Gas Pump Skimmers
What’s the first thing that should scare you? There’s three. And the next? The label ‘46’. They’ve got so many in the field criminals need to number them just to keep track.
This is the not the first or the second time SparkFun has dealt with credit card skimmers. The difference is that this time the local governmental agency politely asked for help and we’re always down for trying to put a stop to bad actors.
We were given three skimmers found installed within gas pumps with the request that we try to get the data off the board so that the agents could let those who’ve had their credit card compromised know so they can get a new card. Not great, but it’s a start. Second task: can we build a jig or system so that they can more easily poke at these systems in the future? We were able to accomplish both as well as build an app that detects known skimmer in the area.
Now, for those who don't want to read through the gritty details here's the summary of how the SparkX 'Skimmer Scanner' app works :
These skimmers are cheap and are becoming more common and more of a nuisance across North America.
The skimmer broadcasts over Bluetooth as HC-05 with a password of 1234. If you happen to be at a gas pump and happen to scan for Bluetooth devices and happen to see an HC-05 listed as an available connection then you probably don't want to use that pump.
The Bluetooth module used on these skimmers is extremely common and used on all sorts of legitimate products and educational kits. If you detect one in the field you can confirm that it is a skimmer (and not some other device) by sending the character 'P' to the module over a terminal. If you get a 'M' in response then you have likely found a skimmer and you should contact your local authorities.
How the Skimmer Scanner App Works
The Skimmer Scanner is a free, open source app that detects common Bluetooth based credit card skimmers predominantly found in gas pumps. The app scans for available Bluetooth connections looking for a device with title HC-05. If found, the app will attempt to connect using the default password of 1234. Once connected, the letter 'P' will be sent. If a response of 'M' then there is a very high likelihood there is a skimmer in the Bluetooth range of your phone (5 to 15 feet).
Skimmer Scanner is free, open source, and was available for Android . The app does not obtain or download data from a given skimmer nor does it report any information to local authorities.
If you detect one in the field let us know! We'd love to hear about it.
Do Something About It
These skimmers are most scary because there is no one being held responsible or tasked with prevention. If your credit card number is stolen you simply contact the provider and they will (usually) refund any fraudulent charges and send you a new card. In turn, the credit card companies simply do a charge back to the merchant where the fraudulent charges took place (taking the money from the merchant and refunding it to the customer whose card has been stolen). Gas stations rarely have alarms or indicators on the pumps so it's unclear if they ever know the pumps have been opened. And the fuel pump manufacturers have no incentive to install digital or audible alarms on the pumps. (That costs money.)
Reader Anthony David Adams informed us who really gets charged in these situations. You can read his response here.
Are you angry that your card has been stolen, again? Contact your local congress person or senator and ask them to pass legislation that fines gas stations $100 for every card that is discovered on a skimmer in one of their pumps. It's ultimately up to the gas stations and pump manufacturers to secure their pumps.