A trio of academics from the University of Florida has developed a device that can detect different types of payment card skimmers, which are devices developed by cyber-criminals to collect data from credit and debit cards inserted into ATMs or gas pump card readers.
The device's name is Skim Reaper, and researchers developed the device with the help of the Financial Crimes Task Force of the New York City Police Department (NYPD).
Between July 14, 2016, and November 11, 2017, the NYPD collected skimmer devices from across New York and sent them to researchers for study. The research team broke down and analyzed the various types of skimmers that criminal groups had installed across the city.
This included skimmers that crooks installed on top of an ATM or gas pump's mask (called overlay skimmers), skimmers inserted deep inside the ATM/gas pump card slot (called deep insert skimmers), skimmers embedded inside the ATM or gas pump's case (called internal skimmers), and skimmers that tapped into network communications (called wiretap skimmers).
With the knowledge gained from analyzing all these real-world skimming devices, the University of Florida researchers created Skim Reaper, a one-size-fits-all device that can detect all the above-mentioned categories of skimming devices.
Skim Reaper does this with the help of a so-called "measurement card" that a user can insert into an ATM or gas pump reader's card slot.
With the help of an attached microcontroller, the measurement card detects the number of read heads as the card enters the ATM or gas pump reader.
If it detects one, the ATM or gas pump reader is deemed safe. If there are two, this means a skimmer is present.
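The counting rule described above, sketched as an added example (not the researchers' firmware or code from the paper). It assumes the microcontroller samples a single binary line that reads 1 while the card touches a read head; the function names, thresholds and sample traces are hypothetical, and treating zero heads as inconclusive and more than two as a skimmer are assumptions the article does not state.

```c
#include <stddef.h>
#include <stdio.h>

/* Added illustration, not Skim Reaper firmware. Assumption: the
   microcontroller samples one binary line that reads 1 while the
   measurement card touches a read head and 0 otherwise. */
enum verdict { INCONCLUSIVE, READER_CLEAN, SKIMMER_SUSPECTED };

/* Count contact events. Gaps shorter than min_gap samples are contact
   bounce inside one head; events with fewer than min_run high samples
   are noise. Both thresholds are hypothetical tuning values. */
int count_read_heads(const unsigned char *trace, size_t n,
                     size_t min_run, size_t min_gap)
{
    int heads = 0, in_event = 0;
    size_t run = 0, gap = 0;
    for (size_t i = 0; i < n; i++) {
        if (trace[i]) {
            if (!in_event) { in_event = 1; run = 0; }
            run++;
            gap = 0;
        } else if (in_event && ++gap >= min_gap) {
            if (run >= min_run) heads++;
            in_event = 0;
        }
    }
    if (in_event && run >= min_run) heads++;  /* trace ended mid-contact */
    return heads;
}

/* One head is the reader's own; a second means something else is
   reading the stripe. Zero heads means the swipe told us nothing. */
enum verdict classify(int heads)
{
    if (heads <= 0) return INCONCLUSIVE;
    return heads == 1 ? READER_CLEAN : SKIMMER_SUSPECTED;
}

/* Constructed sample traces (not captured from real hardware). */
static const unsigned char clean_trace[]   = {0,0,1,1,1,1,0,1,1,0,0,0,0,0};
static const unsigned char skimmed_trace[] = {0,1,1,1,1,0,0,0,0,1,0,0,0,0,1,1,1,1,1,0,0};

int main(void)
{
    printf("clean:   %d head(s)\n", count_read_heads(clean_trace, sizeof clean_trace, 3, 3));
    printf("skimmed: %d head(s)\n", count_read_heads(skimmed_trace, sizeof skimmed_trace, 3, 3));
    return 0;
}
```

In the skimmed trace, the single-sample blip between the two contacts is rejected as noise, so the count stays at two rather than three.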
Researchers say their Skim Reaper device detects all the types of skimmers collected by NYPD officers in the past year with a 100% success rate.
The research team has already equipped the NYPD Financial Crimes Task Force with Skim Reaper devices, according to Patrick Traynor, one of the Florida researchers.
Earlier this year, we partnered with the NYPD's Financial Crimes division, who are now using the #skimreaper throughout the City of New York to get rid of skimmers before they can rip off folks like you and me. They've even already found one! 3/ @NYPDnews — Patrick Traynor (@patrickgtraynor) May 9, 2018
Traynor says he's willing to provide Skim Reaper devices to other law enforcement agencies. If the device is as successful as it appears, Skim Reaper may also find a growing market in the financial sector, where banks may be interested in equipping their support technicians as well.
However, to get these devices out into the hands of the folks that need them, we’re going to need help. Friends in law enforcement, please reach out directly to us - we want to get this tool to you. 8/ — Patrick Traynor (@patrickgtraynor) May 9, 2018
According to a recent report, hackers have increasingly targeted gas pump card readers in recent months.
Earlier this year, an electronics engineer created an Android app that could detect skimmer devices using the phone's Bluetooth connection.
This method of using phones to detect Bluetooth communications coming off a skimmer is very popular, and law enforcement has often recommended it in the past.
But the Florida researchers say that this method is not as effective as has been believed until now.
"Despite the prevalence of smartphone applications which claim to detect skimmers via Bluetooth, only 7 of 35 (20%) of the skimmers recovered by NYPD had wireless data retrieval capability," the research team says. "The majority of skimmers detected (71%) use serial, SPI, or I2C communication to download the data [they collect/steal]."
The research team presented their work yesterday at the 27th Usenix Security Symposium, held in Baltimore, USA.
Their paper, entitled "Fear the Reaper: Characterization and Fast Detection of Card Skimmers," won the conference's Distinguished Paper Award. The full whitepaper is available to download for free.
Congratulations to #usesec18 Distinguished Paper Award Winner "Fear the Reaper: Characterization and Fast Detection of Card Skimmers" by Nolen Scaife, Christian Peeters & Patrick Traynor, all of @UF! pic.twitter.com/ETuEMa2BWV — USENIX Security (@USENIXSecurity) August 15, 2018