Skim Reaper

A trio of academics from the University of Florida has developed a device that can detect different types of payment card skimmers, devices developed by cyber-criminals to collect data from credit and debit cards inserted into ATMs or gas pump card readers.

The device is named Skim Reaper, and the researchers developed it with the help of the Financial Crimes Task Force of the New York City Police Department (NYPD).

Skim Reaper developed in cooperation with NYPD

Between July 14, 2016, and November 11, 2017, the NYPD collected skimmer devices from across New York and sent them to researchers for study. The research team broke down and analyzed the various types of skimmers that criminal groups had installed across the city.

This included skimmers that crooks installed on top of an ATM or gas pump's mask (called overlay skimmers), skimmers inserted deep inside the ATM/gas pump card slot (called deep insert skimmers), skimmers embedded inside the ATM or gas pump's case (called internal skimmers), and skimmers that tapped into network communications (called wiretap skimmers).

Skimmer device types collected by NYPD

With the knowledge gained from analyzing all these real-world-proven skimming devices, the University of Florida researchers created Skim Reaper, a one-size-fits-all device that can detect all the above-mentioned categories of skimming devices.

How Skim Reaper works

Skim Reaper does this with the help of a so-called "measurement card" that a user can insert into an ATM or gas pump reader's card slot.

With the help of an attached microcontroller, the measurement card detects the number of read heads as the card enters the ATM or gas pump reader.

If it detects one read head, the ATM or gas pump reader is deemed safe. If it detects two, a skimmer is present.
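
The decision rule above, sketched in C as an added illustration; this is not the researchers' firmware or code from their paper. The article does not say how the card senses a read head, so the sampled 0/1 contact signal, the debounce threshold, the "inconclusive" verdict and all names below are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed signal model (not from the article): the microcontroller samples a
 * sensing strip on the measurement card; 1 = something is pressing on it. */
#define DEBOUNCE_SAMPLES 3 /* assumed: a level must hold this long to count */

typedef enum { READER_SAFE, SKIMMER_PRESENT, INCONCLUSIVE } verdict_t;

/* Count distinct contacts during one insertion, ignoring short glitches. */
int count_read_heads(const uint8_t *samples, size_t n) {
    int heads = 0;
    uint8_t stable = 0; /* debounced level */
    size_t run = 0;     /* consecutive samples that disagree with `stable` */
    for (size_t i = 0; i < n; i++) {
        uint8_t level = samples[i] ? 1 : 0;
        if (level == stable) { run = 0; continue; }
        if (++run >= DEBOUNCE_SAMPLES) {
            stable = level;
            run = 0;
            if (stable) heads++; /* debounced rising edge = one read head */
        }
    }
    return heads;
}

/* Article's rule: one head is the reader's own, two means a skimmer.
 * Any other count is outside that rule, so it is reported as inconclusive
 * (an assumption: e.g. card not fully inserted, or a faulty trace). */
verdict_t classify(int heads) {
    if (heads == 1) return READER_SAFE;
    if (heads == 2) return SKIMMER_PRESENT;
    return INCONCLUSIVE;
}

/* Constructed sample traces, not real measurements. */
static const uint8_t ONE_HEAD[]  = {0,0,1,0,1,1,1,1,1,0,0,0,0};
static const uint8_t TWO_HEADS[] = {0,1,1,1,1,0,1,1,0,0,0,0,1,1,1,1,0,0,0};
static const uint8_t NOISE[]     = {0,1,0,0,1,1,0,0};

int main(void) {
    static const char *names[] = {"safe", "skimmer present", "inconclusive"};
    printf("one head:  %s\n", names[classify(count_read_heads(ONE_HEAD, sizeof ONE_HEAD))]);
    printf("two heads: %s\n", names[classify(count_read_heads(TWO_HEADS, sizeof TWO_HEADS))]);
    printf("noise:     %s\n", names[classify(count_read_heads(NOISE, sizeof NOISE))]);
    return 0;
}
```

The debounce step matters because a single bouncing contact that is counted twice would turn a clean reader into a false skimmer alert.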

Researchers say their Skim Reaper device detects all the types of skimmers collected by NYPD officers in the past year with a 100% success rate.

Skim Reaper already used by NYPD officers

The research team has already equipped the NYPD Financial Crimes Task Force with Skim Reaper devices, according to Patrick Traynor, one of the Florida researchers.

Traynor says he's willing to provide Skim Reaper devices to other law enforcement agencies. If the device is as successful as it appears, Skim Reaper may also find a market in the financial sector, where banks may be interested in equipping their support technicians as well.

According to a recent report, hackers have increasingly targeted gas pump card readers in recent months.

Skim Reaper better than existing Bluetooth-based solutions

Earlier this year, an electronics engineer created an Android app that could detect skimmer devices using the phone's Bluetooth connection.

This method of using phones to detect Bluetooth communications coming off a skimmer is very popular, and law enforcement has often recommended it in the past.

But the Florida researchers say that this method is not as efficient as previously believed.

"Despite the prevalence of smartphone applications which claim to detect skimmers via Bluetooth, only 7 of 35 (20%) of the skimmers recovered by NYPD had wireless data retrieval capability," the research team says. "The majority of skimmers detected (71%) use serial, SPI, or I2C communication to download the data [they collect/steal]."

Award-winning research

The research team presented their work yesterday at the 27th Usenix Security Symposium, held in Baltimore, USA.

Their paper, entitled "Fear the Reaper: Characterization and Fast Detection of Card Skimmers," won the conference's Distinguished Paper Award. The full whitepaper is available to download for free.

