A team from the University of Florida won a 2018 Usenix Security Distinguished Paper Award for Fear the Reaper: Characterization and Fast Detection of Card Skimmers, which presents their work on the "Skim Reaper," a fast, easy-to-use, reliable credit-card skimmer-detector.
The team analyzed the NYPD's trove of skimmers and realized that skimmers overwhelmingly work by shimming a second read-head into the swipe slot (the alternative, a "deep tap," requires extensive work on the target machine and has only been found on gas pumps). By designing a credit-card-sized probe, they can detect these second read-heads.
It's a breakthrough: the skimmers themselves are virtually invisible and undetectable to physical inspection, but hiding the second read-head is going to be very hard.
Skimmers represent a significant and growing threat to payment terminals around the world. Moreover, adversaries have become increasingly sophisticated, making the detection of such attacks difficult. We address these problems by conducting the first large-scale academic analysis of skimming devices. With a characterization of the techniques actually being used by attackers, we first debunk much of the common advice offered to pro- tect consumers. We then develop the Skim Reaper tool, which relies on the necessary physical properties of the most common types of skimming devices found in New York City. After successfully testing our solution on skimmers used in real crimes, we show that simple adversarial countermeasures are ineffective against our device. Accordingly, though systematization, characterization and measurement, we show that robust and portable tools can be developed to help consumers and law enforcement to rapidly detect such attacks.
Fear the Reaper: Characterization and Fast Detection of Card Skimmers [Nolen Scaife, Christian Peeters, and Patrick Traynor/Usenix Security]
(via Four Short Links)