Skimmer Scanner Scammer

Once upon a time there were some bad people who decided to steal credit card numbers. These were not your elite hackers targeting online retailers, these were local criminals hacking retail card scanners. Every retailer has those machines but they are typically sitting right in front of an employee. What to do? Move the operation to the gas pumps.

The attack is relatively simple — devices called “skimmers” are installed by criminals inside gas pumps while no one is looking. Skimmers quietly steal card information in the background when people pay for their gas. The stolen card info is collected later and used without the card holder’s knowledge or consent.

The excellent folks at SparkFun, an awesome electronics company that makes dev boards and open source hardware, were recently contacted by law enforcement representatives to do a “teardown” of one of these devices. Their write-up is highly recommended reading.

One awesome artifact of their research project is a new Android app called Skimmer Scanner. This app is for use by regular people, you do not need to be any sort of technologist to use it. Check it out — when you enter a gas station, you press the Scan button and it tells you whether it detects any skimmers in the area. That’s it.

Just press the Scan button and wait a few seconds!

If it does find one, it allows you to report it:

Bad news, you should not patronize this gas station.

If not, you are good to go!

Time to fill the car with dead dinosaurs.

This app is great because it tells me where I should shop, I no longer need to make that decision by myself.

Wait. What?

Let’s clarify that. No app will cause me to go to a gas station, only the gauge needle pointing at the E will do that. So in fact, this app will tell me where I should not buy gas.

I feel some social engineering coming on. It seems plausible to scare people away from a gas station by pretending there is a skimmer nearby. Who would want to do that?

  • Unscrupulous competing gas station owners who want to drive customers to their gas stations
  • Criminals looking to extort money from gas station owners (“It would be a shame if you had no customers…”)
  • Unscrupulous customers who want the gas station all to themselves (odd, but conceivable)

Is it possible? Enter the Skimmer Scanner Scammer. This is a little doodad that has no reason to exist other than to prove it can do what it claims to do. This ugly version only took a few minutes to make, half of which was finding the parts around the work bench.

Ugly but functional.

The bill of materials is nothing more than an Arduino Mini clone, an HC-05 Bluetooth module on a 5V breakout board (since it is natively a 3.3V board), and a couple of resistors to help bring the voltage down on the transmit line (the receive is no problem, the Arduino can handle the 3.3V input just fine). Based on the description of the simple algorithm used by the SparkFun app, the software running on the Skimmer Scanner Scammer (that is waaay too fun to say) is effectively nothing more than:

    #include <SoftwareSerial.h>

    // HC-05 wired to two spare pins (pin numbers are an assumption; the post does not give them)
    SoftwareSerial hc05(10, 11);  // RX, TX

    void setup() {
      hc05.begin(9600);  // HC-05 default serial rate
    }

    void loop() {
      if (hc05.available()) {
        char oneChar = hc05.read();
        if (oneChar == 'P') {   // the app's probe byte, per SparkFun's description
          delay(100);
          hc05.write('M');      // the reply the app treats as a skimmer signature
        }
      }
    }

Does it work? Let’s turn it on and find out!

It works. Mostly pointless experiment complete. A real bad actor would move to the next steps of miniaturizing this and hiding it in something like a thumb drive but since this is an academic experiment there is no reason to go further.
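To make the limitation concrete from the app's side, here is an added simulation (not SparkFun's app code and not the sketch above) of the probe/response exchange with both parties modelled. Device names, the scan environment and the "kind" labels are constructed for the demo; the probe and signature bytes are the ones the post describes.

```python
from dataclasses import dataclass, field

PROBE = b"P"       # probe byte the scanner app sends, per the post's description
SIGNATURE = b"M"   # reply the app treats as a skimmer signature, per the post


@dataclass
class BtSerialDevice:
    """A Bluetooth serial endpoint the app can talk to (constructed for this demo).
    'kind' is ground truth that exists only in the simulation; the app never sees it."""
    name: str
    kind: str                       # "skimmer", "decoy" or "benign"
    transcript: list = field(default_factory=list)

    def exchange(self, data: bytes) -> bytes:
        # A real skimmer and a decoy answer the probe identically; a benign device ignores it.
        answers = self.kind in ("skimmer", "decoy") and data == PROBE
        reply = SIGNATURE if answers else b""
        self.transcript.append((data, reply))
        return reply


def app_scan(devices):
    """Model of the app's check: probe every reachable device and flag the ones
    that answer with the signature. Returns the names the app would flag."""
    return [d.name for d in devices if d.exchange(PROBE) == SIGNATURE]


def same_wire_behaviour(a, b):
    """True when two devices produced byte-for-byte identical exchanges,
    i.e. nothing on the wire lets the app tell them apart."""
    return a.transcript == b.transcript


def demo():
    # Constructed scan environment: one real skimmer, one decoy, one unrelated hobby board.
    skimmer = BtSerialDevice("HC-05-A", "skimmer")
    decoy = BtSerialDevice("HC-05-B", "decoy")
    hobby = BtSerialDevice("HC-05-C", "benign")
    flagged = app_scan([skimmer, decoy, hobby])
    return flagged, same_wire_behaviour(skimmer, decoy)


if __name__ == "__main__":
    flagged, indistinguishable = demo()
    print("flagged:", flagged)
    print("skimmer and decoy indistinguishable on the wire:", indistinguishable)
```

The point the simulation makes is the one the post makes in hardware: a single fixed challenge and a single fixed reply carry no information about who is answering, so a "skimmer detected" result is a lead worth reporting, not a confirmation.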

There are two simple takeaways from this exercise:

  1. Trust, in this case the trust given by a user to a recognized good actor like SparkFun, is a delicate thing. It can be subject to abuse by nefarious third parties in ways not originally intended.
  2. Social engineering comes in all shapes and sizes. Keep your guard up and stay safe out there.