With one swipe of a credit card, you’ve just paid for some gas. You may also have given thieves some very valuable information.
That’s if you’ve just fallen victim to a skimmer.
Card skimmers, which steal your credit or debit card data when you swipe at payment and money machines, have been around for nearly a decade, disguised so you don’t know you’re being duped. The devices have evolved, though, and researchers say they’re now at the point where you really, really can’t tell the difference.
Plus, they’ve swept across the United States at an alarming rate. The number of breached ATMs increased sixfold from 2014 to 2015 and rose again in 2016 by 30 percent, according to FICO, an analytics software company. In June of this year, the Federal Trade Commission put out a public warning, with tips on how you can avoid having your card information stolen.
Hackers have figured out how to create virtual skimmers — malware that’s installed remotely — which let them steal card information without even touching the ATM, fuel pump or other device. It’s an evolution from the physical skimmers, where thieves had to walk up to a machine to plant their hardware hack. In January 2016, one hacking campaign that used virtual skimmers across multiple ATMs netted thieves $13.5 million euros, security firm Trend Micro discovered.
Skimmers are getting harder and harder to notice, according to Mark Nunnikhoven, Trend Micro’s vice president of cloud security. “If a machine has been compromised with software,” he said, “there’s no way you’re able to tell.”
As if you didn’t already have enough to worry about when it comes to computer security.
This year alone has brought a number of threats from all kinds of angles. A few months back, ransomware took over PCs around the world, holding them hostage for payment, and that likely won’t be the last time. Just last week, word came that some versions of the popular CCleaner software had been infected with malware.
Then on the credit card front, there’s that massive Equifax hack, which coughed up sensitive information on nearly half the US population.
When 100 credit card numbers can be sold online for $19 a bundle, it’s easy to see the appeal for cybercriminals. Credit card information is feeding an entire illicit ecosystem, with some thieves even opening online schools to teach the hackers of the future.
Hackers can create virtual skimmers by breaking into a bank’s network — for instance, by tricking an executive into providing access, as Nunnikhoven has seen. Instead of compromising physical ATMs one at a time, hackers can steal from multiple ATMs all at once. And there’s less risk of getting caught.
“ATMs are really just very simple computers that happen to be attached to a box full of cash,” Nunnikhoven said. “We have enough problems securing computers that aren’t attached to cash.”
The gas station problem
Banks are working to stay a step ahead of the thieves, with techniques like introducing chips on cards, which are more secure than the magnetic stripes. New rules are helping, too. As of October 2015, any stores still using old swipe terminals became liable when fraud occurs. That got businesses adopting the new tech pretty quickly. But take note: The rule doesn’t apply to gas stations until 2020.
Which means thieves who used to target random ATMs in stores are now swarming to gas pumps instead.
“We’re seeing an uptick of skimmers becoming more common at fuel stations,” said Angel Grant, director of fraud and risk intelligence at security firm RSA. “We anticipate this to continue to grow.”
At gas stations, the skimmers can be installed on card readers in less than 30 seconds, and they’ll record all your card data for collection by the bad guys. It’s an easy gig: Those pumps are often unattended late at night, and thieves can plug in their skimmers while pretending to get gas.
The skimmer stores the data, and the scammers return to grab the stolen credit or debit card numbers over Bluetooth, without touching the pump again.
Gas station owners aren’t likely to rush to make changes. It’s more expensive to upgrade pumps than ATMs.
On Reddit, it’s a thing now to see posts of people finding card skimmers by fidgeting with the card reader on an ATM and sometimes snapping it right off. But there’s an alternative: A programmer at SparkFun Electronics created an app to save you from having to brutalize your local cash machine.
Because the majority of these skimmers use Bluetooth for harvesting the stolen data, your phone should be able to detect them easily. Nathan Seidle, SparkFun’s founder, created the Skimmer Scanner app to automatically detect the skimmer’s Bluetooth signal, which is most noticeable at gas pumps.
The Boulder-based company worked with local police in Colorado to take a look at a popular skimmer in the region, a module called the HC-05. These modules are typically used for DIY educational projects to provide Bluetooth capabilities on homemade gadgets. But they’re also extremely common for credit card skimmers, and cost only $3 each.
“They’re obviously mass produced,” Seidle said. “It’s so cheap that they can just pepper these things all over the place.”
Because these skimmers are a bargain, their Bluetooth names can’t be changed — it’s always HC-05. They also have a hard-coded default password: “1234.” In other words, their weak spot is the same one that can get you in trouble with lots of the gadgets in your home.
The Skimmer Scanner looks for connections with that name; then attempts to connect with the default password, the same way the thief who planted it would. The app then sends the letter “P” as a command to the Bluetooth device, and if it’s a skimmer, it’ll send back “M.” The system has been able to detect skimmers at distances between 5 and 15 feet.
The Android app is available on the Google Play store for free, and in open-source format on Github.
Researchers said the app is a great step in fighting back, given how common the HC-05 Bluetooth module is, but it’s not going to stop all skimmers.
Eventually, too, once hackers realize how dumb those Bluetooth modules are, Nunnikhoven said, they’ll move onto something that isn’t as detectable.
“There’s a limited lifetime on apps like Skimmer Scanner,” he said. “The attackers are always changing their tactics to avoid getting caught.”
Updated at 10 a.m. PT to correct Angel Grant’s title.
The Smartest Stuff: Innovators are thinking up new ways to make you, and the things around you, smarter.
CNET en Español: Get all your tech news and reviews in Spanish.