Poole told us he was informed at that time that the HC-05 and HC-06 modules had been widely encountered by law enforcement in skimmers across the United States, though they were by no means the only kind of Bluetooth module used in credit card skimmers. When Poole and his colleagues worked with police in Colorado in 2017, they found that the majority of credit card skimmers that employed Bluetooth technology used Bluetooth modules called HC-05 or HC-06.
Then we would send it a serial string that we knew the answer to … Our app sends those, and if it gets a response back that is similar to, then we tell the user this is for sure a skimmer, move on to a different gas pump. What our app did, that was above and beyond that, is that if it saw a radio that we already knew was a skimmer, or suspected was a skimmer because it was the type of radio would use, then we would connect to it over the serial protocol. So in theory, you can open up your cellphone, go to “scan for Bluetooth devices” and possibly you would see the Bluetooth radio that was in the skimmer.
And with the particular skimmers that we came into contact with, we found that didn’t even change the default name or password of the Bluetooth unit. With some of these gas pump skimmers that we’ve come across, they will use a very common Bluetooth radio … and you can see it as a device that you would connect your phone to, just like a Bluetooth speaker or anything else like that. Poole explained that he and his colleagues were consulted by local law enforcement in Colorado after a wave of credit card skimmer thefts at gas stations in 2017 and were able to reverse engineer some of the skimmers removed from the pumps, adding that:
We asked Nick Poole, an electronics expert at the hobby electronics company SparkFun and co-creator of the “Skimmer Scanner” Android app, to outline how they work. Not all credit card skimmers operate using Bluetooth technology in this way, but many do, and this use of Bluetooth technology is what leaves the skimmers vulnerable to detection.
The thieves who planted the skimmer can then return to the machine and use a Bluetooth transmitter to transfer all the stored credit card details from the skimmer to a storage device such as a mobile phone or laptop, all without having to physically remove the skimmer. When a customer inserts a card into the reader, the transaction takes place as normal and the customer’s card is debited, but the skimmer also extracts all the relevant data from the magnetic stripe on the card, including the credit card number, expiry date, and security code.
(The Facebook post confusingly referred to a “card reader” rather than a “card skimmer.”) The warning is related to a particular kind of credit card skimmer that is placed in a credit card reader at an ATM or gas station pump. This warning was a somewhat crude explanation of a real phenomenon: the Bluetooth sensor on a mobile phone can indeed be used to detect some - though by no means all - credit card skimmers at gas pumps and ATMs.
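The two-stage check Poole describes (flag a radio by its module name, then confirm it over the serial link with a query whose answer is known) can be sketched as follows. This is an added Python example, not the Skimmer Scanner app's code; the probe string, the expected reply, the exact-match comparison, the names `Seen`, `classify` and `triage`, and the scan results are all constructed placeholders, since the article does not give the real values.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional

# Module names the article says were common in recovered skimmers.
SUSPECT_NAMES = {"HC-05", "HC-06"}

# Placeholders: the article does not state the real query or its answer.
PROBE = b"<PROBE-PLACEHOLDER>"
EXPECTED_REPLY = b"<REPLY-PLACEHOLDER>"

@dataclass(frozen=True)
class Seen:
    """One result from a Bluetooth scan (hypothetical structure)."""
    address: str
    name: Optional[str]

# A probe opens the serial link, sends the payload and returns the reply.
Probe = Callable[[str, bytes], Optional[bytes]]

def classify(dev: Seen, probe: Probe) -> str:
    name = (dev.name or "").strip().upper()
    if name not in SUSPECT_NAMES:
        # Not proof of a clean pump: other modules and renamed radios
        # never match this list.
        return "not-flagged"
    try:
        reply = probe(dev.address, PROBE)
    except OSError:
        reply = None  # out of range, refused, or pairing failed
    if reply is not None and reply.strip() == EXPECTED_REPLY:
        return "likely-skimmer"
    # Name match only: the same modules are sold for ordinary projects.
    return "suspect-radio"

def triage(scan: Iterable[Seen], probe: Probe) -> Dict[str, str]:
    return {d.address: classify(d, probe) for d in scan}

# Constructed scan results and a stand-in probe so the example runs offline.
SAMPLE_SCAN = [
    Seen("00:00:00:00:00:01", "HC-05"),
    Seen("00:00:00:00:00:02", "hc-06 "),
    Seen("00:00:00:00:00:03", "Car Stereo"),
    Seen("00:00:00:00:00:04", None),
    Seen("00:00:00:00:00:05", "HC-05"),
]

def fake_probe(address: str, payload: bytes) -> Optional[bytes]:
    if address.endswith(":01"):
        return EXPECTED_REPLY + b"\r\n"
    if address.endswith(":05"):
        raise OSError("connection refused")
    return b"ERROR\r\n"
```

Keeping the name match and the serial confirmation as separate verdicts mirrors the distinction in the quote between a radio that is merely the suspected type and one the app reports as a skimmer.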