Gas Pump Skimmer Fraudsters Want Your Credit Card Number - NEM’s Catapult To The Rescue!
By Bader Youssef & Bassem Youssef
I was seated in the chair of my local bank, excitedly awaiting to open a new bank account. As I was handed my new VISA debit card on the spot, I imagined the convenience that a powerful electronic payment solution would bring. Upon giving me the drill on my new card, the first words out of the bank manager’s mouth were:
“Whatever you do, never use this debit card at the local gas pumps!”
That’s right — I wasn’t allowed to utilize the convenience of my card at one of the simplest and seemingly harmless actions one can participate in.
She told me that there was a serious problem concerning the pumps — one which had affected herself as well. I leaned forward in my chair out of curiosity, anticipating the reason as to why I wasn’t allowed to utilize my supposedly secure bank card.
The reason for this dire warning was actually quite simple — and shocking. Many of the gas station pumps in the area were known to be compromised with an illegal credit card logging device known as a “skimmer”. In the last year, the number of skimmers in the state of Florida rose by 27.6 percent. In South Florida alone, nearly 200 skimmers were found in gas pumps. When you take into account the amount of traffic that each pump gets, especially in more populous places, the threat this issue poses becomes much more significant.
With 29 million Americans pumping gas with credit cards everyday, and an estimated amount of $1 million dollars worth of fraud per skimmer, this is a disruptive issue that needs serious technological intervention.
Shocking amount of skimmers found in Florida over the last year - source, WPTV
First things first — how do these things work?
Most prominent in the states of Florida and Texas, Credit card skimmers are devices that are placed near the gas pump’s legitimate card reader. Frequently part of organized crime operations, they are often placed on the inside of the gas pump’s cabinet. The devices then log this data wirelessly over Bluetooth or even a cellular GSM connection, where criminals obtain the credit card information. Due to the wireless nature of the skimmer, the criminal never needs to return to the pump to retrieve their skimmer.
Chip-based card readers are also in trouble; in the last year, devices known as “shimmers” have made their way into gas pump cabinets. These operate on the same principle as the skimmer, only they intercept card information from the supposedly secure chip-based card readers.
To combat this issue, many gas stations began placing “security seals” to indicate if a pump has been tampered with. However, these stickers are easily replaceable once taken off, as the criminal can simply order a pack of 500 stickers for $69 USD online, making it not a very effective method for informing the public.
Security seals do not aid in anti-skimming — they are easily replaceable
So, how can one solve this growing crime that affects millions of people in Florida and elsewhere?
The answer lies with the NEM Catapult blockchain. We battle a high-tech problem with a high-tech solution!
The use of blockchain (a distributed, trusted online ledger), with elements of Internet of Things (IoT), can aid in authenticating and auditing gas pumps and their activities.
For this application, we can utilize the NEM Catapult blockchain, as it introduces several built-in mechanisms that will perfectly suite this application.
To solve this issue, a low-cost IoT “anti-skimming” device is placed within each gas pump’s cabinet. This device will be equipped with a door sensor and smart lock. This is able to log who, when, where, and which gas pump was opened and (possibly) tampered with.
In order to identify if the operator is certified or not, each IoT device would also utilize an RFID (radio frequency identification) tag to authenticate the person opening the gas pump cabinet. This authentication is done on the Catapult blockchain via two steps:
Firstly, the operator that scans the pump’s RFID tag must own a non-transferable token (called a mosaic in NEM) on the Catapult blockchain. This token is a corporate or goverment-issued token, meaning this person would have to be a certified operator in order to own this token. Each of these tokens are placed under a Catapult “namespace”, which uniquely identifies the entity who issued the certification token.
Each namespace on Catapult can only be owned by one entity, which verifies the legitimacy of the certification. For example, if the sender of the certification token is “shell-usa”, you can be certain that the operator was certified by Shell USA, and thus, is allowed to operate and open the pumps.
Operator authentication using NEM Catapult mosaics
Secondly, the gas station must also enter into a one-time, timed disposable smart contract (called an Aggregate Bonded contract) that grants the operator a window of time to perform the necessary, legitimate maintenance. If both the operator and gas station owner sign this smart contract, the IoT device will make note of this on-chain. This smart contract will signify that the operator has indeed shown up and interacted with the cabinet with the gas station owner’s approval within the allotted amount of time.
One-time on-chain smart contract
Once this authentication process is complete, the IoT device logs the full interaction directly on the blockchain as a valid event between the certified operator and the gas pump. If an individual was unable to complete the above steps, the device will log this interaction as “invalid”, notifying the gas station owner and prompting for further investigation on that specific pump.
A concept mobile app that customers could use to discern whether a particular pump is trustworthy or not. On the left, a safe pump is shown. On the right, a pump may contain a skimmer.
The blockchain will keep a verifiable ledger of the events of each gas station, and subsequently, each gas station pump as well. This also makes it more difficult for anyone attempting to gain illicit access to the pumps.
Because each pump is now audited, customers can now verify the history of the pump by scanning the RFID tag, which will indicate whether the pump has been tampered with before. Crisis averted!
Utilizing blockchain and IoT will enable businesses to not only protect gas pumps from skimmers, but also other critical equipment that requires authorized and certified operators. Internet of Things is a very powerful tool that can simultaneously create conveniences for us while helping combat crime and improve quality of life.
NEM Catapult’s easy-to-use API layer makes the communication of IoT devices a breeze, and guarantees a high level of security throughout the entirety of the solution.
Bader and Bassem are the founders of IoDLT, a blockchain-powered IoT solution. For more information or business contact, please email firstname.lastname@example.org
Founded in 2018, IoDLT (Internet of Distributed Ledger Technology) utilizes two disruptive technologies - Internet of Things and blockchain - to provide seamless, secure, and scalable B2B solutions. IoDLT brings security to small and large businesses alike, without compromising user data privacy and user-to-business interactions. Their technology's application spans a wide range of industries, namely healthcare, agriculture, supply chain, and energy metering.
Alongside providing business solutions, IoDLT envisions a future run by embedded devices. Securing those devices will become imperative to the operations of any business. IoDLT deploys proprietary and affordable IoT to blockchain protocols to secure the devices of the world