ICYMI: Nate's credit card Skimmer Scanner app

One small step for credit security...


Over the past few months, Nate has been working with a local law enforcement agency here in Colorado to reverse-engineer the hardware used in gas pumps to skim your credit cards. Turns out, the hardware found in some Colorado gas pumps is used by fraudsters nationwide, and can be detected via Bluetooth.

Nate and his SparkX team wrote a free app you can download here to make it easy for anyone with an Android phone to check that their credit card information is secure at the gas pump.


So far, there have been over 38,000 downloads of the app from the Google Play store! If you’ve found a skimmer using the app, tweet at us (@sparkfun) with the zip code where you detected one using the hashtag #skimmerscanner. If we get enough results, we can eventually use the zip codes to generate a map that will show us how widespread the use of skimmers actually is, without compromising individual users' privacy or exact location.

You can read Nate’s full breakdown of the hardware below, and learn more about his investigative tactics.

Gas Pump Skimmers (September 6, 2017): Tear down of gas pump skimmers along with how to detect and block them.

Hopefully the Skimmer Scanner app can get us one step closer to credit card security by encouraging a community of makers in the field to combat credit fraud.


Comments (25)

  • Obligatory ‘when is the iOS version going to be available’ question? Awesome idea btw. Never mind, I saw the answer on Nate’s original post.

    • I believe iOS support is impossible, since iOS doesn’t allow connection to arbitrary Bluetooth Classic devices within an app (MFi certification is required). This does not apply to keyboards, audio devices, or Bluetooth Low Energy devices. I don’t think the skimmers are any of the above (I’m guessing they’re Bluetooth Classic Serial). This is also why iOS can’t connect to Bluetooth OBD2 dongles.

    • Hi MomboMan - please can you supply the answer on the iOS app availability? I looked for this, but did not see it - thanks in advance.

  • Is it HC-05 or HC-06? The article says HC-05 in the beginning but HC-06 later on…

  • I remember about 3 months ago I got a call from my bank (FirstBank) to let me know that they caught fraudulent activity on my debit card. Apparently the thief made a huge purchase at about $400 at a King Soopers but my bank caught it and rejected it during purchase. I believe they caught it because the thief did not use the chip or maybe because I’ve never shopped there. I’m not sure but I’m positive that gas pump skimming was how they got my card. I’m definitely going to participate in this because I don’t want anyone else to experience this fear. Thanks Sparkfun and Firstbank!

  • I like the idea but you may be more vulnerable just by enabling Bluetooth due to the recently discovered Blueborne exploit.

    https://www.engadget.com/2017/09/12/blueborne-bluetooth-exploit-ios-android-windows/

    Does Sparkfun plan to Open Source the app?

    • Hey! The scanner does not require you to leave Bluetooth on for any significant length of time. Simply open the app, give it permission to turn on Bluetooth, perform a scan, then hit the “Turn off Bluetooth and Close App” button (As of Version 4)

      And the app is absolutely open source, check it out! Skimmer Scanner GitHub Repo

  • I have already downloaded and used it several times. I’m not sure what I would do if it ever came up with a “hit”, besides just move on. Who can say if an employee of the gas station put that skimmer there?

    • Even if you believe there’s a chance an employee put it there, it’s still worth reporting to the station if you find one! You might save a lot of subsequent people from credit theft.

      • Here in AZ, I’d be inclined to report it to the local police department (on their non-emergency number). Or maybe the state Bureau of Weights & Measures, which is supposed to check every pump every couple of years for accuracy, and puts a label with their 800 number on it for reporting problems.

        Another possibility is the “investigative reporting” team for local TV stations…

      • Yes, that’s a good point! I also wonder if there’s a state agency that could be notified. While finding the info for a local police department (if you can even figure out which local jurisdiction you are in!) could be cumbersome, there would be only one number you would need for your entire state.

  • FWIW, I always pay cash for gas. If someone wants to “skim” the serial numbers off my “yuppie food stamps”, then that’s an issue between them and the Secret Service, but of no concern to me!

    • Cash is inconvenient sometimes but not as inconvenient as identity theft! I still use my card at the pumps but there is no better security than just paying cash.

      • Hey Nick! When do you come back on front of the videos? We miss you ;)

        • And I miss all of you!

          It has taken some time to get back at it after returning from SparkX, but I just shot the Product Showcase for this week, so you’ll be seeing me soon!

      • For many years, I stuck to using Arco gas because they had “pay-on-the-island” machines, though you still had to go into the store to get your change. Unfortunately, they recently went the way of the dodo. (The thought had occurred to me to make an ADA complaint, but I never did.)

  • PIC chips are crazy common in oil/gas automation. Odds are whoever started mfg skimmers in bulk just tweaked a reference chip/app for decoding the magnetic pulses read by a cassette tape pickup head as the card is pulled past.

    An esp8266, bt module and/or oled in an altoids tin would make a fairly compact standalone skimmer scanner.

    As does a $10 Android phone from the dollar store…

    I use those and “obsolete” phones as cheap dashcams via DVR app. Scanning for skimmers whenever GPS shows the vehicle stopped would be dirt simple, as would automating alerts via email/SMS.

  • Nice idea, but from my point of view a totally useless app. It is easy to change the HC-05 and/or HC-06 name and password, so the app doesn’t find anything.
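The name-based heuristic this comment is criticising, and its blind spot, as an added example that is not code from the Skimmer Scanner app or from SparkFun. It assumes the app flags devices still advertising the stock HC-05/HC-06 module name (the page does not state the app's exact logic), and the scan output below is constructed in the layout `hcitool scan` prints.

```python
import re

# Stock advertised names of the HC-05/HC-06 serial modules the article
# associates with skimmers. Matching on these names alone is an assumption
# about the app's logic, used here to show why a renamed module slips through.
DEFAULT_MODULE_NAMES = {"HC-05", "HC-06"}

# Constructed sample in the layout `hcitool scan` prints: a "Scanning ..."
# header, then one tab-separated "<address>\t<name>" line per device found.
SAMPLE_SCAN = """Scanning ...
\t00:11:22:33:44:55\tHC-05
\t66:77:88:99:AA:BB\tGalaxy S8+
\tCC:DD:EE:FF:00:11\thc-06
\t22:33:44:55:66:77\tPumpService
"""

SCAN_LINE = re.compile(r"^\s*([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\t(.*)$")


def parse_scan(output):
    """Return (address, name) pairs from hcitool-style output, skipping the header."""
    devices = []
    for line in output.splitlines():
        match = SCAN_LINE.match(line)
        if match:
            devices.append((match.group(1).upper(), match.group(2).strip()))
    return devices


def flag_default_modules(devices):
    """Flag devices whose advertised name is a stock module name (case-insensitive)."""
    return [(addr, name) for addr, name in devices
            if name.upper() in DEFAULT_MODULE_NAMES]


def scan_report(output):
    """Split a scan into flagged devices and the rest. The rest is where a
    module renamed to something like 'PumpService' hides: by name alone it
    is indistinguishable from a legitimate device, which is the blind spot."""
    devices = parse_scan(output)
    flagged = flag_default_modules(devices)
    flagged_addrs = {addr for addr, _ in flagged}
    unflagged = [d for d in devices if d[0] not in flagged_addrs]
    return flagged, unflagged


if __name__ == "__main__":
    hits, rest = scan_report(SAMPLE_SCAN)
    for addr, name in hits:
        print(f"possible skimmer module: {name} at {addr}")
    print(f"{len(rest)} device(s) not matched by name; a renamed module would be here")
```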

  • Thought you might like to know this: I sent an e-mail to the Phoenix ABC affiliate’s “head” investigative reporter on Monday, Sept. 25 – they ran a story on it on the 6:00 PM news on Friday, Sept. 29. I noticed the SF logo on the screenshots that they showed, so hopefully it will get rather unproductive to try to install skimmers!

  • Just read a comment to make a hardware option for iOS… but if you are going that way, why not just make a stand-alone solution… I mean that’s what we like about Sparkfun and this hobby :). BTW just installed on my Galaxy S8+ and it ran with no problems

    • That’s a great idea. I do have an android, so I’ll probably download and use this app, but if I could build a bunch of small boxes to give to family and friends, that would be great… Could even be a good project for my son’s boy scout troop to work on their electronics merit badge. I haven’t looked at the details yet, but I’d be in for testing/helping with something like this…

      • Come to think of it.. If Sparkfun were to start something like this, it could use the phant.io to actively collect the data for the mapping of the found devices. I’d LOVE to just put a small box on my dashboard and leave it there if the range was good enough to detect from there (which I suspect, it is..)

  • Is there a hardware solution we could build to use this on ios? Obviously we would need an external bluetooth, since we can’t control the one in the phone. We might be able to use personal hotspot to connect this device to the phone for read/write .. an idea.
