Kevin Loeffler's M5Stack Core Ink-Powered Skimmer Scanner Keeps Your Cards Safe From Ne'er-Do-Wells
Scanning for low-cost Bluetooth chips that you wouldn't expect to find in an ATM, this early-warning tool can foil card thieves.
Engineer and researcher Kevin Loeffler has built a keychain-friendly device that aims to make it safer to stick your credit card in untrusted slots, by using an Espressif ESP32 microcontroller to scan for the signatures of known skimming devices.
"Skimming devices, which steal card information from ATMs, gas pumps, and other payment terminals, have become more sophisticated and harder to detect. They work by sitting between your card and the payment equipment, stealing your payment information and storing it for a criminal to retrieve later," Loeffler explains. "Even in 2024, when I am writing this guide, they remain a problem despite having been reported on for years. With a portable, easy-to-use skimmer detector at your fingertips, you can quickly scan for suspicious devices before making a transaction, preventing potential fraud."
Skimmers work by sitting in the card reader slot and capturing a copy of the magnetic stripe as it passes over. Early skimmers required the ne'er-do-wells to revisit targeted card machines to physically remove the device and retrieve the stored card data, a risky endeavor; more recent designs use a Bluetooth radio to let a crim download all the data from a safe distance.
It's this latter type of skimmer that Loeffler's gadget targets, building on an existing but seemingly abandoned SparkFun project that used a smartphone app for the same purpose. Rather than relying on a phone's radio, though, Loeffler's version farms the Bluetooth work out to an M5Stack Core Ink, a compact Espressif ESP32-based microcontroller development board with a low-power ePaper display.
"The code for this project tells the ESP32 inside your development kit to perform a Bluetooth scan when the wheel/button on the right side of the device is pressed," Loeffler explains. "This tells the code to count the number of devices that advertise they are an HC-05 Bluetooth device. We also look for the HC-06."
"These chipsets are extremely common, extremely cheap, and found in many low-cost electronics devices," Loeffler continues. "We have no way of knowing that a device is a skimmer just because it uses one of these chips, but they really shouldn't be in anything broadcasting at your local gas station or grocery store. As a result, if we see one the device will let you know."
Loeffler has released the source code for the project on Instructables as part of a full build guide; the same guide also includes instructions for building an HC-05-powered skimmer emulator, to test that the skimmer scanner is working.
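The name check Loeffler describes can be sketched on its own, as a host-side C++ example added here rather than his Instructables code: it matches each advertised name against HC-05 and HC-06 after normalising case and padding, and collapses repeat sightings of one address so each device is counted once. The record layout, field names, exact-match rule and sample scan are assumptions constructed for illustration.

```cpp
#include <cctype>
#include <map>
#include <string>
#include <vector>
// One discovery result. Field names are hypothetical, not taken from the project.
struct Sighting {
    std::string address;  // device address as reported by the scan
    std::string name;     // advertised name; empty if none was resolved
    int rssi;             // signal strength in dBm
};

// Drop NUL padding, upper-case, and trim so "hc-06 " compares equal to "HC-06".
static std::string normalise(const std::string& raw) {
    std::string out;
    for (unsigned char c : raw)
        if (c != '\0') out.push_back(static_cast<char>(std::toupper(c)));
    const std::size_t b = out.find_first_not_of(" \t\r\n");
    if (b == std::string::npos) return "";
    return out.substr(b, out.find_last_not_of(" \t\r\n") - b + 1);
}

// The two module names the article says the scanner looks for (exact match assumed).
static bool is_watched_name(const std::string& name) {
    const std::string n = normalise(name);
    return n == "HC-05" || n == "HC-06";
}

// Returns one entry per matching address, keeping the strongest RSSI seen for it.
std::vector<Sighting> suspicious_devices(const std::vector<Sighting>& scan) {
    std::map<std::string, Sighting> by_addr;
    for (const Sighting& s : scan) {
        if (!is_watched_name(s.name)) continue;
        auto res = by_addr.emplace(normalise(s.address), s);
        if (!res.second && s.rssi > res.first->second.rssi) res.first->second = s;
    }
    std::vector<Sighting> out;
    for (const auto& kv : by_addr) out.push_back(kv.second);
    return out;
}

// Constructed sample scan: every address and name below is made up.
std::vector<Sighting> sample_scan() {
    return {
        {"00:11:22:33:44:55", "HC-05", -71},
        {"00:11:22:33:44:55", "HC-05", -64},   // same device reported twice
        {"66:77:88:99:AA:BB", "hc-06 ", -80},  // case and padding differ
        {"CC:DD:EE:FF:00:11", "Car Audio", -55},
        {"22:33:44:55:66:77", "", -90},        // name not resolved
    };
}
```

A hit means only that something advertising one of those names is in range, which is the caveat Loeffler gives above.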