Skimmer Scanner, a start to protecting yourself at the pump

Subject: General Tech | September 25, 2017 - 01:12 PM
Tagged: skimmer scanner, security, bluetooth

If you haven't seen the lengths to which scammers will go when modifying ATMs to steal your bank info, you should really take a look at these pictures and get in the habit of yanking on the ATM's fascia and keypad before using it. Unfortunately, as Hack a Day posted last week, the bank is not the only place you have to be cautious; paying at the pump can also expose your details. In this case it is not a fake front you need to worry about. Instead, a small PIC microcontroller is attached to the serial connection between the card reader and the pump computer, where it can read the unencrypted PIN and card data and store the result in an EEPROM for later collection. The device often has Bluetooth connectivity, so the scammers don't need to drive right up to the pump to retrieve what it has captured.

There is an app you can download that might help stop this: an app on Google Play will detect Bluetooth devices using the standard codes the skimmers use and alert you. You can then tweet out the location of the compromised pump to alert others, and hopefully let the station owner and the authorities know as well. The app could be improved with automatic reporting and other tools, so check it out and see if you can help improve it, as well as keeping your PIN and account safe when fuelling up.


"It would be nice to think that this work might draw attention to the shocking lack of security in gas pumps that facilitates the skimmers, disrupt the finances of a few villains, and even result in some of them getting a free ride in a police car. We can hope, anyway."

Source: Hack a Day

September 25, 2017 | 01:42 PM - Posted by psuedonymous

This is mostly a problem in the US, where EMV has STILL yet to roll out as standard. In other nations where EMV is the standard (e.g. anywhere in Europe) internal communications are mandated as encrypted at all times, so this attack cannot work.

Security of magstripe-based cards is based on pinky-swearing not to look at the plaintext secret numbers.

September 25, 2017 | 03:51 PM - Posted by TheyWillPhotographYourCardBruteForceThePIN (not verified)

Yes, but on those chipped/chip-enabled cards the readers hang mostly on the outside of the autoteller, and folks can place little cameras near where you insert your chipped card (you have to leave your card in the reader with the card's printed 16-digit number exposed so the reader can interface with the card's chip)! And they can at least read (snap a digital photo of) the full embossed numbers off your credit/debit card and then try to hack the 4-digit PIN online.

I had this happen to me, and now I'll only use the autoteller machines that pull the card completely inside the autoteller machine. Those chipped cards have to remain in the reader to work, and a picture of the card's full 16-digit number can be snapped by a micro-camera positioned in the right place that can be paired up with a smartphone, and that's how someone got my debit card's full 16-digit number. [I only use my card for cash withdrawals at my bank's autoteller machines and only make cash purchases or pay bills with money orders.]

And then I get a call from my financial institution saying that someone was trying to use the card's 16-digit-number/attempted-PIN combinations thousands of miles from where I lived. They try to brute-force hack your 4-digit PIN by going online once they know the full 16-digit card number, trying a different PIN combination at a different retailer with each attempt. And if your financial institution's system does not watch for that brute-forcing pattern across different retailers, they can still force their way in.

The autoteller machines that do not pull the card entirely inside the autoteller's body leave the card's embossed numbers open to being photographed digitally if the autoteller's chip reader is not fully inside the body of the autoteller. So the card makers need to stop using any embossed numbers and provide some sticky-tape covers to place over the card's 16-digit number that is printed (not embossed) on the card.

Those micro-cameras need to be regulated like locksmithing tools so people cannot legally have that technology without a license, because those micro spy cameras are so small they can be fitted in some very tight places and paired up with a smartphone.
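As an added illustration of the cross-retailer pattern this comment says an issuer should watch for (example code written for this page, not code from the article, the app, or any commenter): a sliding-window velocity check over a constructed authorisation log that flags a card token with repeated PIN declines at several distinct merchants inside a short window. The log format, the card tokens and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an issuer's authorisation log, one event per line:
# "timestamp|card_token|merchant_id|result". Tokens stand in for hashed PANs.
SAMPLE_LOG = """\
2017-09-25T18:00:05|tok_A|merch_101|DECLINED_PIN
2017-09-25T18:00:41|tok_A|merch_102|DECLINED_PIN
2017-09-25T18:01:17|tok_A|merch_103|DECLINED_PIN
2017-09-25T18:01:58|tok_A|merch_104|DECLINED_PIN
2017-09-25T18:02:33|tok_A|merch_105|DECLINED_PIN
2017-09-25T18:03:10|tok_A|merch_106|APPROVED
2017-09-25T18:00:12|tok_B|merch_201|DECLINED_PIN
2017-09-25T18:00:30|tok_B|merch_201|APPROVED
2017-09-25T18:45:00|tok_C|merch_301|DECLINED_PIN
2017-09-25T19:50:00|tok_C|merch_302|DECLINED_PIN
2017-09-25T20:55:00|tok_C|merch_303|DECLINED_PIN
"""

def parse_log(text):
    """Parse the pipe-separated log into (timestamp, token, merchant, result)."""
    events = []
    for line in text.splitlines():
        ts, token, merchant, result = line.split("|")
        events.append((datetime.fromisoformat(ts), token, merchant, result))
    events.sort()  # chronological order is required by the sliding window
    return events

def flag_pin_bruteforce(events, window=timedelta(minutes=10),
                        min_declines=4, min_merchants=3):
    """Return {card_token: (declines, distinct_merchants)} for every card whose
    PIN declines, within some sliding window, reach both assumed thresholds.
    A single wrong PIN at one shop (tok_B) or declines hours apart (tok_C) do
    not trigger; a rapid run across several merchants (tok_A) does."""
    declines_by_card = defaultdict(list)
    for ts, token, merchant, result in events:
        if result == "DECLINED_PIN":
            declines_by_card[token].append((ts, merchant))
    flagged = {}
    for token, declines in declines_by_card.items():
        start = 0
        for end in range(len(declines)):
            # Advance the window start until every decline in it fits the window.
            while declines[end][0] - declines[start][0] > window:
                start += 1
            run = declines[start:end + 1]
            merchants = {m for _, m in run}
            if len(run) >= min_declines and len(merchants) >= min_merchants:
                flagged[token] = (len(run), len(merchants))
                break  # first hit is enough to raise an alert for this card
    return flagged
```

The first window that meets both thresholds raises the alert, so the reported counts are the values at that moment rather than the card's full total.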

September 25, 2017 | 04:17 PM - Posted by Jeremy Hellstrom

TL;DR, but my guess is you completely ignored the pictures of ATMs I linked to.

September 25, 2017 | 05:25 PM - Posted by HowSoChipsEMVsNotSoGreat (not verified)

Not really a reply to your article so much as a reply to the post above saying that those cards with the chips inside were safer, and the card that I used had its full 16-digit number photographed, and it was a chip card only, with no mag-stripe!

So even though I was not ripped off, I still had to cancel the card and get it replaced (pain in the A$$).

They need longer PIN numbers for everyone, as 4 digits is not enough, and something to cover the card's printed/embossed 16-digit account number also, so if you have to leave the card in any reader the card's full 16-digit number cannot be photographed.

September 25, 2017 | 07:34 PM - Posted by Jeremy Hellstrom

Below is a full-insert card reader; the skimmer scans it exactly like the machine does. They do the same to the number pad to capture your PIN, no cameras needed.

Lots of bastards out there.

September 25, 2017 | 09:02 PM - Posted by NotTheKindOfATMsToTrust (not verified)

Yes, that's why I only use the ones at my bank branch that are a simple slot in a metal case, with a slot only about large enough to accept the card, with no big plastic shield, and an ATM that pulls the card all the way inside with a motor. While that one looks (in your photo) to be the kind where the user pushes the card in and it only sits in that plastic holder, with the card's chip-enabled end only actually sitting part of the way into the ATM's metal body (unsafe ATM).

That's why I'll only use the ATMs that are attached directly to my bank branch, that only have a tiny slot that's barely the width and thickness of my ATM card, and where the ATM has geared rollers that pull the card all the way past the card's total length into a reader that's inside the safe that is inside the ATM that is attached to my bank branch's physical building! And I'll only withdraw money from my bank branch's attached ATM and use cash for purchases and money orders to pay bills.

I also have an old-fashioned (Old Fart) passbook savings account that can only be accessed in person with the passbook and ID, with no electronic access allowed from outside the bank's intranet and NO ATM access allowed. I also keep another savings account at another bank that has ATM card access and a checking account where the e-deposits are sent, and that e-deposit account is kept as low as possible most of the time. So bills are not paid with checks even though I have a checking account/direct deposit account; bills are paid with money orders and goods are purchased with cash.

Trust only the ATMs with a simple slot that pull the card fully inside the ATM with a motor, and only the ATMs attached to the bank branch building. But I'm extra careful (paranoid) because even if they do snap a photo of my card they will have to hack my PIN, because I cover the keypad with one hand while I'm entering the PIN with the other, and the ATM that I use pulls the card all the way inside the ATM with its motor, and that flat plain metal slot is hard to fit or hide anything in and around.

But then nothing is totally safe anyway, because Equifax has already spilled everybody's beans for all to see.

September 25, 2017 | 05:34 PM - Posted by SpeakinOfRipoffsInTheBrowser (not verified)

No wonder my 4 cores/8 threads were all pegged at 100%! Oh, the wonderful W3C folks and their ad-driven dystopia of UI madness! And it's all thanks to HTML5's ad/script-friendly standards!

"CBS's Showtime caught mining crypto-coins in viewers' web browsers"

September 26, 2017 | 12:25 PM - Posted by psuedonymous

"And they can at least read(snap a digital photo) of the full embossed numbers off your credit/debit card and then try to hack the 4 digit pin online."

I don't know about the US implementation of EMV, but in the UK a pay-at-pump transaction works like this:

- Insert card into fully-enclosed reader
- Enter PIN (always shield, usually a plastic shield in place anyway)
- Remove card
- Start filling

The card is pre-authorised, then the final actual amount is debited at a later date.

September 26, 2017 | 12:28 PM - Posted by psuedonymous

"And then I get a call from my financial institution saying that someone was trying to use the card's 16 digit-number/attempted-pin combinations thousands of miles from where I lived."

This should not be possible: you can do a Card Not Present transaction using the 16-digit PAN and 3-digit CVV2 (on the rear), and these are treated carefully to monitor for fraud (address checks, most banks use two-factor authentication, etc.). Performing a 'card present' transaction with the PAN and 4-digit PIN is not possible; you need access to the keystore on the chip to perform a transaction with the PIN.

Unless the US has implemented some ass-backwards-half-functioning bastardised version of EMV with all the protections stripped out, which is possible.

September 26, 2017 | 04:09 PM - Posted by can'tlogin (not verified)

American Express helpfully places the CVV on the front of the card, so scammers only need that image and they have all the info. But yes, the "brute-force PIN attempts at multiple retailers" story is hard to understand. Online retailers don't use your PIN #, and it's hard to envision some scammer trying to randomly guess a PIN while standing there under a brick-and-mortar retailer's CCTV cameras.

September 25, 2017 | 02:02 PM - Posted by RadioActiveLobster

I avoid this by not having any money to steal.

September 25, 2017 | 08:23 PM - Posted by FallenBytes

They need to bring that to the mass market under the name:

"Dr. Seuss's Anti-Scammer Skimmer Scanner"

September 25, 2017 | 08:43 PM - Posted by Sasquatch0 (not verified)

I work for a gas station, and every day we check a tamper-evident tape that we have placed over every access on our pumps. Any stress on the tape and it smears. If it's pulled up from the device, it smears. If anything covers the tape, the device is suspect.

September 26, 2017 | 09:05 AM - Posted by overpowerlol

I have 2 accounts. One with all my money in and one without.
I only carry the one card with me (the one that's empty).

When I want to take cash out, I go online, move money from the main account into the empty one and then using my card I take the money out.
That way even if my card gets stolen, there's no money in the account. No overdraft and I cannot take anything out that will reduce the balance past 0.
Job done!
