Tuesday, May 19, 2020

Transition to practice success story: Securing payment card readers with Skim Reaper

Skimmers want the data on your payment cards

Transition to practice is really a passion of mine. It is wonderful to write papers and have great ideas. But it is even cooler to get a million people using it. – Professor Patrick Traynor.

Patrick Traynor, Ph.D., is the John and Mary Lou Dasburg Preeminent Chair in Engineering and a professor in the Department of Computer and Information Science and Engineering (CISE) at the University of Florida. His research focuses on the security of mobile systems, with a concentration on telecommunications infrastructure and mobile devices. He is also a co-founder of Pindrop Security, CryptoDrop, and Skim Reaper. (Read his full bio at the end of this article.)

Trusted CI spoke with Professor Traynor about his experience transitioning Skim Reaper from a lab experiment into a real-world product.

Trusted CI: How did the Skim Reaper project get started?

We were doing work on how mobile payments are done in the developing world. Imagine that you don't have a credit card, you don't have access to a traditional bank, but you have a cell phone. People were texting each other and trading top-up minutes as currency. Safaricom in Kenya started allowing people to exchange cash instead of minutes.

The first digital payment system for much of the developing world is called M-Pesa. There'll be tremendous advantages bringing such systems here to the US. But in the process of doing that work, we were looking at how traditional payment systems work.

Skim Reaper was an offshoot of an NSF-funded project on trying to secure modern payments (NSF grant 1526718). It's not like credit cards are going to disappear anytime soon. We're going to have more types of payments, so we're going to have to secure these legacy things.

I had my credit card stolen six times in three years. When I talk to academics about credit card fraud, everyone treats it as a solved problem. When I went through the process with a debit card, the money was out of my account for a long period. I started thinking about how people who are financially vulnerable might go long periods without cash. I thought we needed to do something—to look at how we can push back against credit card skimming.

Trusted CI: How does Skim Reaper work?

The Skim Reaper is a card that's swiped or dipped into the payment terminal, just like a credit card. It's a device about the size and shape of a credit card. It determines how many times it's being read. That's a very simplistic version of what it's doing. But with the kind of credit card skimming that we're going after, the adversary adds a second read head to the card reader. They'll do that by overlaying it. Or they'll put one deep inside, called deep insert.

The card reader itself is going to get a normal read, but so too will the attacker. By developing a device that counts the number of times it's being read and then compares that to the number of times it should be being read, we know whether you have additional read heads in place and therefore whether there's a skimmer.

If a skimmer is in place, the device will turn on a red LCD. If the blue LCD lights up, everything is fine. Something like 10% of the population is red-green colorblind. So, we chose a blue light instead of green. We tried to be as inclusive as possible in the design.

Trusted CI: Did you have any NSF funding for Skim Reaper?

We had no explicit NSF funding for Skim Reaper other than the grant to study securing modern payments that preceded it. I have not applied for TTP-explicit funding before, but I am in the process of applying for some now. I have also applied for SBIR funding in the past as part of my work on Pindrop.

Trusted CI: Tell us how things got started.

When we started on this path, we didn't have access to credit cards skimmers. We started by looking online and trying to reach out to various law enforcement agencies, many of whom, of course, said, “who are you and why are you asking for credit card skimmers?” But we got quite lucky. We were in the process of prototyping our devices. We'd seen enough of the things online and had access to a few small units.

Then, we happened to meet the NYPD Financial Crimes Task Force attending a conference about traditional theft in retail at the University of Florida in 2017. When we met these detectives, we ran back to our lab, grabbed our prototypes, and showed them. They said they could use something like that. We flew up to New York in January 2018 at our expense with our devices for them to teach us everything they know about skimmers and then used our devices on skimmers they had previously recovered. We were in New York City for three days and the NYPD was fantastic. I mean, they were amazing. The care and the skill. They took us through the world of skimming, how it works, where it happens, and the motivations. We worked with the detectives during the day, and we'd go back at night and we would rewrite user interfaces.

Initially, our card had a box with a little LCD screen that would give instructions. They were great instructions for lab guys like me. But that's not what the detectives wanted. They said “nope, it's pretty much got to give us a thumbs up, thumbs down. The tiny print is not going to help us when we're out in the field, you just have to give us a clear signal.” We'd run back to the hotel, rewrite user interfaces, bring them back, test them again. Then on the second day, we saw how they were using them. And the original devices we had literally held together with electrical tape and Gorilla glue. We had to find a Home Depot in Manhattan on the second night because we had to essentially tape them back together.

We learned a lot about how users wanted to use the device, how durable it would have to be, and what the procedures around the use of the device might be. That experience was invaluable. We kept great contact and left five prototypes with the NYPD. About a month and a half later, they came back to us and said that they had used the device on an ATM in Queens. They had a positive hit. They did a stake out, and ultimately were able to make an arrest and conviction based on the use of our device.

Trusted CI: How did the project then transition to a product?

From there, things grew quickly. We started getting media coverage and all of a sudden this project that had happened really out of my own shame for having my credit card stolen so many times, resulted in probably 2,000 phone calls to my office and thousands and thousands of emails. We realized this was widespread. We were prototyping as fast as we possibly could. It probably took us fifteen hours to make a single device. But now, we had requests for thousands. We had to try and do this professionally because we couldn't send out something that as we saw lasted a couple of days. We needed to transition this into a real product. And that's what we spent the next year doing.

Trusted CI: Talk about the scope of your potential customers.

We started off working with law enforcement because they had the most examples of credit card skimmers and they're the ones who are generally called in to deal with the problem when it exists. But ultimately what we're doing is trying to make this available to companies, vendors, and retailers because they're the ones that have the point-of sale-units. They're the ones who are being attacked. It’s the same reason that every retailer needs to have locks on their doors. We think every retailer that takes credit cards, debit cards, or gift cards needs to have a Skim Reaper. They need to know that their customers are going to be secure when they make those payments. And in fact, we've heard anecdotally, and I know for myself, when consumers feel like yours is the store where their card has been skimmed, they stop going there. We think it's on retailers to deploy these devices.

Trusted CI: What about banks or ATM manufacturers?

We are working with multiple companies in the financial industry. There are multiple banks of varying sizes that we currently have as customers.

One of the most important things for a transition that I've found is it's not just about having a good pitch. It's not just about having a good product; it's about getting in front of the right people. The media coverage has really helped. (How the 'Skim Reaper' is trying to kill credit card skimming devices) (How the 'Skim Reaper' protects you from credit card skimmers)

Many industries don't want to talk about security problems, at least publicly. And that's a natural thing. You don't want your consumers to think that you are more vulnerable than the competition. But by working with law enforcement, by doing media outreach with them, this allows other businesses to admit that is a problem for them and they often reach out directly to us.

Trusted CI: Without disclosing any customers, how big have you grown?

We started selling in August of 2019, and we're now deployed in 20 states and internationally.

Trusted CI: Would you like to make any acknowledgments?

I really want to thank the NYPD Financial Crimes Taskforce. If they hadn't taken a chance on us early on, we probably wouldn't be having this conversation. But I'm also grateful to the local police department here in Gainesville, Florida. They've been tremendous. Beyond that, the Department of Agriculture and Consumer Services in the State of Florida are responsible for ensuring that gas pumps pump the correct amount that you pay for. But because they're on the ground and out inspecting pumps, they're often the ones that come across skimmers. And for the last two years they've really been a tremendous resource and we very much enjoyed working with them. All these folks continue to help us by giving us access to the newest skimmers that are out there so that we can make sure that number one, our devices continue to work. And number two, we have new things in the pipeline which will come out soon.

Again, I can't speak highly enough about our law enforcement partners. These folks work hard and need the resources to do their job as effectively as possible. And all throughout this transition process, it just wouldn't have been possible without willing law enforcement partners.

Trusted CI: Tell us about your support structure.

We provide videos and we often Skype with customers to make sure that they know how to use it correctly. So far, we've had minimal requests for support. But again, the experience with the NYPD showed us how to simplify the interface. A tool that's likely to give retailers any kind of help in this space has got to be easy enough that it can be learned in two minutes.

Trusted CI: How widespread is skimming?

This is one of the interesting questions we're trying to answer. The best example comes from colleagues at the Department of Agriculture. They often pull out skimmers from gas pumps and they're wrapped in tape and on occasion they'll have numbers on them. I was told a story where somebody in one day pulled out a number 17, a number 32, and he said, “that's great, I have two but where's one through 16, 18 through 31? And what's the stopping number?” Their guess, based on how many they were pulling, was that they were getting about 5% of what's out there.

Prior to the Skim Reaper, there really weren't any tools to know the numbers because these things are often undetected. Sometimes they are recovered and taken away, sometimes the bad guys come back and take them and move them to other spots. Knowing the scale of the problem is quite difficult. But I think anecdotally, we all know someone who's had their credit card stolen. And if it's not you, you're lucky.

Trusted CI: Talk about some of the other things you're working on.

I'm fortunate to have a wonderful group of incredibly talented and diverse students here at the University of Florida. We're working on a huge range of problems, everything from security and microfinance to detecting deep fake voices and disinformation. We're also looking at strengthening two-factor authentication for common users. Our work really runs the gamut. And that's only possible because of NSF funding. Most of my students are indeed funded by the NSF, and we're quite fortunate.

Skim Reaper is my third startup. I want to try and help incentivize junior scientists and help make that path a lot easier because it's tough, but it's been worth it.

Trusted CI: Why is transitioning to practice important?

In a keynote I gave, I had a slightly darker take on this. The NSF is funding us for a long time and we're quite fortunate and we're doing great work. But at some point, they might say, “We're just not winning the battle. The return on investment isn't high enough.” We may need to do this for our own survival. And quite frankly, the world needs us, and the world needs our innovation. I like that more positive spin on it.

Trusted CI: Any last thoughts?

One last thing I do want to plug. We made a conscious decision that are our devices are manufactured in the US. They're manufactured in Houston. This is important to us because the ideas were generated in the US and we're now helping to create high-tech jobs in Houston. We think that this is a great example of reasons to invest in science. We're creating jobs from the ideation to the manufacturing phase. And they're all happening here in the US.


Patrick Traynor is the John and Mary Lou Dasburg Preeminent Chair in Engineering and a Professor in the Department of Computer and Information Science and Engineering (CISE) at the University of Florida. His research focuses on the security of mobile systems, with a concentration on telecommunications infrastructure and mobile devices. His research has uncovered critical vulnerabilities in cellular networks, developed techniques to find credit card skimmers that have been adopted by law enforcement and created robust approaches to detecting and combating Caller-ID scams.

He received a CAREER Award from the National Science Foundation in 2010, was named a Sloan Fellow in 2014, a Fellow of the Center for Financial Inclusion at Accion in 2016 and a Kavli Fellow in 2017. Professor Traynor earned his Ph.D and M.S. in Computer Science and Engineering from the Pennsylvania State University in 2008 and 2004, respectively, and his B.S. in Computer Science from the University of Richmond in 2002. He is also a co-founder of Pindrop Security, CryptoDrop, and Skim Reaper.