ICYMI: Nate's credit card Skimmer Scanner app

One small step for credit security...

Favorited Favorite 3

Over the past few months, Nate has been working with a local law enforcement agency here in Colorado to reverse-engineer the hardware used in gas pumps to skim your credit cards. Turns out, the hardware found in some Colorado gas pumps is used by fraudsters nationwide, and can be detected via Bluetooth.

Nate and his SparkX team wrote a free app you can download here to make it easy for anyone with an Android phone to make sure your credit card information is secure at the gas pump.

alt text

So far, there have been over 38,000 downloads of the app from the Google Play store! If you've found a skimmer using the app, tweet at us (@sparkfun) with the zip code where you detected one using the hashtag #skimmerscanner. If we get enough results, we can eventually use the zip codes to generate a map that will show us how widespread the use of skimmers actually is, without compromising individual users' privacy or exact location.

You can read Nate's full breakdown of the hardware below, and learn more about his investigative tactics.

Gas Pump Skimmers

September 6, 2017

Teardown of gas pump skimmers along with how to detect and block them.

Hopefully the Skimmer Scanner app can get us one step closer to credit card security by encouraging a community of makers in the field to combat credit fraud.

Comments 21 comments

  • MomboMan / about 6 years ago * / 4

    Obligatory 'when is the iOS version going to be available' question? Awesome idea btw. Never mind, I saw the answer on Nate's original post.

    • PickledDog / about 6 years ago / 1

      I believe iOS support is impossible, since iOS doesn't allow connection to arbitrary Bluetooth Classic devices within an app (MFi certification is required). This does not apply to keyboards, audio devices, or Bluetooth Low Energy devices. I don't think the skimmers are any of the above (I'm guessing they're Bluetooth Classic Serial). This is also why iOS can't connect to Bluetooth OBD2 dongles.

    • Member #1151389 / about 6 years ago / 1

      Hi MomboMan - please can you supply the answer on the iOS app availability? I looked for this, but did not see it - thanks in advance.

  • Wayne / about 6 years ago / 2

    Is it HC-05 or HC-06? The article says HC-05 in the beginning but HC-06 later on...

  • moiven / about 6 years ago / 2

    I remember about 3 months ago I got a call from my bank (FirstBank) to me know that they caught fraudulent activity on my debit card. Apparently the thief made a huge purchase at about $400 at a King Soopers but my bank caught it and rejected it during purchase. I believe they caught it because the thief did not use the chip or maybe because I've never shopped there. I'm not sure but I'm positive that gas pump skimming was how they got my card. I'm definitely going to participate in this because I don't want anyone else to experience this fear. Thanks Sparkfun and Firstbank!

  • Member #145744 / about 6 years ago / 2

    I like the idea but you may be more vulnerable just by enabling Bluetooth due to the recently discovered Blueborne exploit.


    Does Sparkfun plan to Open Source the app?

    • Hey! The scanner does not require you to leave Bluetooth on for any significant length of time. Simply open the app, give it permission to turn on Bluetooth, perform a scan, then hit the "Turn off Bluetooth and Close App" button (As of Version 4)

      And the app is absolutely open source, check it out! Skimmer Scanner GitHub Repo

      • Member #145744 / about 6 years ago / 1

        The readme.md lists a /src directory but I don't see one on the github project that you linked.

  • Bob G in FLORIDA! / about 6 years ago / 2

    I have already downloaded and used it several times. I'm not sure what I would do if it ever came up with a "hit", besides just move on. Who can say if an employee of the gas station put that skimmer there?

    • Chelsea the Destroyer / about 6 years ago / 2

      Even if you believe there's a chance an employee put it there, it's still worth reporting to the station if you find one! You might save a lot of subsequent people from credit theft.

      • Bob G in FLORIDA! / about 6 years ago / 1

        Yes, that's a good point! I also wonder if there's a state agency that could be notified. While finding the info for a local police department (if you can even figure out which local jurisdiction you are in!) could be cumbersome, there would be only one number you would need for your entire state.

  • Member #1161617 / about 6 years ago / 1

    Pic chips are crazy common in oil/gas automation. Odds are whoever started mfg skimmers in bulk just tweaked a reference chip/app for decoding the magnetic pulses read by a cassette tape pickup head as the card is pulled past.

    An esp8266, bt module and/or oled in an altoids tin would make a fairly compact standalone skimmer scanner.

    As does a $10 Android phone from the dollar store...

    I use those and "obsolete" phones as cheap dashcams via DVR app. Scanning for skimmers whenever GPS shows the vehicle stopped would be dirt simple, as would automating alerts via email/SMS.

  • Member #1156707 / about 6 years ago / 1

    Nice idea, but from my point of view totally useless app. Is easy change HC-05 and/or HC-06 name and password, so app dont find anything.

  • Member #645707 / about 6 years ago * / 1

    Just read a comment to make a hardware option for iOS .... but if you are going that way, why not just make a stand-alone solution ... I mean that's what we like about Sparkfun and this hobby :). BTW just installed on my Galaxy S8+ and it ran with no problems

    • 172pilot / about 6 years ago / 1

      That's a great idea. I do have an android, so I'll probably download and use this app, but if I could build a bunch of small boxes to give to family and friends, that would be great... Could even be a good project for my son's boy scout troop to work on their electronics merit badge. I haven't looked at the details yet, but I'd be in for testing/helping with something like this...

      • 172pilot / about 6 years ago / 1

        Come to think of it.. If Sparkfun were to start something like this, it could use the phant.io to actively collect the data for the mapping of the found devices. I'd LOVE to just put a small box on my dashboard and leave it there if the range was good enough to detect from there (which I suspect, it is..)

  • djbyter / about 6 years ago / 1

    Is there a hardware solution we could build to use this on ios? Obviously we would need an external bluetooth, since we can't control the one in the phone. We might be able to use personal hotspot to connect this device to the phone for read/write .. an idea.

Related Posts

GEO Week 2024

Recent Posts

GEO Week 2024


All Tags