Card skimmer app spots hacked gas pumps - but there's a catch

An app which can spot credit card skimmers secretly installed on gas pumps has been developed, but don't go looking in the App Store to try to download it. Bluetana tackles the growing issue of credit and debit card theft, where tiny scanners are installed on the card reader and used to surreptitiously clone its details when customers go to pay for their gas.

Although early iterations of the skimmers tended to be bulky and even require whole new fascias for ATMs and other card readers, the latest generation of devices are far more clandestine. Indeed, some skinners can be as small as a thin overlay to the slot of the legitimate card reader, or even installed inside the pump itself.

With access to the PIN pad too, ZIP codes and PINs can also be harvested. Depending on the type of card, criminals responsible can withdraw cash from ATMs from victims' accounts, or make purchases with cloned credit cards. Actually spotting the cloning equipment can be time-consuming, however.

That's where Bluetana comes in. Developed by teams at UC San Diego and the University of Illinois, the app relies on the fact that many of these installed skimmers use Bluetooth to offload the collected card details. That allows criminals to remotely download the database simply by parking nearby, but also gives Bluetana a way to spot the presence of skimmer hardware.

By analyzing scans of found Bluetooth skimmers, the researchers came up with an algorithm that can better differentiate between the skimmers' wireless fingerprint and Bluetooth in use by other devices nearby. "Bluetana extracts more meaningful data from the Bluetooth protocol, such as signal strength, than existing skimmer detection applications," Maxwell Bland, coauthor of a study on the new app, explains. "In a few cases, our app was able to find devices missed by visual inspection."

A public trial in three US states has seen 42 skimmers identified by inspectors using the app overt the past year. That includes two skimmers that had been gathering credit and debit card details for six months without being spotted. Bluetana typically takes three seconds to detect a skimmer, versus 30 minutes on average for physical searches.

Unfortunately for consumers wary of potential card fraud, the app won't be released for general use. Instead, it'll be limited to gas pump inspectors, presumably in part because the university teams created it with technical input from the US Secret Service.