In less than 30 seconds a hacker can install a $10 piece of pre-built hardware – easily purchased online – into a gas pump. This device is called a skimmer and it’s designed to get your credit card number when you use it at the pump.
A clever developer came up with a somewhat simple approach to protecting yourself at the gas station. The CEO and Founder of SparkFun, Nate Seidle, along with programmer Nick Poole, built a free, open-source Android app to detect popular skimmers.
The app scans for a specific Bluetooth signal and, if it finds one, tries to establish a connection and send a command that verifies whether a skimmer is in your general area. It looks for Bluetooth devices with an ID of HC-05, which turned out to be the default on the devices Seidle tested; if it finds one, you’ll be alerted.
SparkFun’s Bluetooth device-detecting app is called Skimmer Scanner and it’s a bare-bones tool that appears to work as intended. It’s free and open-source and the developer says it doesn’t keep or record any information.
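The two-stage check described above (match the advertised name, then connect and probe) can be sketched as follows. This is an added example, not code from the Skimmer Scanner app: the probe and reply bytes are placeholders because the article does not give them, and the `Seen`, `triage` and `fake_send` names and the sample scan are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional

SUSPECT_NAME = "HC-05"       # default module name cited in the article
PROBE = b"<PROBE>"           # placeholder: the article does not give the command
EXPECTED = b"<REPLY>"        # placeholder: the article does not give the reply

@dataclass(frozen=True)
class Seen:
    """One row of a Bluetooth discovery scan."""
    address: str
    name: Optional[str]      # None when the device advertises no name

# A transport takes (address, payload) and returns the reply bytes,
# returns None on silence, or raises OSError if the connection fails.
Transport = Callable[[str, bytes], Optional[bytes]]

def triage(scan: Iterable[Seen], send: Transport) -> Dict[str, str]:
    """Stage 1: filter by advertised name. Stage 2: probe to confirm."""
    verdicts = {}
    for dev in scan:
        if (dev.name or "").strip() != SUSPECT_NAME:
            verdicts[dev.address] = "ignored"
            continue
        try:
            reply = send(dev.address, PROBE)
        except OSError:
            reply = None     # refused, out of range, or connection dropped
        # The name alone is weak evidence: HC-05 is a generic serial module.
        verdicts[dev.address] = (
            "likely skimmer" if reply == EXPECTED else "name match only")
    return verdicts

# Constructed sample data: addresses, names and replies are made up.
SAMPLE_SCAN = [
    Seen("00:00:00:00:00:01", "HC-05"),       # answers the probe
    Seen("00:00:00:00:00:02", "HC-05"),       # same name, wrong reply
    Seen("00:00:00:00:00:03", "HC-05"),       # connection fails
    Seen("00:00:00:00:00:04", "Car Stereo"),
    Seen("00:00:00:00:00:05", None),
]

def fake_send(address: str, payload: bytes) -> Optional[bytes]:
    """Stand-in for a real Bluetooth serial connection."""
    if address.endswith(":03"):
        raise OSError("connection refused")
    return {"00:00:00:00:00:01": EXPECTED, "00:00:00:00:00:02": b"ok"}.get(address)

if __name__ == "__main__":
    for addr, verdict in triage(SAMPLE_SCAN, fake_send).items():
        print(addr, verdict)
```

Keeping the name match and the probe result as separate verdicts matters because any unmodified HC-05 module advertises the same name, so a name hit alone is not proof of a skimmer.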
In a fantastic blog post detailing a complete dissection of several of the devices, Seidle explains that most of the criminals are dealing in bulk:
“The designers of this skimmer were smart, it’s better to make these devices easy to connect to than to add a layer of security. What’s the worst that could happen? The device is detected and removed from the pump. Meanwhile, 10 more have been deployed for a total cost of $100.”
The only tool necessary is a key to unlock the pump. The locks are basic and there are no more than a few different key designs for all gas pumps – master keys for the model.
This isn’t new; for decades, criminals have been using various computer hardware devices to intercept credit card numbers during transactions. But hardware hacking is no longer the domain of only talented – albeit shady – individuals. It’s the purview of anyone with a laptop, a car, and the stolen credit card information necessary to buy an easily made piece of hardware online.
While I haven’t had the opportunity to ride around looking for skimmers yet, I can happily confirm that there are no skimmers scamming in my office.
Update 2:30 PM CST 9/20: Updated to clarify that Nick Poole wrote the application and Nate Seidle researched the skimmers.