This article was published on September 20, 2017

Someone finally made an app to detect credit card skimmers at the gas pump


Someone finally made an app to detect credit card skimmers at the gas pump Image by: SparkFun

In less than 30 seconds a hacker can install a $10 piece of pre-built hardware – easily purchased online – into a gas pump. This device is called a skimmer and it’s designed to get your credit card number when you use it at the pump.

A clever developer came up with a somewhat simple approach to protecting yourself at the gas station. The CEO and Founder of SparkFun, Nate Seidle, along with programmer Nick Poole, built a free, open-source Android app to detect popular skimmers.

The app detects a specific Bluetooth signal and, if found, it tries to establish a connection and send a command that will verify the existence of a skimmer in your general area. The app is looking for Bluetooth networks with an ID of HC-05, which turned out to be the default on devices Seidle tested; if it finds one you’ll be alerted.

SparkFun’s Bluetooth device-detecting app is called Skimmer Scanner and it’s a bare-bones tool that appears to work as intended. It’s free and open-source and the developer says it doesn’t keep or record any information.

In a fantastic blog post detailing a complete dissection of several of the devices, Seidle explains that most of the criminals are dealing in bulk:

The designers of this skimmer were smart, it’s better to make these devices easy to connect to than to add a layer of security. What’s the worst that could happen? The device is detected and removed from the pump. Meanwhile, 10 more have been deployed for a total cost of $100.

The only tool necessary is a key to unlock the pump. The locks are basic and there are no more than a few different key designs for all gas pumps – master keys for the model.

This isn’t new; for decades, criminals have been using various computer hardware devices to intercept credit card numbers during transactions. But hardware hacking is no longer the domain of only talented – albeit shady – individuals. It’s the purview of anyone with a laptop, a car, and the stolen credit card information necessary to buy an easily made piece of hardware online.

While I haven’t had the opportunity to ride around looking for skimmers yet, I can happily confirm that there are no skimmers scamming in my office.

Update 2:30 PM CST 9/20: Updated to clarify that Nick Poole wrote the application and Nate Seidle researched the skimmers.

Get the TNW newsletter

Get the most important tech news in your inbox each week.

Also tagged with


Published
Back to top