ICYMI: Nate's credit card Skimmer Scanner app

One small step for credit security...


Over the past few months, Nate has been working with a local law enforcement agency here in Colorado to reverse-engineer the hardware used in gas pumps to skim your credit cards. Turns out, the hardware found in some Colorado gas pumps is used by fraudsters nationwide, and can be detected via Bluetooth.

Nate and his SparkX team wrote a free app you can download here to make it easy for anyone with an Android phone to check that their credit card information is secure at the gas pump.


So far, there have been over 38,000 downloads of the app from the Google Play store! If you've found a skimmer using the app, tweet at us (@sparkfun) with the zip code where you detected one using the hashtag #skimmerscanner. If we get enough results, we can eventually use the zip codes to generate a map that will show us how widespread the use of skimmers actually is, without compromising individual users' privacy or exact location.

You can read Nate's full breakdown of the hardware below, and learn more about his investigative tactics.

Gas Pump Skimmers

September 6, 2017

Teardown of gas pump skimmers along with how to detect and block them.

Hopefully the Skimmer Scanner app can get us one step closer to credit card security by encouraging a community of makers in the field to combat credit fraud.
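The post says the skimmer hardware can be detected over Bluetooth, and the comments below identify the modules involved as HC-05/HC-06 serial modules. The following is an added example (not SparkFun's app code, and not taken from the Skimmer Scanner repository) of the detection heuristic such a scanner rests on: classify a list of scan results by whether the advertised name is a factory module name. The scan results, MAC addresses and RSSI values are constructed for the example; `DEFAULT_MODULE_NAMES` holds only the two names mentioned on this page and is an assumption, not the app's real list.

```python
"""Classify Bluetooth scan results by advertised device name.

Added example modelled on the idea in the post: cheap serial Bluetooth
modules that still carry their factory name stand out in a scan.  This is
not SparkFun's app code; names, addresses and RSSI values are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Factory names of the serial modules mentioned in the page's comments.
# Assumption: illustrative only, not the real app's full match list.  A module
# whose name has been changed (as one commenter points out) will not match,
# which is the main limitation of a name-based check.
DEFAULT_MODULE_NAMES = {"HC-05", "HC-06"}


@dataclass(frozen=True)
class ScanResult:
    address: str            # Bluetooth address as reported by the scan
    name: Optional[str]     # advertised name, or None if none was returned
    rssi: int               # signal strength in dBm (more negative = weaker)


def is_default_module_name(name: Optional[str]) -> bool:
    """True if the advertised name is exactly a known factory module name.

    Comparison is case-insensitive and ignores surrounding whitespace, but is
    otherwise exact, so 'HC-05 Speaker' does not match.
    """
    if name is None:
        return False
    return name.strip().upper() in DEFAULT_MODULE_NAMES


def classify_scan(results: List[ScanResult], near_rssi: int = -80) -> Dict[str, List[str]]:
    """Bucket scan results for a user-facing report.

    suspect      - factory module name and a strong signal (likely nearby)
    suspect_weak - factory module name but weak signal (could be a neighbour)
    unnamed      - no name returned; cannot be judged by this heuristic
    other        - named device that does not match the list
    """
    report: Dict[str, List[str]] = {
        "suspect": [], "suspect_weak": [], "unnamed": [], "other": []
    }
    for r in results:
        if r.name is None or not r.name.strip():
            report["unnamed"].append(r.address)
        elif is_default_module_name(r.name):
            bucket = "suspect" if r.rssi >= near_rssi else "suspect_weak"
            report[bucket].append(r.address)
        else:
            report["other"].append(r.address)
    return report


def summarize(report: Dict[str, List[str]]) -> str:
    """One-line summary of the kind a scanner app would show the user."""
    n = len(report["suspect"])
    if n:
        return f"{n} device(s) advertising a factory module name nearby - consider reporting to the station"
    if report["suspect_weak"]:
        return "Possible module at the edge of range; move closer and rescan"
    if report["unnamed"]:
        return "No match, but some devices returned no name; result is inconclusive"
    return "No suspicious Bluetooth devices found"


# Constructed sample scan (not real captured data).
SAMPLE_SCAN = [
    ScanResult("00:11:22:33:44:55", "HC-05", -62),     # factory name, strong signal
    ScanResult("66:77:88:99:AA:BB", "JBL Flip", -70),  # ordinary named device
    ScanResult("AA:BB:CC:DD:EE:01", None, -75),        # no name returned
    ScanResult("AA:BB:CC:DD:EE:02", " hc-06 ", -88),   # factory name, weak signal
]

if __name__ == "__main__":
    rep = classify_scan(SAMPLE_SCAN)
    for bucket, addrs in rep.items():
        print(f"{bucket:13s} {addrs}")
    print(summarize(rep))
```

The "unnamed" bucket matters: a scan that returns no name is not evidence of a clean pump, so the summary marks it inconclusive rather than reporting "nothing found".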


Comments (21)

  • MomboMan / about 7 years ago * / 4

    Obligatory 'when is the iOS version going to be available' question? Awesome idea btw. Never mind, I saw the answer on Nate's original post.

    • PickledDog / about 7 years ago / 1

      I believe iOS support is impossible, since iOS doesn't allow connection to arbitrary Bluetooth Classic devices within an app (MFi certification is required). This does not apply to keyboards, audio devices, or Bluetooth Low Energy devices. I don't think the skimmers are any of the above (I'm guessing they're Bluetooth Classic Serial). This is also why iOS can't connect to Bluetooth OBD2 dongles.

    • Member #1151389 / about 7 years ago / 1

      Hi MomboMan - please can you supply the answer on the iOS app availability? I looked for this, but did not see it - thanks in advance.

  • Wayne / about 7 years ago / 2

    Is it HC-05 or HC-06? The article says HC-05 in the beginning but HC-06 later on...

  • moiven / about 7 years ago / 2

    I remember about 3 months ago I got a call from my bank (FirstBank) to let me know that they caught fraudulent activity on my debit card. Apparently the thief made a huge purchase at about $400 at a King Soopers but my bank caught it and rejected it during purchase. I believe they caught it because the thief did not use the chip or maybe because I've never shopped there. I'm not sure but I'm positive that gas pump skimming was how they got my card. I'm definitely going to participate in this because I don't want anyone else to experience this fear. Thanks Sparkfun and FirstBank!

  • Member #145744 / about 7 years ago / 2

    I like the idea but you may be more vulnerable just by enabling Bluetooth due to the recently discovered Blueborne exploit.

    https://www.engadget.com/2017/09/12/blueborne-bluetooth-exploit-ios-android-windows/

    Does Sparkfun plan to Open Source the app?

    • Hey! The scanner does not require you to leave Bluetooth on for any significant length of time. Simply open the app, give it permission to turn on Bluetooth, perform a scan, then hit the "Turn off Bluetooth and Close App" button (as of Version 4).

      And the app is absolutely open source, check it out! Skimmer Scanner GitHub Repo

      • Member #145744 / about 7 years ago / 1

        The readme.md lists a /src directory but I don't see one on the GitHub project that you linked.

  • Bob G in FLORIDA! / about 7 years ago / 2

    I have already downloaded and used it several times. I'm not sure what I would do if it ever came up with a "hit", besides just move on. Who can say if an employee of the gas station put that skimmer there?

    • Chelsea the Destroyer / about 7 years ago / 2

      Even if you believe there's a chance an employee put it there, it's still worth reporting to the station if you find one! You might save a lot of subsequent people from credit theft.

      • Bob G in FLORIDA! / about 7 years ago / 1

        Yes, that's a good point! I also wonder if there's a state agency that could be notified. While finding the info for a local police department (if you can even figure out which local jurisdiction you are in!) could be cumbersome, there would be only one number you would need for your entire state.

  • Member #1161617 / about 7 years ago / 1

    PIC chips are crazy common in oil/gas automation. Odds are whoever started mfg skimmers in bulk just tweaked a reference chip/app for decoding the magnetic pulses read by a cassette tape pickup head as the card is pulled past.

    An ESP8266, BT module and/or OLED in an Altoids tin would make a fairly compact standalone skimmer scanner.

    As does a $10 Android phone from the dollar store...

    I use those and "obsolete" phones as cheap dashcams via DVR app. Scanning for skimmers whenever GPS shows the vehicle stopped would be dirt simple, as would automating alerts via email/SMS.

  • Member #1156707 / about 7 years ago / 1

    Nice idea, but from my point of view a totally useless app. It is easy to change the HC-05 and/or HC-06 name and password, so the app doesn't find anything.

  • Member #645707 / about 7 years ago * / 1

    Just read a comment about making a hardware option for iOS... but if you are going that way, why not just make a stand-alone solution... I mean that's what we like about Sparkfun and this hobby :). BTW just installed on my Galaxy S8+ and it ran with no problems.

    • 172pilot / about 7 years ago / 1

      That's a great idea. I do have an android, so I'll probably download and use this app, but if I could build a bunch of small boxes to give to family and friends, that would be great... Could even be a good project for my son's boy scout troop to work on their electronics merit badge. I haven't looked at the details yet, but I'd be in for testing/helping with something like this...

      • 172pilot / about 7 years ago / 1

        Come to think of it... If Sparkfun were to start something like this, it could use phant.io to actively collect the data for the mapping of the found devices. I'd LOVE to just put a small box on my dashboard and leave it there if the range was good enough to detect from there (which I suspect it is...).

  • djbyter / about 7 years ago / 1

    Is there a hardware solution we could build to use this on iOS? Obviously we would need an external Bluetooth radio, since we can't control the one in the phone. We might be able to use personal hotspot to connect this device to the phone for read/write... an idea.
