing debit and credit card data for years but the innovation of adding a Bluetooth interface allowed the gang to record the data without removing the devices. This might explain why the attack appears to have gone undetected for so long despite the skimmers having been placed on a small group of ATMs.
The second interesting aspect of the crime is that the criminals allegedly placed them not on bank ATMs - generally now monitored by CC TV camera - but at less well-defended gas stations. These are more common in the US than in countries such as the UK.
Physical bank attacks of this ilk can look like a forgotten type of crime. Last year, several banks in the UK almost fell prey to attacks using KVM devices rigged up to wireless cards. Probably the most ingenious ATM crime of recent times was the gang in San Francisco that glued down the 'enter', 'cancel' and 'clear' keys as a way of tricking users into leaving their cards in ATMs just after they entered the PIN number.