The Russian mafia is stealing millions of dollars from tourists on Cancun beaches by rigging ATM machines with the ‘most advanced data-stealing hardware ever’ which can easily be bought online for just $550, warns a security expert.
The disturbing claims follow an investigation into the tourist hot spot of Cancun – visited by around five million holidaymakers every year – which found that 19 separate cash machines had been fitted with the technology.
Brian Krebs, a distinguished cyber-security journalist, claims gangsters are bribing poorly-paid ATM technicians to let them hide tiny devices inside the card slot and the PIN pad.
These steal the card’s data and store it on special Bluetooth devices which have also been installed inside the cash machines.
Cyber thieves use their phones to connect to this device – which can hold the data of around 32,000 people – and use the stolen information to empty their victims’ bank accounts.
Krebs recently spent four days investigating the compromised cash machines down Mexico’s Caribbean coast.
He told MailOnline the fraudulent ATMs are linked to the Russian mafia, preying on the vast number of holidaymakers in Mexico’s most popular resorts.
Krebs added: ‘This is certainly the most advanced bank machine fraud technology I’ve ever seen.’
To access the data, the cyber thief simply walks to within a few metres of the machine, connects through a passcode to the Bluetooth beacon, and downloads the data.
This library of information is then sold to online fraud organisations, which make bogus charges to the card.
As much as $5 million a month is stolen from visitors to Cancun who have used independent (non-bank) ATMs with these data-stealing systems installed, Krebs claimed.
Krebs said that this new technology far outstrips any ATM data-theft method that has come before it.
‘When you think that traditional ATM skimmers rely on hidden camera technology and false PIN pads, then this is a huge leap forward in cyber theft,’ he said.
‘Hidden cameras need to be replaced and recharged every 12 hours because they’re filming continuously,’ he said.
‘These Bluetooth beacons can sit gathering data for months, and it takes only five seconds to wirelessly access all of that information without ever touching the ATM.’
Krebs, whose website tracks the latest trends in cyber crime, says that the only way for an ATM to be compromised is through the complicity of the technician who looks after it.
‘There have been reports of men with Eastern European accents approaching technicians and offering them over 100 times their salary for access to the inside of the ATMs they supervise’, Krebs told MailOnline.
The Russian mafia on Mexico’s Caribbean coast is a well-known criminal organisation.
‘These ATM technicians earn very little, so a couple of thousand dollars is hard for them to turn down, although organised crime in the Cancun region is very brutal.
‘It would be just as easy for them to send them a picture of their child as a threat’, he said. ‘That wouldn’t surprise me at all’.
‘We know the technicians are complicit because only they have access to the manufacturers’ security keys’, he said. ‘It’s only them that can install these devices to the keypad and inner circuitry’.
The compromised ATMs that Krebs found transmitted a Bluetooth network signal which appeared as ‘Free2Move’.
Brian found the same signal, a closed network needing a passcode to access it, at 19 separate stand-alone ATMs throughout Cancun, Playa del Carmen, Tulum and Cozumel, the most popular resorts along Mexico’s Caribbean coast.
He even found a compromised ATM inside the Marriott hotel where he stayed in Cancun, the first port of call on his trip, he claimed.
He said he found three others in the $600-per-night exclusive Barcelo resort, multiple in the resort’s popular Caracol shopping centre, and even one in Cancun’s international airport.
A spokeswoman for the Barcelo Costa Cancun resort stated that ‘the hotel is unaware of any wrongdoing connected with their ATMs.’
She added: ‘We the staff have used these cash machines for years and never encountered any fraudulent activity on our bank statements.’
‘We have a tendency to think badly about Mexico because of these kinds of unchecked security breaches,’ Krebs told MailOnline, ‘but this could just as easily occur in the United States.
‘For a stand-alone ATM to be profitable it needs around 500 transactions per month.
‘If you can compromise just one machine and charge each additional card with the average $500, then you’ve made a quarter of a million.’
‘So how hard can it be to bribe a single technician when you’ve got multiple ATMs collecting your data?’
MailOnline found a website specialising in ATM skimming technology, which sells the same equipment that Brian Krebs found being used in Mexico.
For just $550 one website sells equipment that has allowed Mexican cyber thieves to steal millions risk-free.
A legitimate Swedish company of the same name produces the ‘Free2Move’ Bluetooth beacon used in the ATM skimming technology.
Cyber thieves reprogram the hardware to store card data once inside the ATM.
‘The best advice I can give to people wanting to avoid these scammers is to always use ATMs inside banks,’ says Brian.
‘Bank-owned machines have dedicated staff supervising them, while independent stand-alone machines like the ones you find in hotels, supermarkets and shopping malls have a single and much more corruptible technician who supervises a network of them.’
‘Either that or always use your credit card.’
Many travel companies warn tourists of the rampant scams that abound in Cancun. USA Today claims that ‘while most local criminals are not looking to hurt you, they do want to take money from unsuspecting tourists.’
Other common Cancun scams include petty thieves dressing as hotel staff and demanding additional fees, dressing as police officers and demanding bribes from tourists driving rental cars, or shining shoes while an accomplice picks the client’s pocket.
The Cancun District Attorney’s Office refused to reply to MailOnline’s repeated requests for comment. The Casa Magna Cancun Marriott declined to comment.
Krebs’ three-part investigation into ATM-skimming in the world’s most popular resort is serialised on his website.