The Overlook mobile application is inspired by recent research done by a representative of Sparkfun. The folks at Sparkfun were given some credit card skimmers with the request to reverse engineer and extract any data possible from the devices. The Sparkfun engineers found that the devices broadcasted a specific Bluetooth name and connection protocol. The module that many of these skimmers use is primitive and found in a variety of off-the-shelf products and kits.
In response to this, the folks at Sparkfun developed the Skimmer Scanner mobile application. This primitive application returned nearby Bluetooth devices and performed the check for a Bluetooth-enabled credit card skimmer based on their research. Our team wanted to take this a step further and create a crowd-sourced credit card skimmer identification platform based on this research.
What it does
The Overlook mobile application helps to overlook your transactions and ensure that your gas pump credit card transactions are not being intercepted by a cybercriminal.
The mobile application checks all Bluetooth devices nearby when the app is opened. If a candidate for a Bluetooth-enabled credit card skimmer is detected, the application checks this against its identification algorithm and populates its database. This database is then used to add points onto a map in the mobile app, allowing users to view anonymized crowd-sourced information about potential credit card skimmers.
This crowd-sourced awareness of potential security concerns for gas pump users is furthered by an automated Twitter feed sourced from the Overlook data. View Overlook skimmer reports on Twitter:
Finally, a simple table client intended for law enforcement or maintenance roles allows for easy viewing of points added to the database. Partnering with law enforcement or government agencies, an official would be able to extract the physical skimmer and report it as "removed" from the initial discovery point.
How we built it
The Overlook app is built with the following technologies:
Python: Serves the database of Skimmer locations and handles all data endpoints through the mobile application front-end. The Python backend makes requests to the Google Places API to identify the various gas stations that a skimmer might be located at. The Python backend also returns 'hotspots' as to where the most skimmers are appearing, based on reports.
Ionic Framework: This is the main point of interaction between the user, skimmer, and database. The mobile application scans for Bluetooth devices and checks for the possibility of a skimmer, and then populates the data base via HTTP requests, while displaying an embedded Google Maps view of reported skimmers. The Ionic application also leverages geolocation technologies.
Vue.js: Vue JS is used to show the client-table of all database points for law enforcement, administration, data reporting, and more. Our client table is hosted for public viewing.
Arduino: Straight-forward Arduino technology is used with an Arduino Uno and HC-06 Bluetooth module to emulate a credit card skimmer for testing purposes.
What's next for Overlook
Now that we've targeted one type of Bluetooth-enabled credit card skimmer, the next step is to identify other iterations of this concept. The application features support to update the functionality for checking skimmers, should more types of skimmers come up in research studies and field analysis.
The functionality of Overlook is easily expanded to not only gas pumps, but also ATMs, vending machines, and other point-of-sale systems.
Logo adapted from user 'Mello' at The Noun Project under the Creative Commons license.
Interested in our source? Drop a comment or contact any of the team members for more information regarding how this application works.