Comments: Gas Pump Skimmers

Pages

Comments 52 comments

  • The code isn’t that short- according to the configuration bits, everything above 0x800 is code-protected and reads out as 0x0000.

    • Yep! You’re totally right. Thanks for pointing that out. I’ve updated the tutorial.

  • So wouldn’t the easiest way to solve this problem be to make another device (equally as cheap) that’s installed deeper in the pump, which occasionally wakes up and scans for the known bluetooth device, and if found, sends the command to erase it, and disables the pump, and triggers some kind of alarm. If the thieves can use a $10 device to collect the data, there’s no reason the gas station can’t use something similar to defeat it. Seems that it would be a pretty cheap retrofit, and completely shut this nonsense down, at least until they change something. Of course just monitoring the opening of the pump, and disabling it if the opening wasn’t authorized, as others have talked about, would also work, and not have to play the cat and mouse game everytime the skimmers get modified.

    • I second that idea. I actually run several convenience stores and would be very interested if someone could build something to monitor the pumps. There is plenty of room inside them for something like this. If it could send an email with a time stamp that would make catching the person installing the skimmer much easier, as most stores have cameras recording the pumps 24/7. I have only started working with Arduinos in the past few months. I’m sure someone here can make something much better than I ever could. Even if it only monitored when the pump door was opened would be great. We don’t get into them that often.

  • Sorry in advance for the lengthy first comment, but I wanted to clarify how credit card companies handle fraud, as it’s changed in the last two years, and is still changing.

    The Payment Card Industry (PCI) defines the standards and rules for credit cards, and they have been driving banks and merchants to use the EMV standard, which (among other things) uses “chip cards” to cryptographically protect against skimming and cloning. Europe changed over to chip cards over a decade ago, but American retailers (led by the National Retail Federation, or NRF) have a powerful voice in how credit card acceptance is done in the US. They have bitterly complained that converting to EMV will take expensive cash register system changes that will bankrupt many businesses. So the PCI dragged their feet here in the US, while fraud losses continued to mount. But about 10 years ago, data breaches with millions of credit card numbers stolen started changing how the industry was impacted by fraud, and they decided they needed to change.

    However, the PCI is just an industry organization, they can’t force stores to spend the thousands of dollars it would take to buy brand new chip card readers; they can’t force banks to install new systems to issue chip cards. Instead, PCI came up with an incentive based program they called the “Liability Shift”. They picked a date and told merchants and banks to be compliant with the new rules by that date, or they place themselves at serious financial risk.

    What is the Liability Shift? In October of 2015, the PCI implemented new rules who was responsible for fraud. All fraud committed on a stolen card is now the responsibility of “the weakest link” in the security chain. ALL fraud.

    Weak links are determined by the security at each point in the card acceptance chain. Chip cards are more secure than mag stripe cards. Chip terminals are more secure than mag stripe terminals. So if a bank issues you a mag stripe card and it gets skimmed at a retailer that has a chip reader, the bank is liable for all the fraud committed with that card. If the bank issues a chip card, and it’s skimmed at a store that doesn’t have a chip reader, the store is liable. If a store has a chip card terminal, but lets their customers swipe their cards, they are still weak. A web payment page that doesn’t take CVV2 numbers is asking for trouble. A web site that stores CVV2 numbers (a total violation of the PCI Data Security Standard, PCI DSS) that gets breached could leak thousands of accounts. A payment processor handles cards from thousands of merchants, and could leak millions of accounts.

    The reason this should be very scary is that PCI means ALL FRAUD committed with a stolen card number becomes the liability of the weak link. Did the thief buy a new Ferrari with the stolen credit card? If your store or your bank or your site was determined to be the weakest link, you pay for the Ferrari. A breach anywhere, such as a few cards stolen from a deluxe hair salon that caters to millionaires that take cards with high dollar credit limits, could easily bankrupt the victim.

    Now, on to gas pump skimmers. Card readers are built into the gas pumps, and you can’t just pick up an old pump and replace it (like you could with a cash register.) Gas pumps are far more expensive to retrofit with chip readers than regular cash registers, and there are a huge number of pumps deployed around the country. So the PCI has deferred the liability shift for gas pumps to 2020. But it’s coming.

    Even with all this incentive, US business have still been incredibly slow to convert over to chip readers. Less than half of the retailers take chip cards. After their initial reluctance, US banks have embraced chip cards. Banks understand the risks much better than the merchants. But bankers have failed at convincing their clients to convert their cash registers.

    There’s far more going on here, of course; so if you have questions or corrections, feel free to post them as replies to this comment. But I hope this intro helps people better understand who ends up paying for the fraud.

    • Thank you very much for the elaborate explanation. So these card skimmers can only steal card / transaction details from magnetic stripes? In my country, only chip & pin is allowed so there is no point in even downloading the app right?

      thank you in advance.

      • It’s still possible to copy an account number from a skimmer attached to a chip reader, but without a valid CVV or CVV2, it’s very hard for the thief to profit from them. Thieves have been known to use account data stolen from EU countries to make online purchases from poorly protected US sites, but I’ve not heard of an incident where the stolen data originated from a chip card.

        It’s a really hard-to-exploit flaw. I don’t think you have nearly as much to worry about as an American with a mag stripe card!

  • To clarify – when a CC company does a chargeback, they take the money back from the merchant where the stolen cards/numbers were used. This article makes it sounds as if they take the money from the gas station at which the were skimming took place – and that is incorrect.

    I wrote a medium post with more detail on this here: https://medium.com/@anthonydavidadams/credit-card-skimmers-sparkfun-8ea3b7340a17

    • Hi Member 1144207 - Thanks for the article! I updated the tutorial. I completely agree - SparkFun looses money (and by loose, I mean we have money taken directly from our checking account) every time an order is reported as lost or is purchased with a stolen credit card. Just like your article points out it’s extremely painful. We’ve learned hundreds of lessons over our 15 years of business and have put many safeguards in place but we will never get to zero.

      As a credit card holder I’m pleased I don’t have to pay for fraudulent charges. But as a business owner it seems odd that the onus of responsibility to prevent fraud is put on the hundreds of thousands of small businesses rather than the 3 or 4 large credit card companies. I very much dislike the system but I am forced to play the game.

  • The thing about most pump companies is they’re Cheap; if the hardware wasn’t designed 30 years ago then they’re not interested. The card reader interface is almost certainly raw TTL data with a Card Present (!CP) line and one pair of !CLK/!DAT lines for each track read (so 2 pair in this case). It’s up to the software to determine if the data is being read forward (card inserted) or reversed (card removed) and to verify the LRC. Look for MagTek’s “I/O Interface for TTL Magnetic Stripe Readers, Technical Reference Manual” for more info.

    • The pinout is mentioned in this document on page 7: https://www.magtek.com/content/documentationfiles/d99875139.pdf 3rd party clock and data magstripe readers (mostly from Magtek) were standard in the industry for many years. Only with the new shift to EMV is that changing.

    • Excellent! Thank you Lonewolf and 2094.

  • Awesome article. FYI: I think the PIC firmware seems tiny because the code protect bits are set (location 0x300008 is 0x00). With these bits set to zero, the ROM from 0x000800 to 0x007FFF will read as zero. And indeed, that entire space is filled with zero. Also, the reset vector begins with a branch to location 0x001ACA, which is all zeroes, so I’m pretty sure most of the actual firmware is missing due to the code protection.

  • In the article you switch between HC-05 in the first half and HC-06 in the detailed breakdown. Warnings referencing this article only seem to mention HC-05 as it’s the most prominent ID in the first part of the article, are both being used in the wild?

    • We visually compared what is in our hands with what the various manufacturers call ‘HC-06’. All three modules identify over the air as ‘HC-05’. My guess is that there is an app that the criminals created that look for HC-05. As the hardware changes, it may be easier for them to re-program the Bluetooth module ID than it is for the criminals to go back and update software that pulls down the card data.

      To add to the confusion, there are dozens of manufacturers of very similar Bluetooth modules using the CSR chipset. The HC-06 model from one company may be called the HC-05 or HC-03 from another company.

  • Hi Nate , Im a petroleum service technician (I Install and repair gas stations ) and have been in the industry for close to 30 years and work on most manufactures dispensers (aja what people call pumps). Ulimately the problem could be fixed by convenience store owners changing the default locks on dispensers. There are many after market locks that can be added to prevent avvess to the electronics cabinets. These could be purchased for around $100-200 depending how many fueling positions are at a site. Any questions you may have I would be happy to help. Just respond to this and I can provide you with an email address to correspond. Thank you for your time.

  • Hi, i am a gas station owner in florida and i have been hit 3 times already. The local cops just come and take the skimmers and nobody gets caught, we never hear from them again. Im tired of this already. I have scanned my pumps and found one thats broadcasting its name as linvor. I did a google search and found out its a HC-06 which is basically a skimmer. I am not going to take it off yet, i wanna catch these crooks once and for all. My question is, after connecting to it with an android or even a laptop, how can i retrieve the credit card numbers. Im doing this so i can identify my customers and tell them to ask their banks to do an investigation and hopefully get a picture of one of the guys taking out money from the ATM, so i can spot them next time they come to harvest their numbers. If you do not want to say it here in public, you can email me (richardspade999@gmail.com). Thank You!

  • I ran the skimmer scanner three times tonight at 3 local gas stations. 1. 7-11 and it foudn two devices which it said were not skimmers. Odd! 2. Racetrack which installed new card readers recently 0 found. 3. Sunco on the way home. 0 found.

    Is it possible that the 7-11 has skimmers, but you cannot login? They have 14-16 gas pumps and would be a good target. the youtube page here shows newer skimmers Is is possible they have changed the password and you detect them, but cannot login? https://www.youtube.com/watch?v=3z2lQSjSHb0

    • Nate / last year / 1

      The Skimmer Scanner scans for all the bluetooth devices in the vicinity and displays the MAC address of any bluetooth devices detected. I often see 3-4 devices around and these are just normal bluetooth devices (headphones, cars, remote speakers, etc). There’s no need to worry about those. There is a non-zero chance one of those bluetooth devices is a skimmer that is different from the one we built the app for but it’s hard to say for sure.

  • There has been a recent spat of these in Longmont. I attempted to relay this page and the app to my office, but was shut down. Our office manager made an inquiry to the Longmont Police Department and was told that this app was just a scam and to not install it. According to the police department there is no way to protect yourself or detect skimmers.

    Not that it makes a difference, but I thought you may want to know if only for trivia or conversational purposes.

    • Nate / last year / 1

      Thanks for the heads up. I’m not sure who or what they are talking about. We have worked with their office before. <shrugs>

      When in doubt, check the source! That’s why we enjoy open source so much: you can view what the app is doing. Namely, here is where we pass the letter ‘P’ to the unit after HC-05 has been detected and a password of 1234 works.

  • Thanks for great post about skimmers. You work made me interested to take a look in firmware that this device has. And it seems I am looking on some sort of bootloader. It is kind a hard to read this assembly language, but it seems, that actual firmware is loading from EEROM to the memory and executes from 0x082A location.

    Disassembled code could be found here

  • do you really need the app? why not just do a ‘scan’ for available bluetooth devices and if you see HC-05 alert the station attendant…

  • are the skimmers under question used to read only the magnetic stripe or the chip as well?

    • These devices only skim the mag stripe. Skimming the data between the chip and the reader doesn’t produce enough information to create a cloned card, so it’s essentially worthless to the thieves.

  • Do credit card skimmers used on ATMs work in the same manner (e.g. bluetooth)? Can this app be used for detection of credit card skimmers on ATMs?

    • Some ATM skimmers have used Bluetooth (http://krebsonsecurity.com/2010/07/skimmers-siphoning-card-data-at-the-pump/ ); others use GSM modules, ( http://krebsonsecurity.com/2010/06/sophisticated-atm-skimmer-transmits-stolen-data-via-text-message/ ), while really older ones use SD cards that must be manually harvested. See https://krebsonsecurity.com/all-about-skimmers/ for a long list of articles about skimmers.

  • The base board is very likely a surplus item intended originally for another purpose. While I don’t see this particular one on eBay, there are literally millions of surplus assemblies of this general nature available online. That likely explains the high quality of the base board and the use of EoL components. I’ll be one can find a “kit” for a few bucks online to make your own skimmer along with instructions.

    On another note, there are literally dozens of bluetooth monitoring apps for IoS available from the chip manufacturers, and some parts vendors. I have 16 different ones on my personal phone (yes, I know this is a danger sign)… Not saying you should be porting the app to IoS, but perhaps one of these existing apps can work to detect the skimmers with little or no modification.

  • ——————– Frequently Asked Questions (FAQ) ——————–

    • Will there be an iOS version of the Skimmer Scanner app? I checked with someone from the SparkX team that worked on the project and there are no current plans for development with SparkFun. At the time, they did not have a Mac to develop an app for iOS users. I do not have that much experience with iOS phones but I believe that iOS devices require a special iAP bluetooth protocol, which may not be compatible. However, the code is open source [ https://github.com/sparkfunX/Skimmer_Scanner ] and there are people that have forked the repository. It’s possible that someone in the community may be working on an iOS app.
  • According to the PIC18F4450 datasheet, the chip has 3 levels of code protection for each of 3 memory blocks (Boot: 0-0x7ff, block1: 0x800-0x1fff & block2: 0x2000-0x3fff) From the posted hex file, it appears the only active code protection is to prevent external readers from accessing block1 and block2. Inter-block read protection is not active. If you still have the devices and want the actual skimmer code it should be a trivial task to add new code in the boot block that will read and dump the contents of block1 and block2.

  • I would upgrade the app to once it discovers a skimmer, send the ‘E’ command to lock it up. I don’t know how often the power to the pump is recycled, but it’s got to make it difficult for the bad guys to retrieve their ill-gotten data.

    • We pondered this and then realized that modifying anything about the device would be tampering. Best to leave it to the user to contact the authorities.

    • Nope. Leave it alone, and report it to the police. Don’t tamper with the evidence; let the cops decide how to handle it.

  • I read that newer pumps require encryption and will make this kind of skimming obsolete. Can anyone comment on how to identify encrypted vs free Text? Also, my guess is that the process of cycling old pumps out of service will tak time. Could anyone comment on how long.

    My point here is to get a sense of how long this sort of skimming will go on. If it’s a long time, then I would like to help my local law enforcement. I would like to see if I can get the plans an code for Nate’s war driving version. I would build it and give it to the local cops.

    Thanks

    • If the pump takes chip cards (the kind you leave in the reader slot until the screen says “approved”) then the transaction data is safe (even if it’s not properly encrypted, the chip generates a digital signature that keeps the transaction safe.). If it’s a swipe reader (the kind where you insert and ‘quickly remove’ your card) it’s garbage, regardless of their claims of encryption.

  • I’m loading the APP now, gonna go drive around collecting boards to prototype with ;)

  • In terms of who pays… Right, the business where the crooks use the stolen card have to eat the charge back. Also, if a particular business gets enough charge backs, then the credit card company will increase the fee the company pays on all their charges. For instance, a small business might have a deal where they pay 2.5% in credit card fees. Then they get a bunch of charge backs from fraudulent credit cards - maybe through no fault of their own - and the credit card company ups their fee to 3%. For a company doing mostly credit card payments you just lost 0.5% of margin; and I think it can get worse. The increased fees across your whole business might be a lot more than the actual fraud. I’ve always wondered if fraud was actually a money maker for the credit card companies. Does anyone know?

  • keeping passwords and id’s at factory defaults is better for the criminal. Otherwise, they could tie a particular device back to a specific criminal if law enforcement gets access to their phone or device used to pull the cc’d numbers .

  • I don’t think the klaxon idea is a good idea.

    A better idea is this: Have a password hash stored in a ROM circuit somewhere in the pump. Then have a battery backed SRAM, connected to a leaf switch on the pump. This battery backed RAM also have a IR diode that can receive data from a remote.

    If the pump is opened, the cleartext password is deleted from the battery backed SRAM, causing the password to no longer match the hash inside ROM. Upom this detection, it would be best to just have it to disable the pump and also completely remove power from the card reader.

    When a approved technician is going to repair the pump, he does his repair as normal. When he then closes the cover, the pump will now refuse to start up (as the password does not match the hash). To reset this, the technician would then use a IR remote to re-instate the password inside the battery backed RAM.

    And if the pump is disabled due to a cleared password, the technician then knows somebody has poked inside without authorization.

    • For the last few years PCI has required pump companies to encrypt data flowing between card reader and internal electronics. These types of skimmers are only effective against older hardware.

  • About the app … thanks for making it, but it crashes during scan for me. Others have reported this in the ratings section on Google Play. The BT scan starts finding devices but crashes before coming back. FWIW, my phone is a Google Nexus 5 running Android 6.0.1. If there is any diagnostic info I can gather for you, I’d be happy to help, and I’d also be happy to try pre-release versions is you work on fixing it. (Oh, I’m testing in my house, so I’m /pretty/ sure it’s not a case of a skimmer becoming sentient and fighting back. But you never know.)

    • My apologies. We are hardware nerds and this is our first attempt at a mobile app. The app source is open and we desperately need assistance making the app better. If you think you can help, please submit a pull request, we would be thrilled!

  • Instead of an Android phone or porting to Apple, what about a Raspberry pi zero wireless scanner with battery, small touch screen and a project case? The kind of thing many makers/geeks might want to carry around anyway…… Just a thought.

    • We built a longer range scanner using our BlueSMiRF Gold module connected to an Arduino with a GPS module and SD shield for logging. Works great for war driving but we wanted a mobile app to enable ten of thousands of regular readers rather than a few hundred who would have the chops to assemble something on their own.

      If you end up building a scanner please post it and let us know! I’d be thrilled to read about it.

      • Great article. do you have a breakdown or tut on the longer range scanner you built? I would be pumped (no pun intended) to build one and see what it finds.

  • Brilliant article. Will this ever exist for iOS devices? Referring to the app btw….

    • To be honest, we are complete noobs when it comes to mobile app design. We are hardware people through and through (as I hope the tutorial demonstrates). We’ve released the code open source and hope that someone can help us compile and release the app for iOS.

    • Not a fully featured one, at least until the criminals upgrade to Bluetooth Low Energy. Apple just doesn’t support the Bluetooth Classic Serial Port Protocol on iOS, preferring with their own pay-to-play iAp. If they were smart they’d replace the Bluetooth module not with a BLE module, but long range 900MHz-ish radio so they wouldn’t have to return to the scene of the crime over and over. Thank $DIETY script kiddies ain’t that bright.

  • Two things - first, if you’re going to be doing a bunch of these (from the sound of it you might be), get some pogo pins and mill or 3D print a jig.

    Edit - for replacing the EEProm clip you can likely make a clamshell style one… if you have to deal with a bunch of different board sizes but they’re all similar layouts, you might benefit from starting from a 3d-printed table vice model - there are a few floating around on thingiverse

    Second, I’d be curious to know how many skimmers are reported by gas station owners or maintenance people. I’d think you’d want them as an ally in finding the source of these crimes, and I’d worry that a law which fines them would give them a strong incentive not to report. I’m sure that there are cases where they are the perpetrator, but I’d be surprised if most of the pump station owners/operators wouldn’t consider themselves victims of this crime as well. Fining them would just increase the number of people injured by the crime and make it harder to track back to its root cause.

  • Law enforcement notifying people that their cards might be compromised sounds helpful, but wouldn’t the baddies who read the data be most likely to clear the device’s memory after they’ve read it? (So, any numbers law enforcement (or other good guys) find on these devices have probably not actually been read yet?)

    • We had that confusion as well and the data supports it: we found only a few card numbers on the units given when I would expect dozens or hundreds of reads per day at a given pump. The criminals must download the data and clear the previous records almost daily. Getting the un-downloaded data and contacting those credit card holders seems odd but that’s what we were asked to do.


If you've found a bug or have other constructive feedback for our tutorial authors, please send us your feedback!