Computer scientists at the University of California San Diego’s Jacobs School of Engineering have developed a smartphone app that can quickly and accurately detect the presence of an illegal credit or debit card skimmer installed on a gas station pump, reducing inspection times from 30 minutes to just three seconds.
Card skimmers are a problem on all kinds of devices requiring you to insert or slide your plastic, but for ATMs, which are nearly impossible to hack open, and payment terminals inside a store, external hardware has to be added which aren’t that hard to spot if you know what you’re looking for.
Gas station pumps are a different story, however. Some can easily be opened using a universal key which isn’t hard to acquire, allowing the skimming hardware to be installed inside so it’s completely invisible to unsuspecting users. To retrieve the data that’s collected throughout a day, like card numbers and PINs, criminals just need to pull up nearby and download it all over a wireless Bluetooth connection. But it’s that functionality which allows this app to detect the illegal hardware.
The team from the University of California San Diego, who worked with other computer scientists from the University of Illinois, developed an app called Bluetana which not only scans and detects Bluetooth signals, but can actually differentiate those coming from legitimate devices — like sensors, smartphones, or vehicle tracking hardware — from card skimmers that are using the wireless protocol as a way to harvest stolen data.
The full details of what criteria Bluetana uses to differentiate the two isn’t being made public, but its algorithm takes into account metrics like signal strength and other telltale markers that were pulled from data based on scans made at 1,185 gas stations across six different U.S. states.
So far Bluetana has been successfully used to find 42 Bluetooth-based card skimmers installed in gas pumps across three U.S. states, including two that had been operating for almost six months without detection. But don’t expect to be able to whip out your phone and perform a quick security scan the next time you go to fill up your car.
The computer scientists who developed Bluetana worked closely with the United States Secret Service and for the time being, it’s a tool only available to official gas pump inspectors. The concern is that making it available to the public will allow those who design and engineer the card skimming hardware to figure out what it’s specifically scanning for, and find ways to circumvent its effectiveness.