Cheap, quick and effective, credit card skimmers plague ATMs and point-of-sale posts around the world, stealing credit card numbers while being almost impossible to spot with the naked eye.
That’s why Nate Seidle, CEO of the open source electronics firm SparkFun, developed a free, open-source skimmer detection app on Android that looks for the Bluetooth signals Seidle found on the skimmers he tested.
Seidle built the app after his local police department asked him to take apart three skimmers that were found nearby gas pumps to see if it was possible to alert the victims. That was accomplished, but the developers went a step further and put together Skimmer Scanner to look for skimmers broadcasting 10-15 feet over Bluetooth as HC-O5 with the password 1234.
Skimmers take seconds to install once an attacker acquires one of the physical master keys for a gas pump or ATM, opens up the machine, unplugs the credit card reader from the main controller, plugs the reader into the skimmer and then hooks that up to the controller.
“A skimmer is basically a man in the middle attack,” Seidle explained. “The skimmer listens for all the serial traffic from the credit card reader (clear text at 9600bps) records it to an external piece of memory (flash in this case) and then passes that same serial traffic onto the pump controller. When you use one of these modified pumps, the pump controller charges your card and you’re none the wiser, but your credit card details are stored in memory.”
Seidle’s in-depth blog post on skimmers is well-worth reading as he dives into and explores the tools in rare detail.
“Years ago it took someone with knowledge and skills to build a credit card skimmer,” he explained. “Now criminals are buying these off the shelf with very little knowledge and slapping them together. It’s basic user design theory: when your customer is not so smart make it idiot proof so they don’t contact you for support. The designers of this skimmer were smart, it’s better to make these devices easy to connect to than to add a layer of security. What’s the worst that could happen? The device is detected and removed from the pump. Meanwhile, 10 more have been deployed for a total cost of $100.”
The same concept is increasingly true around much of high-tech and cybercrime. The kind of acts that used to require serious expertise can now be bought easily and cheaply from an increasingly robust crime-as-a-service economy.
You can find the app in the Google Play store.