Seriously, Is It That Easy To Skim Cards?

We’ve all heard of card skimmers, nefarious devices attached to ATMs and other machines that steal the identity of credit and debit cards from the unsuspecting consumers who use them. Often they have relied on physical extraction of data from the card itself, such as by inserting a magnetic stripe reader in a fake ATM fascia, or by using a hidden camera to catch a picture of both card and user PIN entry.

The folks at Sparkfun write about an approach they received from a law enforcement agency bearing a selection of card skimmer devices that had been installed in gasoline pumps. These didn’t rely on interception of the card itself; instead they sat as a man-in-the-middle attack in the serial line between the card reader unit and the pump electronics. Let that sink in for a minute: a serial line that is readily accessible to anyone with the pump manufacturer’s standard key carries card data in an unencrypted form. The owner of the skimming device is the criminal, but the company leaving such a wide-open vulnerability should really be joining them in having to answer to authorities.

The Skimmer Scanner app may help keep you safe.

The device itself is quite simple and well-executed, though it appears that attachment of wires and connectors is a job left to the crook. Some boards boast excellent soldering, while others have joints that are, well, simply criminal. On the board is a PIC microcontroller, a serial Flash chip, and a commodity Bluetooth module. This last component provides the means for the miscreant to harvest their ill-gotten gains, and incidentally a handy means by which compromised pumps can be identified. The Sparkfun people have provided an Android app that interrogates any modules it encounters, and warns of any that return the signature of a skimmer.

It is sad to say that some level of crime is an inevitable feature of the human condition, and therefore it should not be an unreasonable expectation that any entity with which we trust our sensitive data such as a credit card number should take reasonable steps to ensure its security. If a bank transported customer cash through the streets as bundles of $10 bills in open handcarts it is likely that they would get into trouble very quickly, so that the pump manufacturers send card information in the clear over such a readily accessible medium should be a scandal of similar magnitude. That financial institutions prefer to cover up the problem and shift the loss onto the gas stations rather than mandate better device security from the pump manufacturers speaks volumes about their misplaced priorities.

If this topic interests you, we’ve shown you a teardown of a more traditional skimmer in the past.

Thanks [CYK] for the tip.

Sparkfun’s Alternate Reality Hardware

SparkFun has a new wing of hardware mischief. It’s SparkX, the brainchild of SparkFun’s founder [Nate Seidle]. Over the past few months, SparkX has released breakout boards for weird sensors, and built a safe cracking robot that got all the hacker cred at DEF CON. Now, SparkX is going off on an even weirder tangent: they have released The Prototype. That’s actually the name of the product. What is it? It’s a HARP, a hardware alternate reality game. It’s gaming, puzzlecraft, and crypto all wrapped up in a weird electronic board.

The product page for The Prototype is exactly as illuminating as you would expect for a piece of puzzle electronics. There is literally zero information on the product page, but from the one clear picture, we can see a few bits and bobs that might be relevant. The Prototype features a microSD card socket, an LED that might be a WS2812, a DIP-8 socket, a USB port, what could be a power switch, a PCB antenna, and a strange black cylinder. Mysteries abound. There is good news: the only thing you need to decrypt The Prototype is a computer and an open mind. We’re assuming that means a serial terminal.

The Prototype hasn’t been out for long, and very few people have one in hand. That said, the idea of a piece of hardware sold as a puzzle is something we haven’t seen outside of conference badges. The more relaxed distribution of The Prototype is rather appealing, and we’re looking forward to a few communities popping up around HARP games.

Reflective Sensor Becomes Kart Racing Lap Counter

Once you have a track and a kart to race on it, what’s missing? A lap counter that can give your lap times in hardcopy, obviously! That’s what led [the_anykey] to create the Arduino-based Lap Timer to help him and his kids trim those precious seconds off their runs, complete with thermal printer for the results.

The hardware uses an infrared break-beam sensor module (a Velleman PEM10D) to detect when a kart passes by. This module is similar to a scaled-up IR reflective object sensor; it combines an IR emitter and receiver on one end, and is pointed at a reflector placed across the track, up to 10 meters away. When a kart breaks the beam, the module reports the event to the rest of the hardware. Only needing electronics on one side allows the unit to be self-contained.

An obvious shortcoming of this system is the inability to differentiate between multiple karts, but for timing a single driver’s performance it does the trick. What’s great about this project is it showcases how accessible hardware is today; a device like this is possible to put together with what are essentially off-the-shelf components available to any hobbyist, using an Arduino as the glue to hold it together. We’d only comment that a red-tinted piece of plastic as an overlay for the red display (and a grey-tinted one for the green) would make the LED displays much easier to read. Still, this is a very clean and well-documented build. See it in action in the video embedded below.

Safe Cracking is [Nate’s] Latest R&D Project

We love taking on new and awesome builds, but finding that second part (the “awesome”) of each project is usually the challenge. Looks like [Nathan Seidle] is making awesome the focus of the R&D push he’s driving at Sparkfun. They just put up this safe cracking project which includes a little gamification.

The origin story of the safe itself is excellent. [Nate’s] wife picked it up on Craig’s List cheap since the previous owner had forgotten the combination. We’ve seen enough reddit/imgur threads to not care at all what’s inside of it, but we’re all about cracking the code.

The SparkX (the new rapid prototyping endeavor at Sparkfun) approach was to design an Arduino safe cracking shield. It has a motor driver for spinning the dial and can drive a servo that pulls the lever to open the door. There is a piezo buzzer to indicate success, and the board has a display header labeled but not in use, presumably to show the combination currently under test. We say “presumably” because they’re not publishing all the details until after it’s cracked, a process that will be live streamed starting Wednesday. This will keep us guessing on the use of that INA169 current sensor that plugs into the safecracking shield. There is what appears to be a reflectance sensor above the dial to keep precise track of the spinning dial.

Electrically this is what we’d expect, but mechanically we’re in love with the build. The dial and lever both have 3D printed adapters to interface with the rest of the system. The overall framework is built out of aluminum channel which is affixed to the safe with rare earth magnets — a very slick application of this gear.

The gamification of the project has to do with a pair of $100 giveaways they’re doing for the closest guess on how long it’ll take to crack (we hope it’s a fairly fast cracker) and what the actual combination may be. For now, we want to hear from you on two things. First, what is the role of that current sensor in the circuit? Second, is there a good trick for optimizing a brute force approach like this? We’ve seen mechanical peculiarities of Master locks exploited for fast cracking. But for this, we’re more interested in hearing any mathematical tricks to test likely combinations first. Sound off in the comments below.

SparkFun Gets Back To Their Roots With SparkX

Way back in the before years when there were still interesting concepts for reality TV, Nate Seidle blew up a power supply in his dorm room. Instead of finding replacement parts, Nate decided to start a company. For the last decade and a half, SparkFun has grown immensely, been an incredible resource for makers and engineers alike, and shipped out hundreds of thousands of their iconic red boxes.

Being the CEO of a company means you need to do CEO stuff, and a few summers ago Nate the CEO became Nate the Engineer once again. SparkFun is still doing great, but now we know what Nate has been up to these last months. He’s getting back to SparkFun’s roots with SparkX. This is the newest stuff SparkFun has to offer; there is zero documentation or support, and they’re only developing products because Nate wants to.

In a series of blog posts on the SparkFun blog, Nate goes over what is involved in building a new brand for the latest and greatest SparkFun can produce. This involves setting up the SparkX lab, getting the OtherMills pumping out circuit boards, and inevitably the occasional containment failure of the blue smoke.

The first product in the SparkX lineup, Product 0, is a breakout board for the MLX90393 magnetometer. This is a pretty nifty magnetometer that Ted Yapo over on has used to characterize magnets. Really, though, the SparkX Product 0 is exactly what it says on the tin: a breakout board that is just an experiment, comes with no guarantees or support. It is the heart of what Sparkfun set out to do twenty years ago.

Cornell Students Have Your Back

Back problems are some of the most common injuries among office workers and other jobs of a white-collar nature. These are injuries that develop over a long period of time and are often caused by poor posture or bad ergonomics. Some of the electrical engineering students at Cornell recognized this problem and used their senior design project to address this issue. [Rohit Jha], [Amanda Pustis], and [Erissa Irani] designed and built a posture correcting device that alerts the wearer whenever their spine isn’t in the ideal position.

The device fits into a tight-fitting shirt. The sensor itself is a flex sensor from Sparkfun which can detect deflections. This data is then read by a PIC32 microcontroller. Feedback for the wearer is done by a vibration motor and a TFT display with a push button. Of course, they didn’t just wire everything up and call it a day; there was a lot of biology research that went into this. The students worked to determine the most ideal posture for a typical person, the best place to put the sensor, and the best type of feedback to send out for a comfortable user experience.

We’re always excited to see the senior design projects from university students. They often push the boundaries of conventional thinking, and that’s exactly the skill that the next generation of engineers will need. Be sure to check out the video of the project below, and if you want to see more of this semester’s other projects, we have you covered there too.

The Mystery Behind the Globs of Epoxy

When Sparkfun visited the factory that makes their multimeters, they photographed a mysterious industrial process.

We all know that the little black globs on electronics have a semiconductor of some sort hiding beneath, but the process is one that’s not really explored much in the home shop. The basic story is that, for various reasons, there is no cheaper way to get a chip on a board than to use the aptly named chip-on-board or COB process. Without the expense of encapsulating the raw chunk of etched and plated silicon, the semiconductor retailer can sell the chip for pennies. It’s also a great way to accept delivery of custom silicon or place a grouping of chips closely together while maintaining a cheap, reliable, and low-profile package.

As SparkFun reveals, the story begins with a tray of silicon wafers. A person epoxies the wafer with some conductive glue to its place on the board. Surprisingly, alignment isn’t critical. The epoxy dries and then the circuit board is taken to a “semi-automatic thermosonic wire bonding machine” and slotted into a fixture at its base. The awesomely named machine needs the operator to find the center of the first two pads to be bonded with wire. Using this information it quickly bonds the pads on the silicon wafer to the board — a process you’ll find satisfying in the clip below.

The final step is to place the familiar black blob of epoxy over the assembly and bake the board at the temperature the recipe in the datasheet demands. It’s a common manufacturing process that saves more money than coloring a multimeter anything other than yellow.
