Making an E-ink ESP32 Credit Card Skimmer Detecting Keychain
by MrMemory in Circuits > Microcontrollers
7986 Views, 119 Favorites, 0 Comments
Making an E-ink ESP32 Credit Card Skimmer Detecting Keychain
Skimming devices, which steal card information from ATMs, gas pumps, and other payment terminals, have become more sophisticated and harder to detect. They work by sitting between your card and the payment equipment, stealing your payment information and storing it for a criminal to retrieve later. Even in 2024, when I am writing this guide, they remain a problem despite having been reported on for years. With a portable, easy-to-use skimmer detector at your fingertips, you can quickly scan for suspicious devices before making a transaction, preventing potential fraud. In this guide we will build an ESP32 Bluetooth scanner that allows for regular use, offering peace of mind and saving you from the hassle of dealing with identity theft or unauthorized charges. Protecting your financial security has never been easier or more accessible!
Why the ESP32, and why a keychain? You may recall years ago that SparkFun launched an app for your smart phone that scanned for credit card skimmers. This clever app used the Bluetooth chipset in your phone to look for signatures of credit card skimmers that law enforcement had given them access to. However:
- Bluetooth skimmers communicate over Bluetooth Classic, not Bluetooth Low Energy. This means this app and ones like it never worked for iPhones!
- The original SparkFun app is no longer available
- The ESP32 chipset is low-power, comes in a variety of development kits with cool peripherals, and can communicate with Bluetooth Classic devices
This means we can easily develop a companion for your smart phone, regardless of if you run Android or iOS, that can sit on your keychain ready for you to use at the gas pump, ATM, or other places you swipe your cards!
One of these ESP32 development kits is the M5Stack Core Ink development kit. It has buttons, a rechargeable battery, and a slick e-ink display. This is a tiny version of the kinds of displays you've seen used for eReaders, like Amazon's Kindle. These displays are low-power, making them great for keychains and other electronics that you don't want to recharge frequently.
In this guide we will turn this development kit into a sleek credit card skimmer detector that uses Bluetooth Classic to identify nearby chips known to be used by criminals. The end result will be a device with a long battery life that you can keep on your keychain and have with you whenever you swipe your cards!
Supplies
I broke this guide into two parts- one where we build the keychain together, and a second optional part that lets you check the keychain is working by emulating a skimmer.
The following are required to make the keychain:
1x M5Stack ESP32 Core Ink Development Kit
1x Keychain (here's the one I chose)
1x Computer with an available USB port
1x Free Copy of the Arduino IDE
1x Code from my GitHub repository
The following are optional and are only if you choose to continue the guide and emulate a credit card skimmer:
1x Arduino UNO (any revision)
1x HC-05 or HC-06 Bluetooth Module
2x Male-Female Jumper Cables (quantity is for two individual wires, not sets of wires)
Setting Up Your Development Environment
Download the free Arduino IDE for your computer. Once it is installed, return to this guide.
Before opening the code for this project, which we we download shortly, you will need to add some board management URLs so that we can download dependencies for this project. If you are new to Arduino, these are packages of free software designed to run on certain kinds of hardware. We specifically need the ones for our M5Stack kit. To do this follow the below substeps. They will correspond with the screenshots above!
Step 1: Open the Arduino IDE
Launch the Arduino IDE on your computer.
Step 2: Open the Preferences Window
In the top menu, click on "File" (on Windows/Linux) or "Arduino" (on macOS). Select "Preferences" from the dropdown.
Step 3: Add the URL in the Preferences Window
In the Preferences window, look for the field labeled "Additional Boards Manager URLs". This is where you will add the URL.
Step 4: Enter the URLs
Enter these URLs and separate them with commas.
Step 5: Click OK
After entering the URLs, click OK to save the changes and close the Preferences window.
Step 6: Open the Boards Manager
From the top menu, click "Tools". Navigate to "Board" and select "Boards Manager..." from the dropdown.
Step 7: Search for M5Stack
In the Boards Manager window, use the search bar to find the board package for M5Stack.
Step 8: Install the Package
Once you've found the package click Install.
The Arduino IDE will download and install the necessary libraries and tools automatically.
Step 9: Install the M5Core-Ink library
From the top menu, click "Tools". Navigate to "Manage Libraries" and click it. A pane will open on the left. Search for m5core-ink'. Install version 1.0.0 by clicking the Install' button.
Step 10: Select the Installed Board
After installation, you can select the newly installed board by navigating to Tools > Board and choosing the M5CoreInk
The development environment is now set up!
Prepare the M5Stack Core Ink Development Kit
Unpack the development kit. You'll find that it includes a USB-C cable. We will be using this shortly! Connect the USB-C end to the development kit. There is a USB port located on the bottom of the unit.
Hold the power button on the right side of the development kit to turn it on. A green LED will illuminate from the top, as shown above.
If the device does not turn on, its battery may be dead. Simply connect the other end of the USB cable to your computer or to a USB wall charger and give the device a few minutes to charge.
Connect the Development Kit to Your Development Environment
Connect the other end of the USB cable to your computer. The Arduino IDE should still be running. If it is not, re-launch it.
You should have selected the M5CoreInk board from the boards menu in Step 1. If you have not, return to the last part of this step for details.
Once the device is connected you may see pop-up windows stating that drivers are being installed for your newly connected device. This is normal. If this is occurring, give this installation a few moments and then return.
The last thing we need to do is to choose the right serial port. As shown in the image above, go to Tools > Port and choose the port where the development kit is connected. You may have multiple options. The connected development kit will typically appear as a COM port on Windows (e.g., COM3) or as a /dev/tty or /dev/cu port on macOS and Linux (e.g., /dev/ttyUSB0 or /dev/cu.usbmodem). If you are unsure, unplug the device, check the available ports, then plug it back in and see which port appears or changes. This will be the correct serial port for your development kit! Choose it, then move on.
Believe it or not, we're almost done!
Load the Skimmer Scanner Software
In your web browser, navigate to the code repository.
This is like a website for our project, where anyone who is interested can see the project code and even propose changes to it!
We need to download the code to your computer. Click the green `Code' button in the upper right. At the bottom, click `Download ZIP'.
Find this zip in your downloads folder and unzip it.
In the Arduino IDE, which should still be open, click File > Open and select the file 'KeychainSkimmerScanner.ino' from inside your new folder. The code will now open!
Understanding the Code
Don't worry, I don't expect you to be a programmer (however if you are, you should go through the code and understand what it does!).
I wanted to point out how exactly this all works at a high level.
The ESP32 has the ability to communicate with Bluetooth Classic devices. These include your old-school Bluetooth devices like headsets, the stereo in your car, and other gadgets you remember from when Bluetooth was new. These are different from newer Bluetooth Low Energy devices, which are increasingly common. Examples of low-energy devices are Apple AirTags and other tracking tokens that need their batteries to last for a long time.
The code for this project tells the ESP32 inside your development kit to perform a Bluetooth scan when the wheel/button on the right side of the device is pressed. We then search this scan for known chips used by criminals, like this:
This tells the code to count the number of devices that advertise they are an HC-05 Bluetooth device. We also look for the HC-06.
How do we know to look for these particular devices?
These chipsets are extremely common, extremely cheap, and found in many low-cost electronics devices. Criminals will include these cheep Bluetooth chips in their skimmers so that they can sit nearby and have the data they collected transmitted to them wirelessly. This way they do not need to take the gas pump or card reader apart again to retrieve their stolen data. Most importantly, when law enforcement let SparkFun Electronics take a look at how retrieved skimmer devices worked they found these chips on the installed devices! These chips are in the wild, and can be found by the code in this project. Pretty neat, huh?
We have no way of knowing that a device is a skimmer just because it uses one of these chips, but they really shouldn't be in anything broadcasting at your local gas station or grocery store. As a result, if we see one the device will let you know. An alarm will buzz and the screen will display how many potential skimmers it sees. If it sees none, it will display the number of devices it checked out and return to sleep.
Uploading the Software to the Development Kit
Now that our development environment is set up, our development kit is connected, and the software is loaded we can finally install it onto our device. In the upper left there is an arrow button. Click it. The software will compile (the Arduino IDE is turning the human-readable code into a format the ESP32 can read) and will automatically upload it to the device over USB.
The device will emit a sharp tone when this process is complete. It may take several minutes.
Completing the Keychain
Take your device and the keychain you have selected. The device has holes in each corner. I recommend you thread the string for your keychain through one of the upper holes. Above I use the top right hole. You can thread the string all the way through or have it exit halfway depending on the length, shown above, since the device's shell comes apart in two pieces. Bring the other end of the keychain (for the above keychain it's the thicker string side) through the loop to complete the keychain. You should now be able to hold the device by the keychain loop.
Scan for Skimmers
Press the wheel button on the right side of the device in, up, or down. Regardless of which way it is pressed, the device screen will update to say that it is scanning. After ten seconds the device will display how many devices it saw, and then how many are suspected skimmers (recall these are ones using the HC chips, but also devices not broadcasting their identity at all!). If a suspected skimmer is found, the device will emit an alarm and display how many suspected skimmers are present. You should move on to a different gas pump or be wary of a payment terminal if this occurs!
After several seconds the device screen will clear and it will display that it is ready to scan again.
Your keychain is now complete! Don't forget to occasionally charge it- while the development kit was selected for being low power, and the screen won't consume energy in your pocket due to its e-ink technology, it will eventually run down the battery.
Optional - Assembling Parts for a Skimmer Emulator to Test Your Keychain
At the beginning of this guide I stated that there was an optional step you could take to check if your keychain is working. Obviously you won't have ready access to skimmers to check in your home, so we will construct an "emulator" which of course will not have any capability of collecting card information. It will only be a broadcaster with one of the same Bluetooth chips the keychain's code looks for.
Assemble your components- an Arduino Uno, two male-female jumpers, and an HC-05 or HC-06 Bluetooth module. These are shown above
Optional - Building a Skimmer Emulator to Test Your Keychain
Building our circuit is simple, we don't even need to flash the Arduino with any software. We will only be using it as an easy way to power the board the HC-05 and HC-06 modules commonly come on. Notice the pins across the bottom of the Bluetooth module. Now look at the Fritzing diagram above and identify the corresponding pins - they may have slightly different names and may be in a slightly different order. Connect the voltage pin to the Arduino voltage pin (while many of these modules can be powered by 3.6V to 6V, only connect your module to the 5V pin on the Arduino if the module can accept it or it will be damaged. Otherwise, use the 3.3V pin or consult a wiring diagram for your specific module) as shown above. Connect the ground pin to the Arduino ground pin as shown above. You can see how these are connected physically in the photo above. The other pins do not need to be connected to anything. Power on the Arduino by connecting the USB A/B cable to your computer or a USB power source. The LEDs on the Arduino and Bluetooth module will illuminate. You can check that the module is broadcasting by running a Bluetooth scan in the Bluetooth settings of your smart phone. It will be broadcasting either HC-05 or HC-06, as shown above.
You can now run a scan on your keychain. You should get an alert that a skimmer has been found!