LPRC - Episode 21 – Digital Threats ft. Dr. Nolen Scaife

Episode Date: March 21, 2019

The post Episode 21 – Digital Threats ft. Dr. Nolen Scaife appeared first on Loss Prevention Research Council....

Transcript
Starting point is 00:00:00 Hi, everyone. Welcome to Crime Science. In this podcast, we aim to explore the science of crime and the practical application of the science for loss prevention and asset protection practitioners, as well as other professionals. Co-host Dr. Reid Hayes of the Loss Prevention Research Council and Tom Meehan of ControlTech discuss a wide range of topics with industry experts, thought leaders, solution providers, and many more. In this episode, Dr. Nolen Scaife, security researcher, co-founder, and officer of University of Florida's first two security startups, CryptoDrop and Skim Reaper, discusses common digital threats and the fundamental weaknesses in systems and networks. We would like to thank Bosch for making this episode possible. Protect high-risk items using Bosch IP cameras with built-in video analytics. Send a video snapshot to a manager when a person loiters at a display or trigger an audio message to play through a loudspeaker when an item is touched while getting situational awareness using video verification solutions. Alert potential offenders that are being watched and improve customer service for legitimate shoppers, all with video analytics. Learn more about product protection in zones one and two of the LPRC zones of influence or by visiting Bosch online at boschsecurity.com.
Starting point is 00:01:03 All right. Well, welcome everybody back to another episode of LPRC's Crime Science, brought to you here from Gainesville, Florida, home of the University of Florida. And I'm joined today by my co-host, Tom Meehan, who's the Chief Strategy Officer for Control Tech and a longtime asset protection and loss prevention practitioner. And between the two of us, we'd like to delve into topics that hopefully help out practitioners out there primarily, whether it's an LPAP or law enforcement practitioner, but also academics, students and faculty alike. Because what we're always trying to do, of course, is apply theory and method,
Starting point is 00:01:44 somewhat rigorous applications to very relevant topics. We're trying to basically solve real-world problems, but use a little more discipline around that. So today what we're going to do is we've talked to a lot of behavioral or social scientists like ourselves, practitioners. Today we're going to be joined by Nolen Scaife. Dr. Scaife is, in effect, a computer science and information science engineer. And so it's a different perspective. We've worked with Nolen for two, three, four years now, off and on, or
Starting point is 00:02:23 he's worked with us to help us figure out what in the world he's doing, but he's always taken a practical approach. I'm going to kind of go into the background. So welcome here, Nolen, Dr. Scaife, if you will, and I would like to ask you, you know, first, what was your background before you went to grad school at the University of Florida? Yeah, so I spent a number of years in industry. My career started at a telecom, Alltel, which is now part of Verizon and AT&T and so forth. And then I spent a number of years working at Walmart in their security organization. Right. Excellent. And did some of that, or how did that lead to you deciding, you know what, I'm going to pursue higher learning,
Starting point is 00:03:10 higher degrees to become X? How did that kind of play a role? Yeah, you know, when I was going through my undergrad and master's degrees, I really wanted to get to the fundamentals of some of these problems and how we can, you know, build better detection systems for some problems that are out there in the real world. And that takes some time and space to really think about those problems. And so that's ultimately what drew me here. All right. Interesting. And how did the University of Florida come into play? I mean,
Starting point is 00:03:40 you're originally from Arkansas. That's where you were anyway. And how did one lead to the other? Yeah, so a few years ago, as part of the UF Rising program, the state of Florida put some big dollars into building a security organization here at the University of Florida. And as part of that investment, they brought a lot of really great faculty here from other institutions and ultimately the quality of faculty was what brought me specifically to UF. And you've used the term security. What part of security, of course I know, but what part of security have you been mostly engaged in and
Starting point is 00:04:21 going forward? Yeah, so I, you might call this computer security or cybersecurity. It's got a lot of different names, but specifically we're interested in the security properties of applications of computer science. Perfect. Okay. There you go. So I was going to say, could you maybe describe, you talked about there was some serious money that came over from the state of Florida under the RISE program and UF RISE and Going Greater, Go Greater. But what did that look like? They brought in some outstanding faculty. How have they, what have they set up with those funds to date?
Starting point is 00:04:55 And what does that look like? You know, because you've got this unique insider view into that. Yeah. So, you know, as part of that program, like I said, they brought a ton of faculty from other universities, and they put us all in one place. They call it the Florida Institute for Cybersecurity Research, and it's quite a few faculty. I would guess it's nearly or over 20 now, and quite a few students now, and we're all under one roof trying to solve these tough problems. Interesting.
Starting point is 00:05:29 And so we were introduced to the team FICS, you know, Florida Institute for Cybersecurity Research, a few years ago. And, you know, Professor Traynor. And I'm trying to think we had two others come over here and work with us and meet with us initially and we had folks from Target came in and they were particularly interested in understanding what all is going on here but who are some of the outstanding faculty real quickly over there now in FICS or in the in the program? Yeah so there's Patrick Traynor he's my PhD advisor and a close confidant we've worked on on some of these problems together for a while. There's also Kevin Butler who works on these kinds of problems, especially in finance.
Starting point is 00:06:13 There's Tom Shrimpton. He does cryptography and practical applications thereof and so many others. Yeah, so many others now. And one other thing I got to go to, I wanted to bring up, was I've been invited to an annual event that your team over there puts on, both for academia and for the industry.
Starting point is 00:06:38 What's that called and look like? Yeah, so that's the annual FICS conference. And what they do is they try to bring in folks from industry. They try to bring in academics. Of course, you can see what projects are going on in the labs with student presentations. But what they're really trying to do is get both industry and academics in one place so that we can identify the future problems and possible solutions. Yeah. There you go. Okay. Excellent. What I'd like to do, Tom, let me go over to you. What are some initial questions or comments you've got for Nolen?
Starting point is 00:07:16 Yeah. Thanks, Reid. And thanks, Nolen, for coming on. Our podcast has a varying listening audience from folks from academia, law enforcement, both local and federal, and then a predominant or retail asset protection piece. And I know that we often get questions on how we find guests. Obviously, you're with the university. What can your team do to really help retailers and retail chains be better enabled in how they can prevent some of these cybersecurity instances while keeping in mind that there needs to be a balance between prevention and customer service? Yeah. So, you know, one of the things that we've been doing here at UF, and it's a methodology that I've adopted and continues to inform what we're doing, and that's one of constraints. You know, a lot of academic research doesn't make it to industry because it's not developed in such a way that makes sense.
Starting point is 00:08:16 It's not ready for prime time, as it were. You know, we kind of stand up these test beds. We test our solutions for these problems and then, you know, maybe get a publication or two out of it, which is great, and that's what we need in the sciences. But it doesn't necessarily mean that there's this intangible thing or this adoptable set of methodologies or information that you can just go pick up. And so what we're trying to do is develop these solutions with some constraints. And those constraints hopefully are the differentiator for our research and it being actually able to be deployed in the real world. or something where you would feel like would be a great example of where you were able to help a retailer or a retail chain or come up with a solution that has been adopted that was actually scalable or something that is tangible for them? Yeah, thanks.
Starting point is 00:09:16 So in the last few years, we've been looking at the problem of card skimming and in particular, you know, how we can better detect, how we can better detect card skimmers. And so, you know, today for a lot of retailers, for a lot of law enforcement agencies, this is a really manual process. And having been out with law enforcement looking for skimmers, I can tell you, you know, it takes a really keen, trained eye in many cases to detect these. But we actually met the NYPD at the IMPACT conference a couple of years ago, and they have been fantastic partners with helping us get access to skimmer technology, helping us to refine the ideas that we had for detecting skimmers. And what this really amounted to was we developed this device.
Starting point is 00:10:11 It's called the Skim Reaper. And it's a credit card-shaped device that you can swipe or dip onto a payment terminal. And essentially it counts the number of readers that are present. So in most cases, when a criminal or somebody has come into your organization and they put one of these skimming devices that's designed to steal your customer's card data onto or inside of the card acceptor, this will actually tell you if an abnormal number of devices is trying to read the card, as it were. And so what this really allows law enforcement and retailers to do is multiply the productivity.
Starting point is 00:11:05 time for a small number of highly trained employees to go, or law enforcement agents, to go out and check for skimmers, this can be done in just a few seconds and it will give you a definitive result. And so what we're trying to do right now, this is actually a startup from our research. We're actually trying to get these manufactured as fast as we can because there's been so much interest in this device and in solving this problem. I had a quick question if I could, Nolen. Maybe without going into too much detail, but what's it kind of look like in problem solving? So we all know skimmers are an issue both inside the store in those card reading machines and then, of course, at fuel pumps outside the store in the parking lot, if you will. But how do you guys look at this as engineers? into steps or stages that an offender or a group would have to go through to consider them to consider a successful theft, fraud, or violence event.
Starting point is 00:12:12 And then we're going to do things about those steps. But you all being more engineering and computer science scholars and scientists, how do you look at the problem and then how does that drive what you do from an R&D standpoint? Right. So, you know, the biggest challenge for us when we got started was getting our hands on skimmers. And I know a lot of law enforcement agencies, I know a lot of retailers that are probably listening to this podcast right now have a box full of skimmers. But as academics, it's hard for us to get our hands on those. and so the partnerships that we've made with law enforcement agencies here in the state of Florida and New York have really helped us you know be able to you know what we call characterize or tear
Starting point is 00:12:53 down you know the skimmers into into their constituent components and so what we did after that and and and the way that we the way that we attacked this problem is to try to identify what is actually fundamental to the problem. Skimmers come in all different shapes and sizes and capabilities. Some of them have cameras built into them. Some of them don't. But in the vast majority of cases, especially in ATM and point-of-sale skimmers, the most common way to attack these devices is to actually add a completely independent system for reading the card. So, you know, when you go into a store and you swipe your credit card and you're going to pay for your groceries, this device is reading your card and the point of sale terminal is reading your card. And so once we had, you know, kind of taken, once we had kind of looked at what was fundamental to reading a card, you know, what does this kind of device have to do, then it was not too far off from us building a detection system
Starting point is 00:14:06 for being able to detect when that was happening. Okay. So your term then, term of art, is characterize. Yeah. So you're going to break this thing down, whatever it is. What are some components of skimmers? I mean, what are some of the components for them to get the information from you to them? Yeah, so we have seen a number of different styles of skimmer, but this most common kind,
Starting point is 00:14:35 you can imagine it has a magnetic read head. You've probably all seen those little the little metal silver part of a card reader they always have some sort of mechanism for pushing the card onto the head so maybe that's a spring or a wedge or something that that that kind of forces there to be some pressure there and then they'll have other components that are kind of critical to being an electronic system so there'll be a battery of some kind to power it. There'll be some kind of storage. In some cases, they may have Bluetooth so that the criminal can just come back and get the card data. Actually, we've seen them with, they'll have cellular modules
Starting point is 00:15:20 and a SIM card in there, so it'll just text the card data to the criminal. And then we'll see, you know, some that have capabilities like cameras. So for example, especially in ATMs, the card data is far more valuable to the criminal if they have the PIN in order to get cash out of an ATM. So they'll use things like cameras, they'll use things like cameras. They'll use things like PIN pad overlays that actually sit on top of the PIN pad so that when the customer is pressing in their PIN, it actually presses through this device and captures the PIN. But ultimately, they use incredibly small components. I mean, you can imagine that these devices have to be small enough to not draw suspicion.
Starting point is 00:16:09 You know, they're going to look, they feel like the real payment terminal, what the consumer expects to be there. And so they're very, very small in most cases. Okay. So working with law enforcement a little bit, and I know you were working here locally in Alachua County Sheriff's Office, Gainesville Police Department. And then as you all participated at the LPRC Impact two years ago, you met the people that are over the, I guess it was the felony division, NYPD's felony division. Yeah, the Financial Crimes Task Force, yeah. And those task force resides in that division. But what are some of the things you've learned from law enforcement about that behavior?
Starting point is 00:16:53 And from their standpoint, the way they look at the skimmer issue versus, say, what you're doing, and does that help? The more you know not just about the digital or electronic components, but about how they're used and so on. Does that help or not? Or how does it help? No, it definitely does help. And in some of those cases,
Starting point is 00:17:14 it's really driven the design decisions that we've made. So, you know, for example, on ATMs, for example, I mentioned that these have batteries on them. Well, those batteries, they go dead. And so in a lot of cases, or in all the cases, actually, the criminals have to come back and get them. And so being able to produce something that can kind of quickly detect when a skimmer is present lets them actually put a patrol officer or something or someone else to watch that skimmer so that when the criminal comes back to get it, they can actually arrest them on the spot. Okay. Interesting. What is, have you seen any other interesting approaches? You all look at the components and you and in this case, you decided, look, if I detect more than one thing is scanning or reading this card right now, we may have a problem.
Starting point is 00:18:17 I'm going to light this thing up. I'm going to let the user know, the Skim Reaper user know. Have you heard any other approaches that people looked at technologically that are out there and open? Yeah, so that's a great question. So, you know, some of the common advice that you would get for protecting yourself against skimmers will say things like, you know, pull on the card reader. Of course, we know from working with the NYPD that they use really strong uh double-sided adhesives to stick those on or in some cases they actually fit you know so closely on there you could say it may be a clips onto the onto the payment terminal and so um you know that's kind of a non-technical detection measure um they're also uh you may have heard of these apps that you can get for smartphones. They say, oh, go to a gas station, and you're going to run this app, and it's going to detect Bluetooth skimmers.
Starting point is 00:19:16 So some skimmers that are present in gas pumps, for example, they have Bluetooth. And you can imagine that that's because it's less risky for the criminal if they only have to open the pump once. And so they'll drive up. They can just drive back through the gas station, use their phone, and pick up the card data. But we actually did a teardown of every one of these apps that's available for both iOS and Android phones. Describe a teardown, if you could. Yeah, so we take these apps, and we do what's called decompile them, essentially.
Starting point is 00:19:51 It turns this app that you download back into code that we can look through. And so one of the things that you can find from that code is the mechanism that it uses to detect skimmers. So I give you this marketing description, and it says, here's an app that can detect skimmers. And so as a computer scientist, I want to know, OK, well, how does this detect skimmers? And so that's what the teardown does. It lets us find those mechanisms that they're using to detect skimmers. So we looked at these, and we found kind of across the board that these apps use really brittle ways of detecting.
Starting point is 00:20:42 Yeah, Reid's showing me one of these apps right now on his phone. They use really brittle mechanisms to do it. So, you know, it might be something as simple as, okay, I'm going to scan for Bluetooth devices. And if I have something that matches this name, and I connect to it with this PIN, and I talk to it in this way and it responds in this other way, then it's definitively a skimmer. Of course, we know that that's brittle. It only takes five to 10 seconds to change it so that it won't detect that. But on the worst side, we actually found apps that don't detect skimmers. All they do is they'll show you an ad and then list, you know, give you a list of devices that are in range, any device that's in range, and then tell you no skimmers are found.
Starting point is 00:21:34 So there's this problem here where as a consumer you really can't measure the effectiveness of these. But I guess more importantly, as far as skimmers go, not all skimmers use Bluetooth. So, you know, you could, I mean, it's not unreasonable to think that there's a false sense of security that's given to the users of these apps because we know some skimmers use Bluetooth. Some use cellular, as I mentioned before, some of them have to be retrieved. And so there's no kind of universal method for,
Starting point is 00:22:13 for detecting those kinds of skimmers that way. Well, I guess it's like police radar detectors. But if the police are doing speed control and they're not using radar, they're using, you know, LIDAR or another technology, then same thing. It actually might work, but it's not going to work in this case, in this situation, because that's not what they're using. So, okay, that's interesting. Because that was part of my, the intent of the question. What, you know, what else is going on? What are people trying out there? And like you say, some of these things are hardwired in. Some of them are battery. Some, you've got to open it and access it with whatever, some kind of card or whatever. And then others, Bluetooth, others cellular or whatever it might be. Yeah. Okay. And so many of the LPRC members, the 70 retail organizations and all their chains that they have, have a lot of skimmer issues, whether it's in-store readers or, of course, their fuel station.
Starting point is 00:23:15 You know, the fuel pump readers, the skimmers that are out there. So of great interest how to do this. Can you tell me, Nolen, I know in addition to the really neat stuff that you guys are doing, continue to do with skimmers and that detection and abatement there, what are you, what else are you working on that would be of interest in this case to a retail restaurant community that are out there in the law enforcement that are supporting them? Some of the other fraud issues that you guys are working on? Yeah. So to kind of get started on this, answering this question, we, so there's lots of different other kinds of skimmers that,
Starting point is 00:23:52 you know, criminals are moving the bar constantly. And so while the Skim Reaper that I mentioned detects accurately, you know, these types of magnetic stripe skimmers, there are now skimmers that can skim information when you use your phone to pay, or there are skimmers that can take your information when you use your chip to pay. And so there's all these new different kinds of skimmers that are out there, and we're trying really hard to find new ways to detect those. But outside of the detection of skimmers, we're also really interested in detecting what criminals do with those cards.
Starting point is 00:24:39 So in a lot of cases, you can imagine that they get this data and then they, this card data, you know, the account information, and they put it onto counterfeit cards and then they take those into a store. Or, you know, they'll go into a store, for example, and try to read the gift cards that are on the racks and then wait until there's a balance on them and then, you know, write that information to a blank counterfeit card and then take it into a store and use it. And how might they know a balance has been put on these cards that are right now, they're inert, I mean? Right. Yeah, yeah. So you can imagine the attack works something like this. So, you know, they go in, there are their gift cards that are on a rack, they swipe the gift card with a small handheld
Starting point is 00:25:29 magnetic stripe reader. In some cases gift cards don't have, the PIN is not obscured on the back so they might write down the PIN or if they are obscured, you know, it's not hard to put another sticker over the top of the over the top of the PIN to make it look like it hasn't been tampered with and then they, you know, take the information, you know, home and they check the balance on it. So, you know, you check the balance, it's not activated. You check the balance, it's not activated. You check it the third time and all of a sudden it's got $50 on it. And then you put that information onto a counterfeit card and then take it back into the store. Okay.
Starting point is 00:26:10 And there's obviously it's time sensitive, so they've got to have their crew set up so that, all right, got to balance on this card. We've got to quickly do X or Y before the legitimate customer uses it and so on, I guess, right? So that's where the behavioral part comes in. There's always that human interface. So maybe there's a vulnerability there, an opportunity for us to do something. Right. So some of the things that we have done is build a system for detecting these illegitimate cards.
Starting point is 00:26:40 And it turns out you can imagine that when a retailer that's listening to the podcast or a bank, they make gift cards, they're made at these manufacturing facilities that have really high-end mechanisms for creating these cards. You know, they load a bunch of blank cards into a hopper and they go down this assembly line, you know, at a relatively consistent speed, as opposed to what we find that criminals most often do is they use these inexpensive, you know, $100 or so card encoders, you know, something that you can put in your car, something that you can, you know, they're very small, they're handheld, almost. And and and so these these encoders actually have really low quality encoding mechanisms inside there when I say encoding I mean you know the
Starting point is 00:27:33 ability to write the data to a magnetic stripe. Yeah, and so we worked, we worked actually with Walmart on this, who provided us a number of blank gift and stored value cards for our experiments. And we found that with incredibly high accuracy, we can determine at the point of sale, for example, whether or not a card appears to be manufactured in a legitimate facility. And so, you know, you could imagine using something like that as another indicator for, you know, hey, maybe we should, you know, visually inspect this card before we accept it. Okay, good. And one question I had was, you know, as a behavioral scientist, I look for signatures, you know, unique digital or bio signatures,
Starting point is 00:28:25 what a person looks like, their face, their ears, their hands, the way they walk, you know, things like that. And then, of course, there are digital signatures from their wearables, as you know, of course, and their phones and other portable devices, their vehicles and all these things. Are there other signatures or unique fingerprints? We know that ATF and FBI can reverse and look at forensics and understand where this explosive device maybe came from. Who made this? There's telltale signs like safe crackers and the MO, the method of operation. Do those things exist in the digital world as well with some of the things we're talking about? Is that something that could be developed in the future?
Starting point is 00:29:08 I don't know. Yeah, almost certainly. So, you know, we don't, for example, the work that I was just telling you about, about detecting counterfeit magnetic stripes, we can, today we're able to distinguish, you know, legitimate from not legitimate. But, you know, with time, it could be possible to be able to say, well, we think that this was encoded by, you know, brand X encoder, which, you know, is a substantial narrowing of the possible space. Okay, so going beyond binary, legit, not legit, not legit. Okay, now, boom, let's go to the next level. Either we add that to the database or, hey, we may get a hit or it's telling us something.
Starting point is 00:29:52 Right, exactly. Giving you some more clues. Right, exactly. And for us, you know, as academics, to be able to work on those problems, we need partnerships with card manufacturers, with retailers, with law enforcement to help us get those data points so that we can build those systems that can do those things. Yeah, that's excellent. I know our members now, the 70 chains and the 76 now, I think technology companies, and then we've got some of the manufacturers, the P&Gs and Bacardi's and Cody's, Duracell's and so forth of the world,
Starting point is 00:30:19 but they want to add a few more. They'd like the transport guys, the UPS, FedEx, you know, U.S. Postal Service, but the other one are the card guys. They would love to get Discover and Mastercard, Visa, American Express, and so on, come into this community to work together collaboratively with all the solution partners, including UF and other academic institutions. And then the other, the scientists that we've got here on the behavioral side. And so I love that idea. And that's something that we'd love to that capability in here and work on those things. It's in everybody's best interest to do that. And a big theme that we've got right now is trust, that a shopper, she needs to trust that she will be safe and secure, that you're going to be in
Starting point is 00:31:02 stock for and when she gets there to that shelf or that website, you're in stock. She needs to trust though, also, while she makes that transaction in your store or online, that her data are not going to be, her personal information and so on are not going to be compromised. And I think it's that sort of total mutual trust, you know, by everybody that we're all working toward. I agree. I agree. And I think, you know, by everybody that we're all working toward. I agree. I agree. And I think, you know, there's a lot of interesting open problems in the payment security space like what we've been talking about.
Starting point is 00:31:32 And so, you know, fundamentally what we want to do is we want to help build that trust. We want to, you know, build systems that are robust against these kinds of attacks. One of our research scientists, I believe you know Stephanie Lin, she just came back from a trip to China. And Walmart China were amazing. They hosted her and showed her around. But, of course, she reported back, as you well know and many of our listeners, that nobody carried cash, nobody carried credit cards that she came across.
Starting point is 00:32:05 Pretty much all proximate, close in readers of some description. So can you kind of address some of those types of transactions, current or potential vulnerabilities and things that we might look at to jointly research on that? Yeah, there's a lot of interest in developing new electronic payment systems. We have this really rich history here in the U.S. of payments going from cash to checks to credit and debit cards and now smartphones and apps and so forth. But as you mentioned, a lot of other economies
Starting point is 00:32:47 are going essentially directly from cash to smartphone apps. And so we did a study a number of years ago of these so-called mobile money apps, person-to-person payment apps, and found that there were lots of different problems with these apps that could put customers at risk, that put their money at risk. And so once we, you know, one of the nice things about these types of apps is that you can stand them up quickly.
Starting point is 00:33:19 But that also means that, you know, in being able to quickly adapt to the needs of your customers, that there may actually be some security problems in doing so. And so one of the things that we're really interested in is this space of digital payments, whether that's apps or smartphones or any other type of newer electronic payment system, and to make sure that customers can trust those. Because you can imagine that, you know, putting your money into one of these apps and then finding out at some point in the future that your money is now gone would be, you know, highly problematic.
Starting point is 00:34:03 And so those are the kinds of problems that we're looking at. Okay. There's a lot of talk and has been on near-field communications and things like that, but we know what's near to maybe me as a layman in this area. What about to you all? I mean, what are intercept ranges roughly, right? Yeah. I mean, you hear people
Starting point is 00:34:25 with Pringles cans in the parking lot trying to listen in to the transactions. What's that look like from where, from your perspective? Yeah, so increasingly electronic payments are being, are becoming more robust against copying. You know that one of the problems with magnetic, of course, is that you can simply copy it. That's what we're talking about. And that's getting more and more difficult over time. So what criminals are starting to do is instead of trying to copy the information that's on your phone, is relay it. And so you can imagine what they do now instead of putting a skimmer on top of where you tap your phone,
Starting point is 00:35:10 the NFC terminal, and trying to acquire some data that you can copy and make a clone of your phone, what they'll actually do is make it to where when you tap your phone on there, your phone, you think you're talking to, say, this gas pump, right? But really what your phone is talking to is a terminal somewhere else. And so you tap your phone, and now all of a sudden you've paid for someone else's transaction somewhere else.
Starting point is 00:35:39 And the relaying can be done over quite a long distance. Okay. So some sort of gate is opened and then, wow, okay. Yeah. So in effect, what the criminals are doing is they're just moving the problem to another point of the transaction. Okay. Always interesting.
Starting point is 00:36:04 So what are some other digital threats that you all are thinking about or seeing that a business might be up against and that law enforcement should start to know more about that we haven't talked the problem of ransomware. And I'm sure a lot of your, I'm sure a lot of your listeners have heard of ransomware, but for those of you who haven't, it's this malicious software that tries to extort you to get you to, or to get your files back or control of your systems back. And so we, we spent quite a while looking at a lot of different ransomware samples to try to figure out, you know, what is, again, what is fundamental to this problem? I mean, you could imagine that, you know, these things have lots of capabilities. You know, they might try to talk out to the internet or they might, you know, show you a certain kind of ransom message on your system. But really, it's not, it turns out that those things are not really fundamental to that problem.
Starting point is 00:37:13 And so, you know, all it really has to do is, you know, take these files that you might have on your corporate workstations, on your law enforcement records. And then it's going to do some kind of transformation to those. Your files, your vacation photos, or your store records are going to go in on one side, and what comes out on the other side is some unrecognizable garbage. Encrypted, if you will. Yeah. Something like that. Exactly, yeah. Okay.
Starting point is 00:37:46 And so what we tried to do was, rather than say, you know, of all of these, you know, programs, all of this software that you have on your machine, let's decide what is good and bad, which is a very hard problem to solve, um, we started to look at the transformation that happens to files to try and better detect when the files are essentially being turned into garbage and intercede and stop it from happening. So those are other kinds of problems that we're working on. So not just in the payment space, but more broadly in consumer and business protection, how can we stop these kinds of attacks from happening?
Starting point is 00:38:32 All right, excellent. I mean, it's so much of what we've touched on in the time we've got has been amazing because, again, if we go back to this trust issue, the consumer, the retailer, restaurateur, whatever, the law enforcement community, everybody's together, working together. And these problems are creating breakdowns and trust on top of huge, huge losses for everybody. But that's resulting in avoidance behavior. People aren't going certain places or doing certain things that, you know, it's like terrorism. You're, you know, terrorism where you are genuinely afraid, so you avoid an action or a place and so
Starting point is 00:39:11 forth that you really should be able to go and do. And so we really appreciate that. So I would say, you know, Nolan, I really want to appreciate you coming here today and talking to us. We've really, really enjoyed working with you here at UF. And for our listeners that don't know, Nolan is graduating, graduated. He's now, that's why I say Dr. Nolan Scaife, and is conducting his interviews and so on. So wherever you end up, Nolan, you know, of course, we really, really want to stay in touch. And more importantly for us, selfishly, we'd like to continue to work with you in any way that makes sense for you to do that. And so I appreciate you coming here today.
Starting point is 00:39:52 Well, I appreciate that. And working with the LPRC has been really fantastic. would have been totally different or total non-starters without the help of your members and the Impact Conference and all the great things that you do. This is a space that we really love working in because we get to see, you know, as computer scientists, we get to develop these things and help solve real problems. And so, you know, I want to continue to do that. I know you guys want to continue to do that. And so I will continue to work together, I know.
Starting point is 00:40:28 Okay, fantastic. Following the recording of this episode, Tom Meehan and Dr. Nolan Scaife were able to discuss additional questions separately. Hello, everybody. Tom Meehan here had a network issue. So it's part two of the episode with Nolan Scaife from the University of Florida and going to have some follow-up conversation here. Thank you again for joining us, Nolan. Yeah, thanks for having me. So I wanted to just have some follow-up questions really specific to the Skim Reaper and really how would someone go about getting it?
Starting point is 00:41:01 So if you had a law enforcement agency or a retail security department that is looking to get one of these devices in hand, how would they do it? Yeah. So after the academic paper came out, we had a number of folks that reached out to us directly. Our email addresses are on the paper. And so some folks found it that way. Some folks found it through press releases that had gone out from the university, etc. But now we've launched a website. So you can go to skimreaper.com and you can sign up to get more information or contact us if you want to participate in our pilot program. Okay, great. And then, so as far as your pilot program, are there any pilots or any success stories that you could talk about today, places where it has been implemented successfully or success stories?
Starting point is 00:41:57 So the devices that are out in the field today are our research prototypes. So these were devices that we had made by hand. They take several hours to make just one of them. They have 3D printed cases and so forth. The pilot program is going to be for the first batch of our manufactured units. So we don't have any of these out in the field yet. We're still going through the prototyping and testing. It turns out when you make these kinds of hardware devices, they need various levels of regulatory approval to be able to be sold in certain markets. So we're going through that right now. And the pilot program is really for organizations that want to be early adopters of this technology.
Starting point is 00:42:44 They're going to get the first batches of our production run. If a retailer today wanted to learn more, is the website the best place? Should they email you directly? What's the best place for a retailer specifically to get information? So the best way to get information on the Skim Reaper is from our website. There are two ways to sign up. You can sign up for the newsletter if you're just generally interested and want to know when we're going to start taking orders. You can sign up for that and we'll keep you in the loop. If you want to
Starting point is 00:43:15 participate in the pilot program, there's a little bit of a longer form and that goes directly to us and we'll get you added to the program. In the event that a retailer or a law enforcement person starts a pilot with you, what are some of the use cases that you're looking at? So what's a real-life use case if someone was to use this? How would they actually deploy it? What are some of the recommendations that you're making or your team is making? So one of the advantages that we see with a skim reaper, and we've talked to a number of banks and retailers and law enforcement agencies,
Starting point is 00:43:52 is that the skim reaper allows them to put testing for skimmers in the hands of someone who's not an expert of looking for skimmers, for example. So in the case of the New York Police Department, they can take these skim reapers and they can give them to, say, patrol officers who can cover a wider area and check more frequently than the small number of highly trained folks in the Financial Crimes Task Force. And that's how we see this being deployed at retailers and banks as well. You don't necessarily need to go through extensive training to understand what to look for, how to check for a skimmer. You can simply swipe or dip the Skim Reaper into the payment terminal and get an accurate result. And not to give up your secret sauce of how the device works, but does it look at the chip at all, or is it just focused on the mag stripe? From a high-level standpoint, is there anything you could share
Starting point is 00:44:57 about the technical side of how it actually works? Yeah, so fundamentally what the Skim Reaper does is it counts the number of read heads that are present on the card acceptor. So, you know, you can imagine that you go to your bank's ATM and you put in your card and there is a magnetic stripe read head that's present in that slot. But for what we call overlay or deep insert skimmers, these are kind of fully independent devices that go on or in the card slot. They add, overwhelmingly, this attack adds an additional read head. So when you put your card in, the ATM is reading it, plus the skimmer device is reading it. And so what the Skim Reaper detects fundamentally is multiple read heads present in the slot. Very cool. And switching gears a little bit, what other research are you involved in related to retail crimes?
Starting point is 00:45:59 What can you tell me about trends related to returns or refund fraud? Is that something that you're working on with your group? This is something that we're really interested in. So, you know, outside of the kind of payment space that the Skim Reaper and the technology that we have for detecting counterfeit cards exist in, we're also really interested in other types of fraud that affects retailers. But in order to really make progress on these problems, we need retail partners to help with us. So one of the challenges that we have as academics is not being able to get a hold of large data sets for building systems that can detect this kind of fraud. So I think that's kind of a typical thing we always deal with.
Starting point is 00:46:50 And I do think that's where the Loss Prevention Research Council has some benefit, where we do get some reasonable sample sizes and some folks participating. There's obviously a privacy concern out there, but it's always very interesting to hear what in academia is going on. I think sometimes if you're sitting on the other side of the fence, I spent over 20 years in retail and always struggled with, is anybody else concerned with this? Because when you speak of refund fraud or return fraud or credit fraud, in some cases, it becomes a victimless crime because it's very hard for people to understand who's actually being hurt. So I think that's a big one. So from our perspective, Tom, contact us.
Starting point is 00:47:41 Tell us the kinds of problems that you have, and let's set up a meeting and talk. Because, you know, I know in the case of, you know, privacy concerns and confidential data, you know, I have my own personal privacy and confidentiality concerns. to help understand what data we need to be able to work on the problem versus what data could be potentially removed from the data set or obfuscated or changed in a way where we can still build solutions that work, but without necessarily having to give over a lot of sensitive data. Great. I know that the listening audience is going to take note to that, and I wouldn't be surprised if someone reaches out based on that. When you talk about credit fraud overall, and this is a loaded question, I'm aware of that. So when you think of some of the changes we made in the United States with going to EMV or chip and PIN, chip and signature rather. What are your thoughts on that? What have, what, if any research have you done related to that? And where do you see that, you know, going in the near future and then maybe more in the distant future?
Starting point is 00:48:56 Well, there's a lot of great research from the academic research from the mid 2000s on the problems with EMV, the chip and PIN or chip and signature protocol that's out there. But what we're seeing today are not necessarily, you know, the attacks that we see here are not necessarily related to the technology per se. But in the case of, let's take, for example, gas pumps in the U.S. You know, I've never used my chip at a gas station in the U.S., but I'm sure a lot of your listeners haven't, too. And overwhelmingly, that's because of the cost of changing out the terminals. And so EMV represents this huge cost increase, not only for the merchants themselves, but also for the banks. You know, these cards cost on the order of dollars to produce versus magnetic stripes.
Starting point is 00:49:49 The terminals have to be replaced and so forth. It's a very expensive deployment cost for this technology. And so, you know, we're starting to see, you know, I wouldn't say a move away from it, but we're adding additional options for paying. You know, I know a lot of merchants, including some of those that are listening, have rolled out their own QR code based payment and wallet mechanisms. We have smartphone payments that are coming around as well. And each of these represents in some sense, a lower cost of deployment than strictly moving to chips.
Starting point is 00:50:28 So I appreciate that. I know that's a loaded question. There's a lot of pieces to it, but I think your answer adds value. And I'm sure we'll want to have you back on the podcast to talk about some of the things that you're hearing with the contactless payment and some of the smartphone movements. I travel internationally quite a bit. So what you see in Asia and Europe are starkly different than here. It's actually there are some places in Asia that I go to that you can't pay with anything but your smartphone. They don't even have an option anymore. So it's definitely different. Yeah. And there are a lot of challenges that come along with smartphone payments too. I mean,
Starting point is 00:51:12 one seemingly obvious one, but one we don't talk about a lot is this problem of identity. You know, for a lot of us, especially your listeners, we tend to think of this is my smartphone and my smartphone is a one-to-one relationship with me. But it's not hard to imagine families that have fewer cell phone devices or no cell phone devices for a family of more than one person, a family of two or three that shares a single device. And so, you know, some of the problems that we see in payments are, you know, how do we, you know, how do we link identity to this digital payment mechanism where it's not necessarily one-to-one? Yeah, definitely. I think that that's definitely going to be the challenge. And to your point, I think the assumption is it's my phone, but even more often is what role does biometrics play? And I think the future is full of a whole bunch of interesting payment things that are coming and constantly the analogy out there that cash is dead, which I don't believe based on everything
Starting point is 00:52:25 I'm seeing, but I'm curious what the next wave is. And that's what we're working towards. Fundamentally, that's where we want to get is what should the next generation of payment systems look like? If we look at the history of payments so far, they've been getting progressively more expensive. You know, I mentioned before that, you know, chips and EMV are expensive to deploy. But in some sense, it's also expensive to deploy, you know, NFC and smartphone payments. I mean, rather than taking a two cent credit card to the merchant, now we're taking an $800 phone. And so this is likely to lead to classes of security. And we don't want the most secure payment mechanisms to only be accessible to
Starting point is 00:53:14 those that can afford them. Yeah, that's a great point. And I think it's a point that's left on deaf ears often. So I only really have one other question. And so for the greater listening audience, as we said, when we started this podcast, that we have a huge audience of retail professionals, law enforcement, security professionals, and just folks perusing the podcast scene. If you had one piece of advice for someone to identify skimming out in the wild, what would it be? Well, that's a great question. So, Tom, you mean for identifying skimmers? Yeah, so really for a consumer base.
Starting point is 00:53:54 So you mentioned gas stations, and I think that's primarily what you see in the news is this gas station at a skimmer. So if there was something the average person when they're out shopping, pumping gas, going to ATM could look for, what would your recommendation be to try to protect themselves, you know, based on all your research that you've done? So overwhelmingly, our research has shown that all of the things that are available to consumers for finding skimmers fail in practice. You know, you might say, well, I go to the gas pump and I pull on the card reader. Well, you know, the vast majority of gas pump skimmers are actually inside the unit,
Starting point is 00:54:42 but also we know that the attackers, the criminals that are out there, are making these to where they stick on better, they clip on so that they're hard to remove. And it's not really clear, you know, how hard you should have to pull on it to get, you know, a skimmer to come off. But, you know, we've also deployed these tamper evidence seals. I'm sure you've been to a gas station, Tom, that has a seal to show you, you know, if it's been opened. But we did this great work with the Florida Department of Agriculture that's going to be published here in a couple of months that shows that in the vast majority of cases where a skimmer is found in the unit, it's actually found with an intact, correctly placed seal. So attackers and criminals are out there replacing the seals. And so my advice really to the consumers that want to, you know, best protect themselves from skimmers, it's going to be avoid using a debit card wherever possible. Use a credit
Starting point is 00:55:38 card if you can. These tend to have stronger consumer protections in place for getting your money back in the case of a skimmed card. And especially, you're not using your own cash immediately. So it's not hard to imagine that if you use a debit card at a gas pump or in a retail location and it happens to get skimmed, what they're going to do with that is try to withdraw cash. They're going to, even the purchases they make with it with a debit card, effectively come out of your bank account immediately.
Starting point is 00:56:13 And so what you're trying to avoid is the risk of not being able to have that cash on hand to, say, pay bills or to make other purchases. And a credit card helps you stay safe from those threats. That is great advice. And I'm sure everybody appreciates it. I wanted to just thank you again for joining us on the podcast. I'm sure that we're going to ask you to come back again. You've been a great guest and I know that we'll get some feedback and some questions. So thank you again for joining. Yeah, thanks. And to your listeners, please,
Starting point is 00:56:50 you know, reach out to me. I'm sure the folks that I'm sure we can get you my email address, contact me. I'd love to talk with you about the problems that you have or give a talk or whatever, you know, let's keep in touch. Absolutely. Thank you. So I'll say on behalf of my colleague, Tom Meehan, our producer, Kevin Tran, the LPRC team. Thank you again, Nolan Scaife, for stopping by and helping all of us better understand the digital threats and what's being done out there. So everybody, please let us know your questions, comments, suggestions. Signing off from Gainesville today, this is the LPRC Crime
Starting point is 00:57:29 Science Podcast. Thanks for listening to the Crime Science Podcast presented by the Loss Prevention Research Council and sponsored by Bosch Security. If you enjoyed today's episode, you can find more crime science episodes and valuable information at lpresearch.org. The content provided in the Crime Science Podcast is for informational purposes only and is not a substitute for legal, financial, or other advice. Views expressed by guests of the Crime Science Podcast are those of the authors
Starting point is 00:57:51 and do not reflect the opinions or positions of the Loss Prevention Research Council.
