Seek Out Scammers With Skimmer Scanner

Last week we reported on some work that Sparkfun had done in reverse engineering a type of hardware card skimmer found installed in gasoline pumps incorporating card payment hardware. The device in question was a man-in-the-middle attack, a PIC microcontroller programmed to listen to the serial communications between card reader and pump computer, and then store the result in an EEPROM.

The devices featured a Bluetooth module through which the crooks could harvest the card details remotely, and this in turn provides a handy way to identify them in the wild. If you find a Bluetooth connection at the pump bearing the right identification and with the right password, it can then be fingered as a skimmer by a simple response test. And to make that extra-easy they had written an app, which when we reported on it was available from a GitHub repository.

In a public-spirited move, they are now calling upon the hardware hacker and maker community to come together today, Monday, September 25th, and draw as much attention as possible to these devices in the wild, and with luck to get a few shut down. To that end, they have put a compiled version of the app in the Google Play Store to make it extra-easy to install on your phone, and they are asking for your help. They are asking for people to first read their tutorial linked above, then install the app and take it on the road. Then should any of you find a skimmer, please Tweet about it including your zip code and the #skimmerscanner hashtag. Perhaps someone with a bit of time on their hands might like to take such a feed of skimmer location data and map it.

It would be nice to think that this work might draw attention to the shocking lack of security in gas pumps that facilitates the skimmers, disrupt the finances of a few villains, and even result in some of them getting a free ride in a police car. We can hope, anyway.

Gasoline pump image: Michael Rivera [CC BY-SA 3.0].

39 thoughts on “Seek Out Scammers With Skimmer Scanner

  1. I’m guessing it *may* say it on the linked site (not read it yet) but do not remove the scanner – instead contact enforcement who can do so.

    You’re dealing with criminals, who while they will likely do a runner the moment they notice someone has spotted their scanner, they may also act in undesirable ways – and you’d make any evidence invalid by interfering with it also.

    1. Oh and I should say in the UK at least, you’re going to get shouted at if you’ve got your phone out, and start waving it around the pump. While unlikely, it is possible it could spark (especially if you dropped it and the battery comes out) causing an explosion if there’s fumes/split fuel.

      1. There’s very little credible evidence that cell phones are the culprits of pump fires rather than static electricity from the driver or passengers. Unless you use your phone next to the fuel port, and even then, you’re gonna have a lot of trouble starting a fire.

          1. Leithoa, maybe you should inform the European criminal organizations, cause they seem to have missed the memo. Skimming attacks have been decimated at the very least. There currently are no known practical attacks on pure EMV systems. All criminals are doing at the moment is skimming old magstripe data and try to use it in area’s that have not made the transition yet.

          2. @Leithoa

            What “shimmers” do, is skimming magstripe data from the chip. They simply use this magstripe data at locations using magstripe.
            Of course it will be processed as a magstripe transaction, and the bank can of course take action and refund skimmed customers.

            So once the legacy systems are discontinued, both magstripe, and “magstripe data” on the EMV card, all “shimming” and “skimming” problems will disappear, in an instant.

            The magstripe data on the chip however, contains a iCVV, a dynamic CVV that is a counter encrypted with the bank’s key, so the transactions must be in order. So if a criminal skims the chip magstripe data, he must use it before the legit card owner uses the card at a another location.

      2. I’m old enough to remember where this particular piece of hysteria came from. The CB craze, when people started having radio transmitters on cars. And here we are, nearly 40 years later…

  2. “In a public-spirited move, they are now calling upon the hardware hacker….”
    They being Sparkfun?

    Preferable or in addition to using the hashtag, call your local weights and measures regulators / auditor to alert them to the compromise. Perhaps even notify the local police (if it’s a big city, the FBI/Secret Service) or gas station so they can prevent people from being scammed.

  3. For an in-depth baseline about Skimmers see this aggregated “All About Skimmers” link-list by Brian Krebs:

    https://krebsonsecurity.com/all-about-skimmers/

    Note: This SparkFun app seems to only sniff for type-specific “HC-05” skimmers that are deployed with default login settings. This detection method has been known from quite some time. Those deploying this skimmers know this too, and mitigation is trivial.

    This means the real effectiveness of the SparkFun app is likely very small – especially since it seems they released this app in a way to gain large media coverage.

    I smell a Marketing ploy here: SparkFun releases a next to useless skimmer detector app, and gets HUGE free press coverage from the “Technically Clueless Mainstream-Media”.

    Unfortunately, it seems HaD is caught-up this time in the “Technically Clueless Mainstream-Media” category with this post. No background information on skimmers provided, no critical analysis of the worth of the SparkFun app. Sigh…

    1. Hey, I’m still fending off a zillion spammers a day with greylisting, and the mitigation for that is trivial, too. You could be completely right in your skepticism, but I imagine it will take a new revision in the “supply chain” before most of the mitigation takes place. Not every crook is a mastermind.

    2. It may have also just been a move on Sparkfun’s side to show cooperation to authorities who constantly pressure them to give out information of costumers who buy certain parts from their site to build such devices.

    3. As the SparkFun article points out, these skimmers seem to be made for people who aren’t too tech-savy. On the three devices they got their hands on, the main board was soldered in a very clean way (using stencils and everything) but it was clear the cable was soldered on by someone else who didn’t know what they were doing.
      So it seems the ones deploying the boards are simply users (and again, they point this out in their writeup) that get the boards and some app to use it. Changing the ID and password will only complicate things for them. Plus, by making the boards more unique you might be putting yourself at risk: if you’re a suspect and you have the app on your phone, including specific IDs, that could be proof. Otherwise you could maybe say you just downloaded this app out of curiosity or something like that..

      I’m sure SparkFun won’t mind the publicity, but saying it’s a marketing ploy seems a bit harsh. Sure, the app might not work on all devices, but hey, it’s a start and at least people get to know about these kind of tricks.

  4. Better than taking the skimmer would be an app that silently alters the firmware in the scanner such that it scrambles up the stored data, as well as anything written to it in the future such that it’s useless. Not corrupts it, but mixes the data up such that it appears valid, but is useless, like putting John Doe’s PIN with Mary Jane’s card number and Joe Blow’s name, either that or some sort of malware that will lie dormant on the skimmer until the data is downloaded from it, at which point it packs up relevant data from the scammer’s PC along with collected data, and sends it to the local FBI office.

  5. Just glanced through the article didn’t know if It said anything about chip readers??
    Or does it matter whatever goes through the credit card reader stripe or chip will it read them both

  6. The article says we should all contact our representatives to pass a bill fining gas stations $100 for every swiped credit card found on a skimmer. So, gas station owners will find a skimmer, and then will have the choice of paying thousands of dollars in fines… or just throwing away the skimmer. Which do you suppose they will do?

    The reality is that merchants need to be forced to stop accepting swiped transactions. EMV shifted the cost of a fraudulent swiped transaction to the merchant, but that’s not enough — lots of merchants are willing to absorb the occasional cost of your $9 coffee and croissant, if it means paying by card takes a quarter of the time. Instead, make that $9 plus a $1000 fine! Merchants will upgrade, and mag stripes will be worthless.

    Gas pumps are a target because merchants don’t get charged back for fraudulent transactions — it’s on the banks. The deadline was moved from Oct 2017 to Oct 2020 apparently because gas pumps are too hard/expensive to convert. And also, banks make a lot of money from gas station transactions…

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.