Skimmers want the data on your payment cards
"Transition to practice is really a passion of mine. It is wonderful to write papers and have great ideas. But it is even cooler to get a million people using it." – Professor Patrick Traynor

Patrick Traynor, Ph.D., is the John and Mary Lou Dasburg Preeminent Chair in Engineering and a professor in the Department of Computer and Information Science and Engineering (CISE) at the University of Florida. His research focuses on the security of mobile systems, with a concentration on telecommunications infrastructure and mobile devices. He is also a co-founder of Pindrop Security, CryptoDrop, and Skim Reaper. (Read his full bio at the end of this article.)

Trusted CI spoke with Professor Traynor about his experience transitioning Skim Reaper from a lab experiment into a real-world product.
Trusted CI: How did the Skim Reaper project get started?

We were doing work on how mobile payments are done in the developing world. Imagine that you don't have a credit card, you don't have access to a traditional bank, but you have a cell phone. People were texting each other and trading top-up minutes as currency. Safaricom in Kenya started allowing people to exchange cash instead of minutes. The first digital payment system for much of the developing world is called M-Pesa. There'll be tremendous advantages bringing such systems here to the US. But in the process of doing that work, we were looking at how traditional payment systems work.

Skim Reaper was an offshoot of an NSF-funded project on trying to secure modern payments (NSF grant 1526718). It's not like credit cards are going to disappear anytime soon. We're going to have more types of payments, so we're going to have to secure these legacy things.

I had my credit card stolen six times in three years. When I talk to academics about credit card fraud, everyone treats it as a solved problem. When I went through the process with a debit card, the money was out of my account for a long period. I started thinking about how people who are financially vulnerable might go long periods without cash. I thought we needed to do something—to look at how we can push back against credit card skimming.
Trusted CI: How does Skim Reaper work?

The Skim Reaper is a card that's swiped or dipped into the payment terminal, just like a credit card. It's a device about the size and shape of a credit card. It determines how many times it's being read. That's a very simplistic version of what it's doing. But with the kind of credit card skimming that we're going after, the adversary adds a second read head to the card reader. They'll do that by overlaying it. Or they'll put one deep inside, called deep insert.

The card reader itself is going to get a normal read, but so too will the attacker. By developing a device that counts the number of times it's being read and then compares that to the number of times it should be being read, we know whether you have additional read heads in place and therefore whether there's a skimmer.

If a skimmer is in place, the device will turn on a red LCD. If the blue LCD lights up, everything is fine. Something like 10% of the population is red-green colorblind. So, we chose a blue light instead of green. We tried to be as inclusive as possible in the design.
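The answer above describes the detection idea at its simplest: count how many read heads touch the stripe during one transaction and compare that with how many a clean reader should have. The following Python model is an added illustration written for this article; it is not Skim Reaper's firmware and not the algorithm from the team's paper. Everything in it is an assumption for the sake of the example: that the card logs a timestamp each time it senses a head against the stripe, that samples closer than `gap_ms` belong to the same head pass, and that a clean swipe yields one read while a clean dip yields two (in and out). The `synthetic_contacts` helper fabricates sample data so the model runs offline.

```python
"""Toy model of read-head counting for skimmer detection.

Added example for this article, not Skim Reaper code. All thresholds and the
expected-read table are assumptions chosen to make the idea concrete.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Assumed expected reads per transaction by reader style. A swipe reader
# passes the stripe over each head once; a dip reader is assumed to read on
# the way in and again on the way out, so one legitimate head gives two reads.
EXPECTED_READS = {"swipe": 1, "dip": 2}


def cluster_reads(contact_ms: List[float], gap_ms: float = 50.0) -> List[Tuple[float, float]]:
    """Merge head-contact samples into distinct read events.

    contact_ms: timestamps (ms) at which the card sensed a read head on the
    stripe. Samples within gap_ms of the previous one belong to the same head
    pass; a longer silence starts a new event. Returns (start, end) per event.
    """
    if not contact_ms:
        return []
    times = sorted(contact_ms)
    events: List[Tuple[float, float]] = []
    start = prev = times[0]
    for t in times[1:]:
        if t - prev > gap_ms:
            events.append((start, prev))
            start = t
        prev = t
    events.append((start, prev))
    return events


def count_reads(contact_ms: List[float], gap_ms: float = 50.0) -> int:
    """Number of distinct head passes sensed during one transaction."""
    return len(cluster_reads(contact_ms, gap_ms))


@dataclass
class Verdict:
    reader_type: str
    expected: int
    observed: int
    light: str  # "red" = extra head(s) suspected, "blue" = ok, "none" = no verdict
    note: str


def assess(reader_type: str, contact_ms: List[float], gap_ms: float = 50.0) -> Verdict:
    """Compare observed head passes with what a clean reader of this type gives.

    Blue rather than green is used for the all-clear, mirroring the interview's
    point about red-green colour blindness.
    """
    expected = EXPECTED_READS[reader_type]
    observed = count_reads(contact_ms, gap_ms)
    if observed == 0:
        return Verdict(reader_type, expected, 0, "none", "no read head sensed; repeat the swipe/dip")
    if observed > expected:
        extra = observed - expected
        return Verdict(reader_type, expected, observed, "red", f"{extra} extra read head pass(es) sensed")
    if observed < expected:
        return Verdict(reader_type, expected, observed, "none", "fewer reads than expected; repeat the swipe/dip")
    return Verdict(reader_type, expected, observed, "blue", "read count matches the reader type")


def synthetic_contacts(head_passes: int, dwell_ms: float = 20.0,
                       spacing_ms: float = 300.0, sample_ms: float = 1.0) -> List[float]:
    """Constructed sample data: each head pass is a burst of contact samples
    lasting dwell_ms, with passes spaced spacing_ms apart."""
    samples: List[float] = []
    for i in range(head_passes):
        t0 = i * spacing_ms
        samples.extend(t0 + k * sample_ms for k in range(int(dwell_ms / sample_ms)))
    return samples


if __name__ == "__main__":
    # A clean swipe, a swipe through an overlay (two heads), a clean dip,
    # and a dip through a reader with a deep-insert skimmer (two heads, in and out).
    for reader, passes in (("swipe", 1), ("swipe", 2), ("dip", 2), ("dip", 4)):
        print(assess(reader, synthetic_contacts(passes)))
```

The two retry outcomes matter in practice: a zero or short count says nothing about a skimmer, only that the pass was not sensed cleanly, and a field tool should say "try again" rather than "clear".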
Trusted CI: Did you have any NSF funding for Skim Reaper?

We had no explicit NSF funding for Skim Reaper other than the grant to study securing modern payments that preceded it. I have not applied for TTP-explicit funding before, but I am in the process of applying for some now. I have also applied for SBIR funding in the past as part of my work on Pindrop.

Trusted CI: Tell us how things got started.

When we started on this path, we didn't have access to credit card skimmers. We started by looking online and trying to reach out to various law enforcement agencies, many of whom, of course, said, "who are you and why are you asking for credit card skimmers?" But we got quite lucky. We were in the process of prototyping our devices. We'd seen enough of the things online and had access to a few small units.

Then, we happened to meet the NYPD Financial Crimes Task Force attending a conference about traditional theft in retail at the University of Florida in 2017. When we met these detectives, we ran back to our lab, grabbed our prototypes, and showed them. They said they could use something like that. We flew up to New York in January 2018 at our expense with our devices for them to teach us everything they know about skimmers and then used our devices on skimmers they had previously recovered. We were in New York City for three days and the NYPD was fantastic. I mean, they were amazing. The care and the skill. They took us through the world of skimming, how it works, where it happens, and the motivations. We worked with the detectives during the day, and we'd go back at night and we would rewrite user interfaces.

Initially, our card had a box with a little LCD screen that would give instructions. They were great instructions for lab guys like me. But that's not what the detectives wanted. They said "nope, it's pretty much got to give us a thumbs up, thumbs down. The tiny print is not going to help us when we're out in the field, you just have to give us a clear signal." We'd run back to the hotel, rewrite user interfaces, bring them back, test them again. Then on the second day, we saw how they were using them. And the original devices we had were literally held together with electrical tape and Gorilla Glue. We had to find a Home Depot in Manhattan on the second night because we had to essentially tape them back together.

We learned a lot about how users wanted to use the device, how durable it would have to be, and what the procedures around the use of the device might be. That experience was invaluable. We kept great contact and left five prototypes with the NYPD. About a month and a half later, they came back to us and said that they had used the device on an ATM in Queens. They had a positive hit. They did a stakeout, and ultimately were able to make an arrest and conviction based on the use of our device.
Trusted CI: How did the project then transition to a product?

From there, things grew quickly. We started getting media coverage and all of a sudden this project, which had happened really out of my own shame for having my credit card stolen so many times, resulted in probably 2,000 phone calls to my office and thousands and thousands of emails. We realized this was widespread. We were prototyping as fast as we possibly could. It probably took us fifteen hours to make a single device. But now, we had requests for thousands. We had to try and do this professionally because we couldn't send out something that, as we saw, lasted a couple of days. We needed to transition this into a real product. And that's what we spent the next year doing.

Trusted CI: Talk about the scope of your potential customers.

We started off working with law enforcement because they had the most examples of credit card skimmers and they're the ones who are generally called in to deal with the problem when it exists. But ultimately what we're doing is trying to make this available to companies, vendors, and retailers because they're the ones that have the point-of-sale units. They're the ones who are being attacked. It's the same reason that every retailer needs to have locks on their doors. We think every retailer that takes credit cards, debit cards, or gift cards needs to have a Skim Reaper. They need to know that their customers are going to be secure when they make those payments. And in fact, we've heard anecdotally, and I know for myself, when consumers feel like yours is the store where their card has been skimmed, they stop going there. We think it's on retailers to deploy these devices.

Trusted CI: What about banks or ATM manufacturers?

We are working with multiple companies in the financial industry. There are multiple banks of varying sizes that we currently have as customers.

One of the most important things for a transition that I've found is it's not just about having a good pitch. It's not just about having a good product; it's about getting in front of the right people. The media coverage has really helped. (See "How the 'Skim Reaper' is trying to kill credit card skimming devices" and "How the 'Skim Reaper' protects you from credit card skimmers".)

Many industries don't want to talk about security problems, at least publicly. And that's a natural thing. You don't want your consumers to think that you are more vulnerable than the competition. But by working with law enforcement, by doing media outreach with them, this allows other businesses to admit that it is a problem for them, and they often reach out directly to us.

Trusted CI: Without disclosing any customers, how big have you grown?

We started selling in August of 2019, and we're now deployed in 20 states and internationally.
Trusted CI: Would you like to make any acknowledgments?

I really want to thank the NYPD Financial Crimes Task Force. If they hadn't taken a chance on us early on, we probably wouldn't be having this conversation. But I'm also grateful to the local police department here in Gainesville, Florida. They've been tremendous. Beyond that, the Department of Agriculture and Consumer Services in the State of Florida are responsible for ensuring that gas pumps pump the correct amount that you pay for. But because they're on the ground and out inspecting pumps, they're often the ones that come across skimmers. And for the last two years they've really been a tremendous resource and we very much enjoyed working with them. All these folks continue to help us by giving us access to the newest skimmers that are out there so that we can make sure that, number one, our devices continue to work. And number two, we have new things in the pipeline which will come out soon.

Again, I can't speak highly enough about our law enforcement partners. These folks work hard and need the resources to do their job as effectively as possible. And all throughout this transition process, it just wouldn't have been possible without willing law enforcement partners.

Trusted CI: Tell us about your support structure.

We provide videos and we often Skype with customers to make sure that they know how to use it correctly. So far, we've had minimal requests for support. But again, the experience with the NYPD showed us how to simplify the interface. A tool that's likely to give retailers any kind of help in this space has got to be easy enough that it can be learned in two minutes.

Trusted CI: How widespread is skimming?

This is one of the interesting questions we're trying to answer. The best example comes from colleagues at the Department of Agriculture. They often pull out skimmers from gas pumps and they're wrapped in tape and on occasion they'll have numbers on them. I was told a story where somebody in one day pulled out a number 17, a number 32, and he said, "that's great, I have two, but where's one through 16, 18 through 31? And what's the stopping number?" Their guess, based on how many they were pulling, was that they were getting about 5% of what's out there.

Prior to the Skim Reaper, there really weren't any tools to know the numbers because these things are often undetected. Sometimes they are recovered and taken away, sometimes the bad guys come back and take them and move them to other spots. Knowing the scale of the problem is quite difficult. But I think anecdotally, we all know someone who's had their credit card stolen. And if it's not you, you're lucky.
Trusted CI: Talk about some of the other things you're working on.

I'm fortunate to have a wonderful group of incredibly talented and diverse students here at the University of Florida. We're working on a huge range of problems, everything from security and microfinance to detecting deep fake voices and disinformation. We're also looking at strengthening two-factor authentication for common users. Our work really runs the gamut. And that's only possible because of NSF funding. Most of my students are indeed funded by the NSF, and we're quite fortunate.

Skim Reaper is my third startup. I want to try and help incentivize junior scientists and help make that path a lot easier because it's tough, but it's been worth it.

Trusted CI: Why is transitioning to practice important?

In a keynote I gave, I had a slightly darker take on this. The NSF has been funding us for a long time and we're quite fortunate and we're doing great work. But at some point, they might say, "We're just not winning the battle. The return on investment isn't high enough." We may need to do this for our own survival. And quite frankly, the world needs us, and the world needs our innovation. I like that more positive spin on it.

Trusted CI: Any last thoughts?

One last thing I do want to plug. We made a conscious decision that our devices are manufactured in the US. They're manufactured in Houston. This is important to us because the ideas were generated in the US and we're now helping to create high-tech jobs in Houston. We think that this is a great example of reasons to invest in science. We're creating jobs from the ideation to the manufacturing phase. And they're all happening here in the US.
Bio

Patrick Traynor is the John and Mary Lou Dasburg Preeminent Chair in Engineering and a Professor in the Department of Computer and Information Science and Engineering (CISE) at the University of Florida. His research focuses on the security of mobile systems, with a concentration on telecommunications infrastructure and mobile devices. His research has uncovered critical vulnerabilities in cellular networks, developed techniques to find credit card skimmers that have been adopted by law enforcement, and created robust approaches to detecting and combating Caller-ID scams.

He received a CAREER Award from the National Science Foundation in 2010, was named a Sloan Fellow in 2014, a Fellow of the Center for Financial Inclusion at Accion in 2016, and a Kavli Fellow in 2017. Professor Traynor earned his Ph.D. and M.S. in Computer Science and Engineering from the Pennsylvania State University in 2008 and 2004, respectively, and his B.S. in Computer Science from the University of Richmond in 2002. He is also a co-founder of Pindrop Security, CryptoDrop, and Skim Reaper.