The price we pay for convenience is sometimes vulnerability to unscrupulous people trying to steal valuable financial information. It’s not always an anonymous hacker on the internet, however — the biggest danger may be at your local convenience store. The next time you fill your tank and swipe your card, be aware that there could be a “skimmer” inside the pump, recording and storing your credit card data for later retrieval.
It turns out that it’s ridiculously easy to install a card skimmer at a point-of-sale terminal. Gas pumps are particularly vulnerable because they’re often unmanned and have a lot of traffic. Luckily, there’s a free Android app called Skimmer Scanner that can alert you if any of these devices are nearby.
A gas pump skimmer can be installed in less than 30 seconds. It records your credit card data when you fill up, then when the perpetrator returns to the scene of the crime — hours or even days later — they can retrieve all the stolen credit card info remotely with a cell phone or laptop.
Nathan Seidle, CEO of the website SparkFun, has published a detailed analysis on his blog of how these gas pump skimmers work. He was contacted by local law enforcement, who provided him with several of the skimmer devices they had found and asked if he could retrieve the data that the devices had stored.
Most skimmers use a Bluetooth connection, which can be easily detected. Seidle was amazed at the ineptitude of the criminals who designed the skimmers. “Initially this blew my mind,” he wrote. “If I were to design a bluetooth skimmer I would program the module to NOT broadcast its ID.”
He went on to add, “The soldering of the ribbon (the gray cable that connects to the credit card reader) is horrendously bad indicating the perpetrator has very little experience with soldering and probably zero experience with electronics.” Don’t count on criminal incompetence to protect you, however. “The designers of this skimmer were smart, it’s better to make these devices easy to connect to than to add a layer of security. What’s the worst that could happen? The device is detected and removed from the pump. Meanwhile, 10 more have been deployed for a total cost of $100.”
The Skimmer Scanner app checks for nearby Bluetooth transmissions and alerts you when one is detected. “Many of these devices go undiscovered until they’re removed by the scammers,” Nathan Poole (who designed the app) told ZDNet. “I think what we’ll find as more and more people use the app is that there are more skimmers out there than anyone previously thought.”
Currently, the app is only available for Android, and there are no plans for an iPhone version. The code is open source, however, so feel free to tinker away.