Skimmer Scanner
September 20, 2017 11:31 AM

Card skimming (previously) is a practice where thieves will place a secondary card reader over the primary card reader of a gas pump, which will then collect and store the information of any card used at that pump. As this scam proliferates, more and more scammers are using cheap skimmers that they buy off of the Internet, which they do not configure, making them detectable through the Bluetooth capabilities of your average smartphone. An open source (GitHub) app called the Skimmer Scanner (Android only, available through the Play Store) automates this process even further, and its author provides an in-depth tutorial about card skimming, and how to avoid it.
posted by codacorolla (38 comments total) 47 users marked this as a favorite
 
Fucking douchebag scammers! I'm so paranoid about this shit that I go inside the bank to get money and gas station to use my credit card anymore. Thanks so much for the post, codacorolla.
posted by strelitzia at 11:45 AM on September 20, 2017 [3 favorites]


I'm installing the hell out of this.
posted by Holy Zarquon's Singing Fish at 11:46 AM on September 20, 2017


Skimmer Scanner does nothing but crash on my android device. Oh well, maybe it'll get a patch.
posted by agentofselection at 11:48 AM on September 20, 2017 [1 favorite]


I got skimmed last year and it was a huge disruption to my life that I'm still annoyed about. Haven't paid at the pump since.
posted by Pope Guilty at 12:03 PM on September 20, 2017 [5 favorites]


I've switched to only using Mobil stations with the SpeedPass thingy so I can start the pump and pay all from the app.

I'm sure there's a huge security hole in that too that we'll discover in a year or two but hey, no skimming! I only let my card get hijacked by real hackers.
posted by JoeZydeco at 12:05 PM on September 20, 2017


If someone found the means to install it, can't they find the means to de-install it and then read it offline without the use of bluetooth. It seems like that would be the next 'advance' and render these apps obsolete if they become widely used.
posted by vacapinta at 12:05 PM on September 20, 2017


So like, given that you find a skimmer, and they seem to all use the default settings, wouldn't this also work as a way to scam the skimmers by stealing their CC's first?
posted by pwnguin at 12:08 PM on September 20, 2017


a few years ago, after a visit to New York, I found that my checking account had been emptied, and when I got to a computer and reviewed my recent transactions, I noted that over the last four days, somebody had been driving Queens, hitting a bunch of ATMs and just making continuous withdrawals of my checking account up to the daily limit. I called my bank, and we sorted it out. They gave me a new ATM card and restored the stolen funds, then initiated a police investigation. When I asked what their theory was, they provided their main working theory that it was just someone who installed a skimmer on the ATM machine that I used and a hidden webcam to capture my PIN entry. They at least knew which ATMs the thief had visited and so they were hoping to investigate via security camera footage for each of the locations as well as the ATM where the skimmer was installed.

To that conservative quote that: "every liberal is a conservative who hasn't been mugged yet" ... I am generally pro-privacy and anti-surveillance, but in that one week of getting my bank account restored, if I could've had access to every one of those security cams, I'd replay them all to the point of obsession.
posted by bl1nk at 12:08 PM on September 20, 2017 [6 favorites]


If someone found the means to install it, can't they find the means to de-install it and then read it offline without the use of bluetooth. It seems like that would be the next 'advance' and render these apps obsolete if they become widely used.

This specifically targets off-the-rack skimmers that are installed without any changes to their default settings. Anybody who's even marginally careful can avoid it, but enough assholes aren't that you can still use it to avoid many skimmers that might otherwise get your info.
posted by Holy Zarquon's Singing Fish at 12:13 PM on September 20, 2017 [3 favorites]


Last December, my bank debit card got skimmed at a gas station. I didn't find out about it until a couple of weeks later when my bank froze my card. The bank told me to cut up my debit card and a replacement card would be sent with a new, uncompromised number. So, I waited and waited, but the new card didn't come, so I was without a debit card. But I made do, and it was just one more thing to carry around in my wallet.

Two days ago, I get a new debit card in the mail. This one has a chip in it. That's good, I'm thinking. So I call to activate my card, and the automated system says they have no record of my existence. This is funny, since I have been a customer of this bank since literally before it existed. A big bank bought my tiny hometown bank, and then that bank was sold to an even BIGGER bank.

Finally, after waiting on hold for about a half hour, I get a human being on the phone. I tell the woman at the bank call center my story, and she promptly hangs up on me. Now I'm mad. I call again, wait for a half hour on hold again, and get another banker on the phone. This person does not hang up on me. Instead, she asks a lot of probing questions, including querying me about recent debits. Finally, she says that the card I'm trying to activate has been reported for fraud, but she admits she thinks I am who I say I am.

How can this be reported for fraud? I ask. I JUST got the card yesterday. Turns out, they had reissued the card with the same number that had been skimmed ten months ago. The woman on the other end of the phone said they would send me a new card with a new number. I told her I'm not holding my breath.
posted by vibrotronica at 12:19 PM on September 20, 2017 [23 favorites]


I saw an article last year that claimed almost all skimmers just slide over / in the real card slot, and that if you simply grab the card slot and tug before using, you can be fairly certain it's legit if it doesn't move on the tug.
posted by COD at 12:20 PM on September 20, 2017 [1 favorite]


Cool. I installed Skimmer Scanner and scanned my office. It found my boss's Bose wireless speakers, so it's clearly doing something.

Yay!
posted by cooker girl at 12:23 PM on September 20, 2017 [4 favorites]


If someone found the means to install it, can't they find the means to de-install it and then read it offline without the use of bluetooth. It seems like that would be the next 'advance' and render these apps obsolete if they become widely used.

It's way more risky for the crook to come back and tamper with the gas pump every time they want more CC numbers than it is for them to just buy gas normally while a laptop under the passenger seat collects the info.
posted by aubilenon at 12:23 PM on September 20, 2017 [5 favorites]


I saw an article last year that claimed almost all skimmers just slide over / in the real card slot, and that if you simply grab the card slot and tug before using, you can be fairly certain it's legit if it doesn't move on the tug.

Yeah, I have read that as well, and always make sure to touch the slot at an ATM or gas station. I hope it's true; I've never touched one that seemed to have been tampered with. Definitely going to look at that app, though.
posted by briank at 12:26 PM on September 20, 2017 [1 favorite]


Since I've started walking around with a cane more of the time, I've started using Apple Pay more frequently, since it's easy to use one-handed as opposed to pulling out my wallet and fishing out the card I want to use. This weekend I found myself filling my gas tank, and idly wishing the station had Apple Pay - then realizing I don't remember seeing it at any gas pump. Are there reasons for this (or is it just that I haven't come across it)? Is it just technological inertia on the part of the gas station owner? Or is Apple Pay not as secure in this context for some reason that I'm not aware of?
posted by nickmark at 12:28 PM on September 20, 2017


nickmark: some gas stations support wireless payment: see here and here to start. I'm sure Apple is getting there with some proprietary gas station... iGas? The iPump?
posted by Snowishberlin at 12:38 PM on September 20, 2017 [1 favorite]


I've always given the card slot a good yank before I use an ATM. Is that not enough?
posted by Ampersand692 at 12:42 PM on September 20, 2017


Skimmer Scanner does nothing but crash on my android device. Oh well, maybe it'll get a patch.

An update was pushed out to the play store within the last hour that seems to fix the crashing issue, at least on my phone.

I've always given the card slot a good yank before I use an ATM. Is that not enough?

Not in this case. The skimmers in this article are installed inside the housing of the gas station pump, and cannot be seen or pulled out through the card slot.
posted by blakewest at 12:44 PM on September 20, 2017 [4 favorites]


The skimmers in this article are installed inside the housing of the gas station pump, and cannot be seen or pulled out through the card slot.

Yeah, that's alarming. I always do the "give it a look over and a yank" before using the cardreader at a pump, but these are completely invisible to that.
posted by We had a deal, Kyle at 12:49 PM on September 20, 2017


There are also deep-insert skimmers that are literally shoved inside the card slot and have a slim enough hardware profile to not be visible unless you specifically know they're in there. Security expert Brian Krebs has been on this beat for a while now.
posted by Strange Interlude at 12:53 PM on September 20, 2017 [3 favorites]


I just installed Skimmer Scanner, and learned that somebody nearby has a Tile stuck to something, so at least that part works.

Also, it asks for access to your location, but I have mine turned off, and it still worked.
posted by Faint of Butt at 1:00 PM on September 20, 2017


You all need to be really careful with this.

In addition to this, which is cute, there is a widely-known set of zero-interaction bluetooth vulnerabilities in the wild right now, and there are almost certainly people who are thinking about how to weaponize this in the context of skimmers and scanning tools.

You should have bluetooth turned off if you're not using it, particularly if you're not 100% confident in your patch level or concerned about your overall security posture.
posted by mhoye at 1:15 PM on September 20, 2017 [14 favorites]


This is why my debit card is still in mint condition, while my credit card looks like it's been to hell and back.

At least when (not if) my card gets skimmed my actual money won't be at risk.
posted by steamynachos at 1:56 PM on September 20, 2017 [10 favorites]


You should have bluetooth turned off if you're not using it

Just be careful if you plan to upgrade to iOS 11 this week. Turns out that switching off Bluetooth and Wifi from the control panel doesn't do what you think it does.
posted by JoeZydeco at 1:57 PM on September 20, 2017 [4 favorites]


I get my gas at Costco and spoke to the gas station attendant who said that Costco always has someone patrolling the pumps and they check each pump every 15-20 minutes.
posted by FJT at 2:08 PM on September 20, 2017 [4 favorites]


OK, on that blueborne bluetooth exploit, WTF do we do as consumers if our phone manufacturer, in this case Samsung, basically blows off fixing it? I mean, I can't afford to buy a new phone, but this definitely makes me rethink my "loyalty", such as it is, to Samsung.
posted by maxwelton at 2:17 PM on September 20, 2017


thanks for this. I installed the app. I keep my bluetooth turned off most of the time except while I'm driving so I can use handsfree stuff (and listen to my Spotify), so it'd be also useful to run the app whenever I pull up to a pump.
posted by numaner at 2:33 PM on September 20, 2017


Is "I live in Oregon" the "I don't even have a TV" for this thread?
posted by rifflesby at 2:55 PM on September 20, 2017 [15 favorites]


> I get my gas at Costco and spoke to the gas station attendant who said that Costco always has someone patrolling the pumps and they check each pump every 15-20 minutes

Every hour, according to the guy I asked at my Costco. You've got faster nogoodniks in your neighborhood.
posted by The corpse in the library at 4:24 PM on September 20, 2017


OK, on that blueborne bluetooth exploit, WTF do we do as consumers if our phone manufacturer, in this case Samsung, basically blows off fixing it?

I think the options are really just "live without bluetooth" or "use bluetooth and hope nobody does anything bad". Of course you could do a blend of the two - disable it until you need it, then turn it on and hope nobody does anything bad, and then disable it again.
posted by aubilenon at 4:43 PM on September 20, 2017


I think the options are really just "live without bluetooth" or "use bluetooth and hope nobody does anything bad". Of course you could do a blend of the two - disable it until you need it, then turn it on and hope nobody does anything bad, and then disable it again.

Also consider leaving bad reviews for your device if it's still new enough that people might be buying it from the places where you might leave reviews, and consider switching manufacturers for your next. I know I'm not likely to buy another Motorola until they reconsider their security update policy.
posted by radwolf76 at 5:46 PM on September 20, 2017


I'm still wondering what happened to my debit card a number of years ago. I had used it at a gas pump two days before Christmas and then found out a couple of weeks later it must have been lost right after (as it was the last transaction on it). I also found out almost $1000 had been withdrawn from my account using the card. My bank said it had occurred from an ATM at the nearest location on Christmas Eve. It being a special day, it was easy for me to remember I had actually been talking to my coworker and her boyfriend at work at that very moment—we didn't close till later in the afternoon. I was also sure I hadn't withdrawn any amount of money anywhere close to that time having already finished all my Christmas shopping. The bank refused to do anything. I reported it to the police who then threatened to charge me with mischief for making a false claim as the bank's video apparently showed me making the withdrawals. It really messes with a person's mind to have that happen. I know for sure but having no way of proving that it was absolutely not me, my coworker verified my alibi, no money or purchases ever showed up in case I forgot, and I also didn't drink, don't have amnesia or the like, etc., etc. My best theory is that the pump had a skimmer, although none was reported, I coincidentally lost my card, and the bank faked a time stamp to avoid repaying...?
posted by blue shadows at 7:24 PM on September 20, 2017 [1 favorite]


Any chance of a similar app for iPhone?
posted by anshuman at 8:25 PM on September 20, 2017


So is this still a risk in Oregon and New Jersey, where attendants have to pump gas for you?
posted by gottabefunky at 8:54 PM on September 20, 2017 [1 favorite]


Is it just technological inertia on the part of the gas station owner? Or is Apple Pay not as secure in this context for some reason that I'm not aware of?

In some places - here in the UK for example - there are regulations against using any mobile phone in a gas station. I gather that some 1990s - or maybe even earlier - studies were run which looked at the risk of something like a phone falling out of a car door, causing the battery to come off and hence creating a spark that could ignite vapour. These days such risks are unlikely to be realistic - and of course pretty much everybody has a switched-on phone with them when filling the car. But the signs warning drivers not to use a phone are still there - and this could be an obstacle to getting an industry-sanctioned use of a payment technique like ApplePay.

A quick search would seem to indicate that the scam is less common in "chip and PIN" countries - where both the CC number and a PIN (and information from the chip) are needed - this does not mean it stops everybody.
posted by rongorongo at 12:37 AM on September 21, 2017


>> OK, on that blueborne bluetooth exploit, WTF do we do as consumers if our phone manufacturer, in this case Samsung, basically blows off fixing it?

> I think the options are really just "live without bluetooth" or "use bluetooth and hope nobody does anything bad".
Unfortunately, the big picture right now is that the mobile-device security situation is a tire fire. Carriers routinely ship devices that are vulnerable and outdated before you take them out of the box, and with the exception of iPhones, generally carriers have no incentive to permit, much less test and ship, security patches of any kind, much less OS upgrades. So they don't. Right now if you care about device security you should get a current-generation iPhone, keep it updated and replace it when it goes off support. The second-best option is to get one of Google's flagship phones directly from Google. Everything else is basically managing impossible-to-judge risks, which is roughly the same as saying "ignore it and get on with your life."

Use a six-digit or longer numeric passcode to boot and unlock your phone. Turn off bluetooth if you're not using it. If you believe yourself to be at near-term risk (state, domestic, other) turn off biometric auth.
posted by mhoye at 8:32 AM on September 21, 2017


Any chance of a similar app for iPhone?

Possibly. An iOS version would likely be able to detect a device named "HC-05", but that's about it. This is due to how Apple exposes Bluetooth functionality to third party developers (in a manner suitable for the App Store).

For the technically inclined: It looks like the Android version creates a serial connection between the phone and the skimmer; this is used to verify the skimmer by sending it a few commands. On iOS, there isn't a simple way to do that (I haven't had a chance to play with the new L2CAP streams in 11 yet though). Also, the Android app can automatically pair with the peripheral with a PIN (because hey, who really wants explicit permission to bond?), whereas on iOS, the user would be prompted.
posted by bonje at 8:48 AM on September 21, 2017
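The comments above describe the app's two-stage approach: a passive scan looks for devices advertising the module's default name, and only then is an active serial check used to confirm a hit. The passive stage on its own is noisy, which is why people in this thread see their boss's Bose speaker or a neighbour's Tile show up. The following is an added example (not code from the Skimmer Scanner app or its author) of that passive triage step over a constructed, hcitool-style scan listing: it parses address/name pairs, flags default-named modules as candidates that still need verification, and separates out the benign consumer devices the thread mentions. The device names, addresses and the benign-prefix list are assumptions made for the example; the active verification commands are deliberately not part of it.

```python
import re
from dataclasses import dataclass

# Constructed sample of `hcitool scan`-style output (address, tab, name).
# Every address and name here is made up for this example.
SAMPLE_SCAN = """\
Scanning ...
\t00:11:22:33:44:55\tHC-05
\tAA:BB:CC:DD:EE:01\tBose Mini II SoundLink
\tAA:BB:CC:DD:EE:02\tTile
\tAA:BB:CC:DD:EE:03\tn/a
"""

# Default advertised name of the off-the-shelf Bluetooth serial module that
# the thread says these skimmers use unmodified. A name match alone is only
# a candidate; the thread explains a separate serial handshake confirms it.
DEFAULT_MODULE_NAMES = {"HC-05"}

# Devices the thread reports as benign false positives (speaker, key finder).
# Assumption: matching on name prefix is enough to recognise them here.
KNOWN_BENIGN_PREFIXES = ("Bose", "Tile")

# One scan line: optional leading whitespace, a 48-bit address, then the name.
LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+(.*?)\s*$")


@dataclass(frozen=True)
class Device:
    address: str
    name: str


def parse_scan(text: str) -> list[Device]:
    """Extract (address, name) pairs; header lines such as 'Scanning ...' are skipped."""
    devices = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            devices.append(Device(m.group(1), m.group(2)))
    return devices


def classify(device: Device) -> str:
    """Passive triage only: 'candidate' means 'verify before believing it'."""
    if device.name in DEFAULT_MODULE_NAMES:
        return "candidate"
    if device.name.startswith(KNOWN_BENIGN_PREFIXES):
        return "benign"
    return "unknown"  # unnamed or unrecognised; not evidence of a skimmer


def triage(text: str) -> dict[str, str]:
    """Map each scanned address to its triage verdict."""
    return {d.address: classify(d) for d in parse_scan(text)}


if __name__ == "__main__":
    for address, verdict in triage(SAMPLE_SCAN).items():
        print(f"{address}\t{verdict}")
```

Run against the constructed listing, the HC-05 entry is the only candidate, the Bose speaker and the Tile are reported as benign, and the unnamed device is left as unknown rather than flagged. That split matters for anyone reading the app's output: a default-name hit is a reason to not use that pump and to report it, not proof on its own, which is exactly why the app follows it with the serial check described above.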


So, I just need a Bluetooth scanner, a terminal, and a shell script to easily locate and pull the cc#s from one of these skimmers. It'd be slightly more difficult with an Android phone or tablet, but super easy with a Linux, Mac, or Windows laptop.

A good samaritan could routinely delete the stored numbers with that tilde command. Too bad they didn't figure out how to push data into memory via the BT interface because what would really ruin the skimmer-peoples' day would be to delete the stored numbers and then fill up the memory with bogus data.
posted by Ivan Fyodorovich at 9:58 AM on September 21, 2017

