Last week we reported on some work that SparkFun had done in reverse engineering a type of hardware card skimmer found installed in gasoline pumps that incorporate card payment hardware. The device in question performed a man-in-the-middle attack: a PIC microcontroller programmed to listen to the serial communications between the card reader and the pump computer, and then store the captured card data in an EEPROM.
The devices featured a Bluetooth module through which the crooks could harvest the card details remotely, and this in turn provides a handy way to identify them in the wild. If a Bluetooth device at the pump advertises the expected module name and accepts the expected default password, a simple challenge-and-response test then confirms it as a skimmer. And to make that extra-easy SparkFun had written an app, which when we reported on it was available from a GitHub repository.
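The three-stage check described above (advertised name, default password, then a probe and expected reply), as an added example that is not part of the original post or of SparkFun's app. Everything specific in it is an assumption: the HC-05 default name and PIN, the single-byte probe and reply, the device records and the fake Bluetooth link. A real scanner would swap the fake connector for an RFCOMM library, but the classification logic is the same.

```python
"""Offline model of the Bluetooth skimmer check: name -> PIN -> probe/response.

All constants and device records below are constructed for this example;
the page only says 'the right identification and the right password'.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

DEFAULT_NAME = "HC-05"      # assumed default advertised name of the module
DEFAULT_PIN = "1234"        # assumed default pairing PIN
PROBE = b"P"                # assumed probe byte sent once connected
EXPECTED_REPLY = b"M"       # assumed reply the skimmer firmware returns


@dataclass(frozen=True)
class BtDevice:
    address: str
    name: str


class Link:
    """Minimal serial-over-Bluetooth interface the detector relies on."""

    def exchange(self, data: bytes, timeout: float = 1.0) -> Optional[bytes]:
        raise NotImplementedError


# connect(device, pin) -> an open Link, or None if pairing with that PIN fails
Connector = Callable[[BtDevice, str], Optional[Link]]


def classify(device: BtDevice, connect: Connector) -> str:
    """Apply the name -> PIN -> probe/response filter to one discovered device."""
    if device.name != DEFAULT_NAME:
        return "ignore"              # not the module family the skimmers use
    link = connect(device, DEFAULT_PIN)
    if link is None:
        return "hc05_custom_pin"     # stock name but the PIN was changed
    reply = link.exchange(PROBE)
    if reply == EXPECTED_REPLY:
        return "skimmer"             # name, PIN and response all match
    return "hc05_other"              # some hobby project using a stock module


def scan(devices: List[BtDevice], connect: Connector) -> List[Tuple[str, str]]:
    """Classify every discovered device; returns (address, verdict) pairs."""
    return [(d.address, classify(d, connect)) for d in devices]


# --- constructed test double standing in for a real Bluetooth stack ----------
class FakeLink(Link):
    def __init__(self, reply: Optional[bytes]):
        self._reply = reply

    def exchange(self, data: bytes, timeout: float = 1.0) -> Optional[bytes]:
        return self._reply if data == PROBE else None


def make_fake_connector(table: Dict[str, Tuple[str, Optional[bytes]]]) -> Connector:
    """table maps address -> (PIN the device accepts, reply it gives to PROBE)."""
    def connect(device: BtDevice, pin: str) -> Optional[Link]:
        accepted_pin, reply = table[device.address]
        return FakeLink(reply) if pin == accepted_pin else None
    return connect


# Constructed scan results: one skimmer, one innocent HC-05, one re-PINned HC-05, one speaker.
SAMPLE_DEVICES = [
    BtDevice("00:11:22:33:44:55", "HC-05"),
    BtDevice("00:11:22:33:44:66", "HC-05"),
    BtDevice("00:11:22:33:44:77", "HC-05"),
    BtDevice("AA:BB:CC:DD:EE:FF", "JBL Flip 4"),
]
SAMPLE_BEHAVIOUR = {
    "00:11:22:33:44:55": ("1234", b"M"),
    "00:11:22:33:44:66": ("1234", b"\x00"),
    "00:11:22:33:44:77": ("9876", b"M"),
    "AA:BB:CC:DD:EE:FF": ("0000", None),
}


def run_sample() -> Dict[str, str]:
    return dict(scan(SAMPLE_DEVICES, make_fake_connector(SAMPLE_BEHAVIOUR)))


if __name__ == "__main__":
    for addr, verdict in run_sample().items():
        print(f"{addr}  {verdict}")
```

Note what the verdicts mean: the check fingerprints a default configuration, nothing more. A deployer who renames the module or changes the PIN drops out of the "skimmer" bucket, and anyone can make a stock module return the same reply, so a hit is a reason to report the pump, not proof on its own.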
In a public-spirited move, they are now calling upon the hardware hacker and maker community to come together today, Monday, September 25th, and draw as much attention as possible to these devices in the wild, and with luck to get a few shut down. To that end, they have put a compiled version of the app in the Google Play Store to make it extra-easy to install on your phone, and they are asking for your help. They are asking for people to first read their tutorial linked above, then install the app and take it on the road. Then should any of you find a skimmer, please Tweet about it including your zip code and the #skimmerscanner hashtag. Leave the hardware in place and report it to the station and the police rather than pulling it out yourself; tampering with it destroys evidence. Perhaps someone with a bit of time on their hands might like to take such a feed of skimmer location data and map it.
It would be nice to think that this work might draw attention to the shocking lack of security in gas pumps that facilitates the skimmers, disrupt the finances of a few villains, and even result in some of them getting a free ride in a police car. We can hope, anyway.
Gasoline pump image: Michael Rivera [CC BY-SA 3.0].
I’m guessing it *may* say it on the linked site (not read it yet) but do not remove the scanner – instead contact enforcement who can do so.
You’re dealing with criminals who, while they will likely do a runner the moment they notice someone has spotted their scanner, may also act in undesirable ways – and you’d also invalidate any evidence by interfering with it.
Oh and I should say in the UK at least, you’re going to get shouted at if you’ve got your phone out and start waving it around the pump. While unlikely, it is possible it could spark (especially if you dropped it and the battery came out), causing an explosion if there are fumes/spilt fuel.
There’s very little credible evidence that cell phones are the culprits of pump fires rather than static electricity from the driver or passengers. Unless you use your phone next to the fuel port, and even then, you’re gonna have a lot of trouble starting a fire.
That and the UK doesn’t use stripe, so any MitM attack is several orders of magnitude more difficult and costly.
EMV has been broken for quite some time. Shimmers are well known and easily acquired by criminal organizations or tech savvy crooks.
* citation needed
https://krebsonsecurity.com/tag/emv/
Unlike mag stripe attacks, holes in EMV, especially against skimming attacks, get plugged.
Leithoa, maybe you should inform the European criminal organizations, cause they seem to have missed the memo. Skimming attacks have been decimated at the very least. There currently are no known practical attacks on pure EMV systems. All criminals are doing at the moment is skimming old magstripe data and trying to use it in areas that have not made the transition yet.
@Leithoa
What “shimmers” do is skim magstripe data from the chip. They simply use this magstripe data at locations using magstripe.
Of course it will be processed as a magstripe transaction, and the bank can of course take action and refund skimmed customers.
So once the legacy systems are discontinued, both magstripe, and “magstripe data” on the EMV card, all “shimming” and “skimming” problems will disappear, in an instant.
The magstripe data on the chip however contains an iCVV, a dynamic CVV that is a counter encrypted with the bank’s key, so the transactions must be in order. So if a criminal skims the chip magstripe data, he must use it before the legit card owner uses the card at another location.
Leithoa is right on EMV.
https://www.csoonline.com/article/3114245/cyber-attacks-espionage/crooks-are-selling-a-skimmer-that-works-on-all-chip-card-readers.html
Right now it’s taking advantage of static data but it’s only a matter of time before they can even break those without it.
I’ve seen people say something is unhackable many times before and in the end it gets broken.
MythBusters did their best and couldn’t get any cell phone to start the fire.
I remember this one as well. They had trouble getting a spark plug to detonate the vaporous-gasoline environment.
I’m old enough to remember where this particular piece of hysteria came from. The CB craze, when people started having radio transmitters on cars. And here we are, nearly 40 years later…
If you attempt to remove the skimmer yourself you will probably end up as a suspect.
You are seriously worried that we would consider breaking into gas pumps if we saw an HC-05 announcing its presence in the vicinity of a gas station? Thanks for the confidence.
I know that people have found faceplates on ATM machines over here, and removed them… which has prompted issues with the people who were watching said ATM machines.
“In a public-spirited move, they are now calling upon the hardware hacker….”
They being Sparkfun?
Preferably, or in addition to using the hashtag, call your local weights and measures regulators / auditor to alert them to the compromise. Perhaps even notify the local police (if it’s a big city, the FBI/Secret Service) or the gas station so they can prevent people from being scammed.
Check out https://twitterfall.com/ you can search for your area and any hashtag(s) you want. Get updated info for your area.
I found the link to share
https://twitterfall.com/?trend=%23skimmerscanner%21%231F3547
Not a single one showing up at ^ $date right now
For an in-depth baseline about Skimmers see this aggregated “All About Skimmers” link-list by Brian Krebs:
https://krebsonsecurity.com/all-about-skimmers/
Note: This SparkFun app seems to only sniff for type-specific “HC-05” skimmers that are deployed with default login settings. This detection method has been known for quite some time. Those deploying these skimmers know this too, and mitigation is trivial.
This means the real effectiveness of the SparkFun app is likely very small – especially since it seems they released this app in a way to gain large media coverage.
I smell a Marketing ploy here: SparkFun releases a next to useless skimmer detector app, and gets HUGE free press coverage from the “Technically Clueless Mainstream-Media”.
Unfortunately, it seems HaD is caught-up this time in the “Technically Clueless Mainstream-Media” category with this post. No background information on skimmers provided, no critical analysis of the worth of the SparkFun app. Sigh…
Hey, I’m still fending off a zillion spammers a day with greylisting, and the mitigation for that is trivial, too. You could be completely right in your skepticism, but I imagine it will take a new revision in the “supply chain” before most of the mitigation takes place. Not every crook is a mastermind.
@WJCarpenter, Who the heck are you?! What does your post actually mean?
It may have also just been a move on Sparkfun’s side to show cooperation to authorities who constantly pressure them to give out information of costumers who buy certain parts from their site to build such devices.
What do people in costumes have to do with anything?
As the SparkFun article points out, these skimmers seem to be made for people who aren’t too tech-savvy. On the three devices they got their hands on, the main board was soldered in a very clean way (using stencils and everything) but it was clear the cable was soldered on by someone else who didn’t know what they were doing.
So it seems the ones deploying the boards are simply users (and again, they point this out in their writeup) that get the boards and some app to use it. Changing the ID and password will only complicate things for them. Plus, by making the boards more unique you might be putting yourself at risk: if you’re a suspect and you have the app on your phone, including specific IDs, that could be proof. Otherwise you could maybe say you just downloaded this app out of curiosity or something like that..
I’m sure SparkFun won’t mind the publicity, but saying it’s a marketing ploy seems a bit harsh. Sure, the app might not work on all devices, but hey, it’s a start and at least people get to know about these kind of tricks.
So can you spoof this and cause FUD at the pumps?
Yep.
Cool concept, but surely the first priority upon finding one is to call the police instead of tweeting about it?
Does anybody have plans that I can use to build an HC-05 throwie?
B^)
Better than taking the skimmer would be an app that silently alters the firmware in the scanner such that it scrambles up the stored data, as well as anything written to it in the future such that it’s useless. Not corrupts it, but mixes the data up such that it appears valid, but is useless, like putting John Doe’s PIN with Mary Jane’s card number and Joe Blow’s name, either that or some sort of malware that will lie dormant on the skimmer until the data is downloaded from it, at which point it packs up relevant data from the scammer’s PC along with collected data, and sends it to the local FBI office.
Just glanced through the article, didn’t know if it said anything about chip readers??
Or does it matter? Whatever goes through the credit card reader, stripe or chip, will it read them both?
has anyone actually found one? I visited about a dozen stations myself, with no hits, and the twitter tag doesn’t seem to have any positive hits whatsoever marked….
Now we wait until someone comes up with the idea to push malware (tracker?) onto the skimmer’s device when he collects the data (BlueBorne, anyone?).
I expect such a thing to become common as more people start paying with their phone, unless people wake up and realize there is a risk that comes with the convenience.
The article says we should all contact our representatives to pass a bill fining gas stations $100 for every swiped credit card found on a skimmer. So, gas station owners will find a skimmer, and then will have the choice of paying thousands of dollars in fines… or just throwing away the skimmer. Which do you suppose they will do?
The reality is that merchants need to be forced to stop accepting swiped transactions. EMV shifted the cost of a fraudulent swiped transaction to the merchant, but that’s not enough — lots of merchants are willing to absorb the occasional cost of your $9 coffee and croissant, if it means paying by card takes a quarter of the time. Instead, make that $9 plus a $1000 fine! Merchants will upgrade, and mag stripes will be worthless.
Gas pumps are a target because merchants don’t get charged back for fraudulent transactions — it’s on the banks. The deadline was moved from Oct 2017 to Oct 2020 apparently because gas pumps are too hard/expensive to convert. And also, banks make a lot of money from gas station transactions…
I used to work on ATMs. One particular unit had a problem that a certain deputy would pull out cash, but if he used his police radio, the EMF would fry the main circuit board and the ATM was out of service until we replaced the board.
Is “Rob” your name, or what you do?
B^)
Both
So, is the app free of spyware/adware?