A grimly named handheld gadget can detect card-data-stealing skimmers in compromised gas pumps, ATMs
A grimly named gadget could hasten the demise of credit card skimmers used by identity thieves to commit fraud.
University of Florida professor Patrick Traynor and a group of students have developed the Skim Reaper, a credit-card-shaped device that can detect a skimmer’s presence when inserted into an ATM or gas pump card slot.
As of now, the Skim Reaper is just a prototype, but it’s drawing interest from law enforcement agencies around the world and is currently being field tested by the New York Police Department (NYPD).
The shift away from magnetic stripe technology to EMV chip-enabled payment cards has drastically cut down on card fraud. But compliance is not universal – gas retailers are in no hurry to update their pumps to EMV, and many ATM owners simply won’t take on the expense required to upgrade their machines.
Traynor sees a window of opportunity for his invention as long as cards continue to have magnetic stripes.
“I want nothing more than for the Skim Reaper to be a standard tool of law enforcement – really, for anyone who takes payments,” Traynor said. “While EMV is certainly out there, the magnetic swipe standard is not going to go away any time soon.”
Not dead yet: Physical card fraud persists despite EMV’s impact
Criminals have flocked to skimming crime as improved credit card technology thwarted them elsewhere. In a move to cut credit card fraud, the industry began switching to EMV chip-enabled credit cards 2015. Fraud losses due to counterfeit, stolen and lost cards hit an all-time peak of $5.4 billion the following year, but they plummeted to $3.9 billion in 2017, according to data from Aite Group.
Identity thieves switched tactics, and set their sights on two remaining weak points:
- Digital transactions, where the card is not present. Fraud losses from online and other card-not-present fraud losses are expected to reach $4.9 billion in 2018 (up from $3.3 billion just two years earlier).
- Gas pumps and ATMs that still use old magnetic stripe technology.
Gas stations in particular are fertile ground for fraudsters – in 2016, Visa and Mastercard gave fuel retailers a three-year extension to switch to EMV or be held liable for losses due to fraud. And unlike major banks’ ATMs, many independently owned cash machines such as the ones found in bars and convenience stores are still mag-stripe-only. Approximately 9 percent of ATMs in the U.S. are not yet EMV compliant, per data from the ATM Industry Association.
“The retail sector has not made that much progress and fuel pumps haven’t even started,” David Tente, association’s executive director for the U.S. and the Americas, said in an e-mail. “So there is still a lot of skimming going on.”
How the Skim Reaper works
Traynor, a computer science instructor and cybersecurity researcher, was driven to create the Skim Reaper after falling victim to card skimming on multiple occasions.
“I got frustrated because I’m an information security specialist – I had spent the last 15 years of my life dedicated to it,” he said. “It seemed like no matter what I did I couldn’t protect myself.”
Traynor began studying the mechanics of magnetic stripe cards and how skimmers lift their data. The idea for the Skim Reaper started to gel when he and his team connected with law enforcement officials to examine specific types of skimmers.
Traynor explained that skimmers work by adding a second “read head” – the part of a card reader that transmits magnetic stripe data from the payment card – to an ATM or a gas pump. The Skim Reaper, which looks like a long credit card attached to a black box via USB cable, counts how many read heads are in the machine when it’s inserted into the card reader.
“When more read heads are present than should be there, we have a skimmer,” Traynor said.
Cops, retailers and consumers could reap the benefits
The NYPD’s Financial Crimes Task Force has five detectives who work solely on ATM skimming cases, and they’ve dealt with about 250 such incidents just this year, according to NYPD Sergeant Christopher Doty. The department began field testing five Skim Reaper prototypes earlier this year after meeting with Traynor and his team.
Doty said his detectives have thus far used the Skim Reaper to detect skimmers they already knew were present. But he said the device could be invaluable to people whose entire workdays aren’t dedicated to rooting out skimmers – such as bank employees, ATM owners and even police officers on patrol.
“The cop on patrol has a ton of responsibilities and things he has to be knowledgeable of,” Doty said. “It’s kind of like being a jack of all trades, so having something that makes it easier for them to find a device will definitely increase the effectiveness of law enforcement in finding and stopping these skimmers.”
The Skim Reaper could also be a convenient tool for wary consumers. Traynor hopes to someday make a streamlined, commercialized version that can fit into a wallet. (He said a smartphone app could potentially replace the prototype’s processing box, which tells the user if a skimmer is present.)
But the first step is to find a way to mass produce it. At present, Traynor and his team assemble the units themselves using a 3-D printer, printed circuit boards and other components. Each one costs $50 and takes about five hours to build, Traynor said.
“We’re actively trying to find partners who can help us with manufacturing to bring down those times,” he said. “Obviously, we can’t get these out into the hands of many people with that kind of overhead.”
One tool in the fight against fraud
Many Skim Reapers would be needed in a lot of different places to eradicate such a diffuse threat as skimmer fraud. The National Association of Convenience Stores (NACS) estimates 29 million drivers pay with cards to fuel up their vehicles each day, though skimmers affect only a small fraction of total fill-ups. And there are plenty of nonbank ATMs scattered all over the country, perhaps never to be upgraded to EMV.
NYPD’s Doty touted the Skim Reaper’s ease of use and simplicity, but he doesn’t believe any single solution can completely snuff out skimmers.
“In my opinion, that’s got to be a combination of law enforcement, banks and the general public adopting best practices in order to prevent that kind of fraud,” he said.
Traynor remains optimistic the Skim Reaper can be a valuable tool in the fight against fraud, and other entities besides the NYPD are taking notice. Traynor said he’s fielded inquiries from law enforcement officials in his hometown of Gainesville, Florida, the Philippines and “everywhere in between.”
“We’re having lots of good conversations and we welcome others from folks who think they can help make this a reality,” he said. “My goal as an academic is not just to write good scientific papers. In this case, it’s to have an impact.”