BALTIMORE—At the USENIX Security Symposium here today, University of Florida researcher Nolen Scaife presented the results of a research project he undertook with Christian Peeters and Patrick Traynor to effectively detect some types of “skimmers”—maliciously placed devices designed to surreptitiously capture the magnetic stripe data and PIN codes of debit and credit cards as they are inserted into automated teller machines and point-of-sale systems.
Nolen and his fellow researchers worked with data provided by the New York City Police Department (NYPD) to assess the types of credit-card-skimming gear currently in the wild. They uncovered four broad categories of skimming gear:
Overlays and deep inserts are by far the most common types of skimmers—and are increasingly difficult to detect. Police, Scaife noted, often find them only by looking for the cameras used by skimmers to capture PIN numbers, because most of the common detection tips—including trying to shake the card slot to see if it dislodges—are ineffective.
SkimReaper is aimed specifically at overlays and inserts. It uses a card-shaped sensor with a printed circuit that, when powered, can detect the voltage spikes created by coming in contact with magnetic reader heads. If it detects two or more, there’s a skimmer in play.
Testing against skimmers collected by the NYPD, the SkimReaper yielded a 100-percent detection rate. The NYPD has adopted SkimReaper and has already discovered one skimmer in the wild with the device; another seven police departments have also signed on for the SkimReaper, and Scaife says that demand exceeds his team’s ability to manufacture them.
But the payoff is huge in terms of damage to skimming operators. Card-skimming devices are costly and custom-manufactured for each type of targeted machine, and stopping and retrieving a skimmer can put a serious dent in the skimmer’s profits. Detection in place also offers law enforcement an opportunity to catch the skimmer or an accomplice in the act of trying to remove the device after data is collected.
