A team from the University of Florida won a 2018 Usenix Security Distinguished Paper Award for “Fear the Reaper: Characterization and Fast Detection of Card Skimmers,” which presents their work on the “Skim Reaper,” a fast, easy-to-use, reliable credit-card skimmer-detector.
The team analyzed the NYPD’s trove of skimmers and realized that skimmers overwhelmingly work by shimming a second read-head into the swipe slot (the alternative, a “deep tap,” requires extensive work on the target machine and has only been found on gas pumps). By designing a credit-card-sized probe, they can detect these second read-heads.
It’s a breakthrough: the skimmers themselves are virtually invisible and undetectable to physical inspection, but hiding the second read-head is going to be very hard.
Skimmers represent a significant and growing threat to payment terminals around the world. Moreover, adversaries have become increasingly sophisticated, making the detection of such attacks difficult. We address these problems by conducting the first large-scale academic analysis of skimming devices. With a characterization of the techniques actually being used by attackers, we first debunk much of the common advice offered to protect consumers. We then develop the Skim Reaper tool, which relies on the necessary physical properties of the most common types of skimming devices found in New York City. After successfully testing our solution on skimmers used in real crimes, we show that simple adversarial countermeasures are ineffective against our device. Accordingly, through systematization, characterization and measurement, we show that robust and portable tools can be developed to help consumers and law enforcement to rapidly detect such attacks.
Fear the Reaper: Characterization and Fast Detection of Card Skimmers [Nolen Scaife, Christian Peeters, and Patrick Traynor/Usenix Security]
(via Four Short Links)