UC San Diego Develops App To Curb Card Skimmers At Gas Stations
Wednesday, August 14, 2019
Photo by David Baillot/University of California San Diego
Despite San Diego's already high gas prices, consumers may unwittingly end up paying more at the pump.
That's because the gas pump may have a Bluetooth skimmer — technology that can scan credit and bank card numbers and transmit them over a wireless connection to a thief.
Christopher Rohde of the U.S. Secret Service says skimmers aren't new. Physical skimmers have been placed on top of card scanners.
But these Bluetooth variations can help criminals steal more information than before. They are embedded directly inside the pump and are harder to detect. And they are still cheap to make or buy over the Dark Web, Rohde says.
"The bad guy can just be driving by, link up to it and have all the credit card data pushed out electronically," Rohde said. "In less than a minute, a criminal can come in and load a skimming device that can hold anywhere from 10 to 2,000 numbers."
Rohde estimates skimmers could have amounted to hundreds of millions in fraud last year.
That's why the Secret Service in San Diego has teamed up with researchers at UC San Diego in what Rohde calls a first-of-its-kind relationship.
Rohde oversees the USSS Southern California Electronic Crimes Task Force, which has been lending technical expertise to UCSD engineers Nishant Bhaskar and Aaron Schulman.
These researchers have been studying skimmers around the country, and developed a phone application that can detect them. It isn't available to consumers, but can be requested by local law enforcement.
"So a gas station inspector, once they get to a station...they can also launch this app and it quickly starts scanning for Bluetooth devices in the vicinity," Bhaskar said.
The screen is a simple black page with a series of frequency numbers, categorized by different colors.
"The devices that are in red are actually what we think are suspect devices," Bhaskar said.
Schulman says while there are other commercial applications or Bluetooth detection on normal phones, they aren't as precise. This application, which they called Bluetana, can pinpoint an actual skimmer based on the frequency they are likely to have.
"We found in our giant study, (those applications) are actually often mistaking real products that appear at gas stations for skimmers," Schulman said.
Schulman says criminals typically buy skimmers that end up having the same few frequencies. So, the application uses that information to target the illicit skimmers.
The Secret Service will not be using the application or keeping any data from it. But, it can receive leads from local law enforcement using the application.
Schulman says the application is now being picked up nationally, including by gas station inspectors in San Diego.
"Mostly it was word of mouth. Once it became clear it was working and finding skimmers, people or law enforcement and Weights and Measures officials didn't know were there, they would talk to each other...and say 'hey there's this new application, do you know about it?'" Schulman said.
"And then we would ship them a really cheap smart phone, a $100 smart phone, with our tool on it."
Last year, inspectors found 33 skimmers in four different states using Bluetana.
"And, now there's a detection device that's able to notice that signal isn't a watch, it isn't just being emitted from someone's iPhone."
Rohde says the application will help gas station inspectors find these skimmers more easily. It will also help the Secret Service get leads that could help them understand what criminals are doing, and try to get ahead of them.
But, he says, the application is only one part of the puzzle in addressing gas station fraud.
"We continue to try to catch up, the criminals, the evolution continues," he said.
Rohde says the skimmer devices appear to not work with EMV chip card readers. So, many gas stations are trying to upgrade their pumps to avoid the problem. However, that can be costly for retailers.
He also says new legislation that could pass next year may shift the burden of fraudulent activity back onto the retailers which could be financially disastrous for some smaller gas stations.
"Gas stations need to continue with better security...unfortunately they are going to need to spend a lot of money on the EMV chip readers (on pumps)," he said.
So in the meantime, Rohde recommends consumers be smarter about how they pay for gas.
"Maybe using a pump that's closer to the attendant...try not to use a debit card...and pay inside."
To view PDF documents, Download Acrobat Reader.