Detecting Credit Card Skimmers

Modern credit card skimmers hidden in self-service gas pumps communicate via Bluetooth. There's now an app that can detect them:

The team from the University of California San Diego, who worked with other computer scientists from the University of Illinois, developed an app called Bluetana which not only scans and detects Bluetooth signals, but can actually differentiate those coming from legitimate devices -- like sensors, smartphones, or vehicle tracking hardware -- from card skimmers that are using the wireless protocol as a way to harvest stolen data. The full details of what criteria Bluetana uses to differentiate the two aren't being made public, but its algorithm takes into account metrics like signal strength and other telltale markers that were pulled from data based on scans made at 1,185 gas stations across six different states.

Posted on August 26, 2019 at 6:41 AM • 33 Comments

Comments

ts • August 26, 2019 9:28 AM

Makes you wonder how widespread this is, and what other countries are affected by such skimmers.
Though credit cards are quite "American" by comparison.

Scared • August 26, 2019 10:10 AM

@ts
The big risk is with debit cards: you are responsible for the loss and knowing the combination of card data and a PIN code can yield several 1000 $$ before it's detected.
A fraudulent credit card transaction is the credit card company's loss.

Tim • August 26, 2019 10:39 AM

DETSEC.org did this amateur style using a Pi3 and Ubertooth-One last year. The SparkFun App used hardcoded bluetooth IDs and did not detect skimmers unless they ID as HC-05. Skimmer Scanning works best at night to cut down on the chatter. We presented the findings in our Sept 2018 meetup and helped a group of high school STEM students plan and execute a similar project.


Great Scott Gadgets makes the UberTooth One
https://greatscottgadgets.com/ubertoothone/

V • August 26, 2019 10:43 AM

My bank installed a new ATM with a very flat face. Maybe it was designed that way to make any card skimmer more obvious?? Gas pump designers could use the same trick.

metaschima • August 26, 2019 11:50 AM

One thing I do from previous research papers posted here is I put a thin piece of transparent tape over the card's magnetic band. This will prevent the majority of skimmers from reading the card, the only problem is that it may prevent some card readers on older gas pumps from also reading the card. That's ok, if that happens I pay inside. I will also be using an app to scan for common skimmers now that I know about it, thanks.

Felix Tyson • August 26, 2019 12:37 PM

@V From the second article it sounds like some card skimmers are installed entirely inside the machine with no outside-facing visible parts:

Criminals break into the pumps, many of which can be opened using a universal master key, to install the skimmers. Skimmers are connected to both the keypad and the magnetic stripe reader inside the gas pump.

E.M.H. • August 26, 2019 1:22 PM

Be aware, folks, that this app is not available to the public. As noted in the UCSD press release:

Bluetana was developed with technical input from the United States Secret Service and is only available to gas pump inspectors. It will not be available to the general public. It is now used by agencies in several states.

So unless some of us reading this are pump inspectors, we can't get our hands on this easily. Just an FYI.

Tatütata • August 26, 2019 2:07 PM

I routinely checked out what the SOTA for ATM skimmers is in patents, and was slightly shocked that among the top results in the list was a family belonging to Capital One Services LLC, claiming a priority date of 28 January 2014, and with members in US, EP, and CA. I was more expecting to find implements on the card readers themselves.

There are already four issued enforceable US patents, with the title "ATM skimmer detection based upon incidental RF emissions".

More might be on the way in the US, but I can't find out, as the USPTO web site is at this moment overloaded.

US9892600
US10121330
US10186119
US10388118

Claim 1 of US9892600 reads:

1. A system for detecting ATM skimmers comprising: an antenna located within communication range of an ATM, configured to:

detect one or more radio frequency (RF) signals, the RF signals comprising at least one or more signals emitted by the ATM, and
transmit the RF signals to a receiver; and
a receiver, comprising:

a memory storing instructions; and
one or more processors that execute the instructions to perform one or more operations for detecting ATM skimmers, the operations including:

receiving RF signal data corresponding to the one or more detected RF signals,
determining one or more unidentified RF signals of the detected ATM RF signals that differ from one or more baseline RF signals,
determining whether the one or more unidentified RF signals are present for a predetermined period of time, and
determining whether a skimmer is present at the ATM based on a determination that the one or more unidentified RF signals are present for the predetermined period of time and based on a determination that the one or more unidentified RF signals match one or more RF signals of a known skimmer.

The claim of the "method" type would potentially cover infringement by both the supplier of detection software and its user.

The later three patents appear to be mere linguistic variations of the initial one.

Without spending too much time in parsing the claimed subject-matter, I would say that one should watch out for nasty cease-and-desist letters...

Tatütata • August 26, 2019 2:32 PM

If I were the scammer, I would move about the frequency of the Bluetooth transmitter right out of the 2.4 to 2.4835 GHz band, which has a 3.3% fractional bandwidth.

So changing the frequency of the master clock by plus or minus three point something percent should put the skimmer right out of the range of standard phones on which the detection app would be installed. (But then, if the phone is modified to operate beyond the standard ISM band, the skimmer signal would really stand out.) (Incidentally, I discovered today that you can turn your Raspberry Pi 3 into a SDR with just the on-board chipset. I also ordered a Pi 4, quad 64 bit ARM with 4GB memory, I have to see that from close)

A Qualcomm data sheet indicates that their chips expect two clocks: a 16MHz master clock for operating, and a 32kHz one for keeping the time during sleeping periods.

As modules are produced in high volumes, I would expect the RF components to have wide tolerances, i.e., the antenna is low-Q, and the LO VCO should cover the range. You would probably lose a few dB in the ceramic RF filter, if you don't just bypass it entirely. (If you're going to be a scofflaw, why not go all the way?)

If you're not able to fix a Bluetooth module with your propane torch, an "ecosystem" will surely pop up.

Another solution would be to forgo entirely Bluetooth, and roll your own wideband, low LPI, DSSS transmitter.

Tatütata • August 26, 2019 2:40 PM

One last thing: what's with the name "Bluetana"? Did they get one past the censor, or what?

Tatütata • August 26, 2019 3:18 PM

A probably even simpler workaround: just get away from Bluetooth, and buy a Raspberry Pi Zero W, which is almost as cheap.

The Pi Zero is 65mm × 30mm × 5mm, whereas the first Bluetooth/WiFi module I could find is 18mm × 25.5mm × 3mm.

I suppose that open-source software could be modified to keep the Zero's wireless interface silent, except when specifically solicited.

Chris • August 26, 2019 3:42 PM

Or
Part-1
# SENSOR-4 BLUETOOTH (BUILTIN RASPBERRY NO EXTRA HW NEEDED) (SOMEWHAT BUGGY)
hcitool lescan --duplicates |grep -E "00:0B:CE|20:16:09" >> /home/droid/skimmer.out &
killall detect-skimmer.sh
sleep 3
/home/droid/detect-skimmer.sh &
echo 012 Sensor-4 Skimmer Detector via alarm.sh >> /root/boot.log

Part-2
#!/bin/bash

# Bluetooth Skimmer Detector
# MAC Address triggers in /root/alarm.sh
watch -n 0.1 -d -t -g ls -l /home/droid/skimmer.out && echo -e '\033[1;36m'"Sensor-4 SKIMMER Detected" >> /home/droid/terminal.log && date --rfc-3339=seconds >> /home/droid/terminal.log && echo "BLUE$ && aplay -q /home/droid/bat1.wav

# Restart Script
sleep 2
/home/droid/detect-skimmer.sh

Part-3
# Check if boot is finished so we dont run into a Terminate issue
clear
echo "Waiting for Bootsequence to finish please wait"
FILE=/home/droid/boot.finished
if [ -f "$FILE" ]; then
echo "Starting Detector ..."
# Backup Logfile (absolute path, so it matches the tail below regardless of cwd)
cat /home/droid/tetra.log >> /home/droid/terminal-all.log
rm -f /home/droid/terminal.log
touch /home/droid/terminal.log

clear
echo "========================================================="
echo -e '\033[0;32m'' Displaying last 8 messages since last scan '
echo " Detector Scanning for Signals "
echo "========================================================="
tail -n32 /home/droid/terminal-all.log
tail -f /home/droid/terminal.log

else
sleep 1
/home/droid/droid.sh
fi

--
Some code missing but basically so...
//C.L//

Lomax • August 26, 2019 3:58 PM

@Peter A. : Better than that, next year:

following the release of CC-skimmer detectors, the devices were modified to just store the data and keep the bluetooth in a dormant state through the day. Once its clock hits a time configured earlier, around the time the gas station is closed (or has low traffic in case of 24 hours stations), it will wake up and transmit all the day's data.

Chris • August 26, 2019 4:07 PM

@ Tatütata
I discovered today that you can turn your Raspberry Pi 3 into a SDR with just the on-board chipset
--
Thx!

lurker • August 26, 2019 4:25 PM

Doesn't a chip'n'pin card make skimming a step change more difficult? I s'pose it doesn't matter when skimming is just a cost of doing business...

Chris • August 26, 2019 4:38 PM

Lomax, makes sense that they would do that, but a scanner is still mitigating it.
It just won't work for a customer passing by if not activated, but it would work if it's a permanent install at the ATM etc...

What we lack is vendor IDs; that Krebs on Security link shows one more vendor ID,
so now I have 3, but there must be many more out there. Someone here might know them and post
them for public knowledge.

hcitool lescan --duplicates |grep -E "00:0B:CE|20:16:09|20:18:08"
//C.L//
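The two ideas in this thread (the Bluetana description in the post, which scores scan results on signal strength and other markers, and Chris's grep on known MAC prefixes) can be combined into a small triage routine. The following is an added example, not Bluetana's algorithm (whose criteria are not public) and not Chris's code. It assumes a constructed scan-log line format of "timestamp MAC name RSSI" (hcitool lescan itself prints only MAC and name), uses the three OUI prefixes Chris posted as a watchlist, and adds HC-06 to the HC-05 module name mentioned by Tim as an assumption. All MAC addresses and readings below are made up.

```python
import re
from dataclasses import dataclass, field
from statistics import mean

# Constructed scan log for the example: "<ISO time> <MAC> <advertised name> <RSSI dBm>".
# This line layout is an assumption; real tooling would have to be made to emit it.
SCAN_LOG = """\
2019-08-26T22:14:03 00:0B:CE:12:34:56 HC-05 -58
2019-08-26T22:14:05 C4:7D:CC:01:02:03 Galaxy_S9 -71
2019-08-26T22:14:07 00:0B:CE:12:34:56 HC-05 -60
2019-08-26T22:14:09 00:1A:7D:AA:BB:CC FuelTracker -85
2019-08-26T22:14:11 C4:7D:CC:01:02:03 Galaxy_S9 -88
2019-08-26T22:14:13 00:0B:CE:12:34:56 HC-05 -57
2019-08-26T22:14:15 20:18:08:9A:8B:7C (unknown) -62
2019-08-26T22:14:17 20:18:08:9A:8B:7C (unknown) -64
"""

# OUI prefixes posted in the thread. A watchlist hit is one indicator, not proof:
# the same modules turn up in plenty of legitimate hobby hardware.
WATCHLIST_OUIS = {"00:0B:CE", "20:16:09", "20:18:08"}
# Serial-over-Bluetooth module names; HC-05 is from the thread, HC-06 is an assumption.
MODULE_NAMES = {"HC-05", "HC-06"}

LINE_RE = re.compile(
    r"^(\S+)\s+([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+(\S+)\s+(-?\d+)$"
)


@dataclass
class Device:
    mac: str
    name: str
    rssi: list = field(default_factory=list)
    first_seen: str = ""
    last_seen: str = ""


def parse_scan_log(text):
    """Aggregate sightings per MAC; malformed lines are skipped, not fatal."""
    devices = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, mac, name, rssi = m.groups()
        mac = mac.upper()
        dev = devices.setdefault(mac, Device(mac=mac, name=name, first_seen=ts))
        dev.rssi.append(int(rssi))
        dev.last_seen = ts
    return devices


def score_device(dev, min_sightings=3, strong_rssi=-65):
    """Return the list of indicators a device trips (thresholds are assumptions)."""
    reasons = []
    if dev.mac[:8] in WATCHLIST_OUIS:
        reasons.append("OUI on watchlist")
    if dev.name in MODULE_NAMES:
        reasons.append("serial module name")
    # A device that keeps reappearing while the scanner sits at one pump is more
    # interesting than a phone walking past; RSSI near the pump suggests it is inside it.
    if len(dev.rssi) >= min_sightings:
        reasons.append("persistent")
    if mean(dev.rssi) >= strong_rssi:
        reasons.append("strong signal")
    return reasons


def triage(text, threshold=2):
    """Return {mac: reasons} for devices with at least `threshold` indicators."""
    flagged = {}
    for mac, dev in parse_scan_log(text).items():
        reasons = score_device(dev)
        if len(reasons) >= threshold:
            flagged[mac] = reasons
    return flagged


if __name__ == "__main__":
    for mac, reasons in triage(SCAN_LOG).items():
        print(mac, "->", ", ".join(reasons))
```

Run at a stationary scan point, the two watchlisted devices are flagged and the passing phone and the distant tracker are not. The point of requiring more than one indicator is exactly Lomax's and Godel's objection: a MAC prefix alone is easy to change, so a detector that keys on a single marker is brittle, and anything flagged still needs an inspector to open the pump.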

Godel • August 26, 2019 6:13 PM

I think I read in the Krebs article that the newer varieties of skimmers are ditching Bluetooth and going to 3G phone chips, reporting in once a day.

Clive Robinson • August 26, 2019 7:05 PM

@ Godel,

the newer varieties of skimmers are ditching Bluetooth and going to 3G phone chips, reporting in once a day.

Mobile phone modules are very cheap and you can get them working with an Arduino Nano with little effort.

As such, the first case I remember of using mobile phone modules was inside ePos terminals "as new" from China, supplied to an English supermarket chain.

As for Bluetooth, there is a lot of it around. But it is not that discreet, and it's really not that difficult to break into.

Thoth • August 26, 2019 8:27 PM

Apps that detect smart card skimmers are not new. There are those anti-shimming shields that the banks equip on their ATMs and that's still not good enough.

Maybe we should just put the stash of cash and gold bars in the attic ceiling and basement and when we need money we could grab some from the usual hiding place as long as there is no theft or natural disasters right ?? Or maybe we could split them up and hide them to minimize risk ??

The EMV standards are not lacking in security protocols to encrypt and sign transactions and to provide a moderate defense against skimmers.

The problem is the banks are refusing to play along to upgrade their protocols blaming on the complexity and cost to upgrade to modern security protocols and standards for card based transactions.

Most cards are still operating on 2 Key 3DES and yes ... only 2 Key, not 3 Key. Even the encryption on the POS terminals is using 2 Key for most of them, despite the fact that 3 Key 3DES is already available and especially AES-128 and even 256-bit keyed modes have been proposed, with the specs written and left in the cold for many years, because most of the banks are simply too lazy (with tonnes of excuses) to migrate.

The legacy CARD NOT PRESENT mode of operation is still being used and in demand, and EMV has not yet pushed it out of support. That means that with only the card's banking details (i.e. the Card Application Number) embossed on the front of the card, or a card's CVV code and Cardholder's name, you could pretend to be the cardholder. It has long been known that this publicly known information printed and embossed on the front and back of cards is never secure, since anybody picking up one of your cards, or taking a glimpse at it while you dig through your wallet or handbag for the suitable card for a nice discount, could pretend to be you.

The CARD PRESENT mode, which requires a physical card and a user to enter the PIN, is more secure due to the fact that the 3DES key in the card is used to sign a random nonce and the protocol is encrypted with 3DES.

The one thing a card skimmer cannot do is extract the 3DES key directly from the tamper resistant chip. Although the fake PINpad could steal the user's PIN codes, without the uniquely diversified 3DES key the user's PIN codes would still be useless for negotiating a session with the Payment HSM to process the transactions.

The huge caveat is whether the security protocol implementations are done well enough to have no flaws that an attacker can exploit. ATM terminals, payment terminals and backend systems are known to have flaws, and the cards are also not immune to flaws.

The problem is not about creating detection tools. It's just like an anti-virus sitting on your Windows PC when your Windows PC is already full of holes.

Mobile authenticators, biometrics and so on have been hailed as more secure methods for authentication, and the banks and financial enterprises have been peddling these latest and greatest Snake Oils. They are no better, since the underlying layers are still not fixed and they are in fact untested creations, while the plastic cards have been in the market for over 20 or more years.

What it boils down to is the usual topic of Castles and Prisons, secure computations and so forth yet again which myself, @Clive Robinson and many others have posted and contributed.

The underlying layers have to be well done before the top layers can claim the security it markets.

An added side note which I have pointed out is the vulnerability of static QR codes and their weakness of being easy to intercept and change even if there is encryption and signature baked into a static QR code.

The world seems to have taken a liking to QR based transactions, and there are increasing scams and attacks on these static QR codes, which is not surprising at all.

Ismar • August 27, 2019 4:15 AM

“Bluetana was developed with technical input from the United States Secret Service and is only available to gas pump inspectors. It will not be available to the general public. It is now used by agencies in several states.”

Given that the app can be installed on any phone and as such used to automatically notify those in charge via internet, this restriction to having it installed on authorised phones only makes little sense, but then again very few government policies do ...

VinnyG • August 27, 2019 2:31 PM

@metaschima re: gas pump skimmer avoidance - A possible flaw in your procedure is the chance that the wetware behind the counter is also compromised (in cahoots with the skimmer operator.) I don't know the stats, but I suspect the probability is significant.

metaschima • August 27, 2019 2:54 PM

@VinnyG

Yes, I suspect it also and have had several encounters at shady establishments that I strongly suspect skimmed my card. However, assuming that the EMV chip is harder to skim no matter the terminal used I'd say it's still useful unless they capture my card info in another way.

Chris • August 27, 2019 6:11 PM

@Tatütata
Thanks again for the Pi3 SDR thread.
It also seems possible with some Samsung phones, which together with Python should make it sing; it so seems that at least the Samsung S2 and Samsung S4, among some other hardware, have that same chipset. That little hack made my Alpha dongle obsolete and I can now do some wifi stuff natively in the Raspberry, so thanks for that again.

--
Makes the Alpha card obsolete
--
# SENSOR-5 WIFI-02 DRONE DETECTOR SAAB
# in progress (Needs a separate WIFI Card such as Alpha)
#/usr/bin/python /home/droid/subtype4.py |grep -E "00:A0:D5|A8:CC:C5|00:40:85|00:E0:CD|00:13:68" >> /home/droid/wifi02.out &
#killall detect-wifi02.sh
#sleep 3
#/home/droid/detect-wifi02.sh &
#echo WIFI02 via alarm.sh >> /root/boot.log

# SENSOR-5 WIFI-02 DRONE DETECTOR STANDARD BASIC DRONES
# in progress (Needs a separate WIFI Card such as Alpha)
#/usr/bin/python /home/droid/subtype4.py |grep -E "A0:14:3D|90:3A:E6|00:26:7E|00:12:1C|90:03:B7|4C:0F:C7|24:72:60|EC:3D:FD|28:F3:66|E0:B9:4D|8A:DC:96|60:60:1F|08:EA:40|90:97:D5|08:EA:40|4C:0F:C7|00:7E:56|B0:$
#killall detect-wifi03.sh
#sleep 3
#/home/droid/detect-wifi03.sh &
#echo WIFI03 via alarm.sh >> /root/boot.log

# SENSOR-5 WIFI-01 DRONE DETECTOR AEROVIRONMENT
# in progress (Needs a separate WIFI Card such as Alpha)
#/usr/bin/python /home/droid/subtype4.py |grep -E "00:1E:96" >> /home/droid/wifi04.out &
#killall detect-wifi04.sh
#sleep 3
#/home/droid/detect-wifi04.sh &
#echo WIFI04 via alarm.sh >> /root/boot.log

Chris • August 27, 2019 6:14 PM

I have many detectors ...
these are just a part of what I scan today,
but at least you get the point.
have a nice day
//C.L//

Chris • August 27, 2019 6:32 PM

Oh and btw, regarding the GSM sending devices on the gas pumps, you can scan the IMEI address too; however, it's more of a hardware hassle since you need more hardware. A single rtlsdr stick is not enough, but it's not difficult at all.

Chris • August 27, 2019 6:35 PM

Re IMEI scanning devices: turn off your phones! It's, as I said, not difficult and easy to track a person, so.. what more do I have to say, I have code for that too.

Sam • August 27, 2019 9:40 PM

@Thoth

You're making a point about the crypto security of EMV when gas pumps don't even use EMV because it costs a bundle to upgrade them. The mag stripe systems used RS-422 on twisted pair phone cable and to upgrade to handle the higher bandwidth requirements of EMV, they have to rip and replace the wiring and conduit.

Gas pumps are considered hazardous locations due to the flammability of fuel vapors, so every single piece has to be tested and certified as to not cause a spark and explosion. Plus fuel sales are low margin; most gas stations would go bankrupt without selling full-priced coffee and beer. They can't afford the $30k per pump replacement.

In fact, not only is crypto not the weakest point, the overly complex EMV protocol and its support of offline transactions caused this mess. If they just stuck with the simple rotating CVV system that Contactless/MCE uses, you'd get 99% of the security (i.e. just enough to shift fraud to online card-not-present) with very little upgrade complexity.
