The US Mint Denver produces 30 million coins a day. Denes, the tooling department manager, discusses with us how production at this scale functions.
Stephen is on the hunt for the next step in his electrical engineering career and shares the shifts in the industry and what employers are looking for.
Relay manufactures hate this one simple trick that makes your “sealed” relays last longer! Except TE connectivity who has an note about this relay feature.
Patrick Traynor, CEO of Skim Reaper
Christian Peeters, CTO of Skim Reaper
The Skim Reaper in Action!
Parker is an Electrical Engineer with backgrounds in Embedded System Design and Digital Signal Processing. He got his start in 2005 by hacking Nintendo consoles into portable gaming units. The following year he designed and produced an Atari 2600 video mod to allow the Atari to display a crisp, RF fuzz free picture on newer TVs. Over a thousand Atari video mods where produced by Parker from 2006 to 2011 and the mod is still made by other enthusiasts in the Atari community.
In 2006, Parker enrolled at The University of Texas at Austin as a Petroleum Engineer. After realizing electronics was his passion he switched majors in 2007 to Electrical and Computer Engineering. Following his previous background in making the Atari 2600 video mod, Parker decided to take more board layout classes and circuit design classes. Other areas of study include robotics, microcontroller theory and design, FPGA development with VHDL and Verilog, and image and signal processing with DSPs. In 2010, Parker won a Ti sponsored Launchpad programming and design contest that was held by the IEEE CS chapter at the University. Parker graduated with a BS in Electrical and Computer Engineering in the Spring of 2012.
In the Summer of 2012, Parker was hired on as an Electrical Engineer at Dynamic Perception to design and prototype new electronic products. Here, Parker learned about full product development cycles and honed his board layout skills. Seeing the difficulties in managing operations and FCC/CE compliance testing, Parker thought there had to be a better way for small electronic companies to get their product out in customer's hands.
Parker also runs the blog, longhornengineer.com, where he posts his personal projects, technical guides, and appnotes about board layout design and components.
Stephen Kraig began his electronics career by building musical oriented circuits in 2003. Stephen is an avid guitar player and, in his down time, manufactures audio electronics including guitar amplifiers, pedals, and pro audio gear. Stephen graduated with a BS in Electrical Engineering from Texas A&M University.
Special thanks to whixr over at Tymkrs for the intro and outro!
Welcome to the macro fab engineering podcast where your guests Patrick Trainor and Christian Peters
and we're your hosts Parker, Dolman.
And Steven Craig,
this is episode 211.
Patrick Trainor is the CEO of skim Reaper and the desperate family preeminent chair in engineering in the Department of Computer and Information Science and Engineering at the University of Florida. Christian Peters is the CTO of skim Reaper and a PhD student in the Department of Computer and Information Science and Engineering at the University of Florida.
So thank you, Patrick and Christian for coming onto our podcast and so before we jump into skin Reaper, and and all that stuff is what what more stuff do we know need to know about you? Any interesting tidbits, hobbies, stuff like that.
I'm a former metal musician from Pennsylvania turned computer engineer. So my background ended up being going from that over to you know, working on electronics and all things like that.
So Stevens moving his webcam the show his amplifier back there. Oh, hell yeah.
Yeah, rock and roll.
I'm gonna say my my interests are significantly less metal. I am an ultra ultra runner, an ultra marathoner. So I like running, you know, distances beyond 26.2 miles for some reason.
What's the farthest you've written so far?
And December I finished my first 50 mile race.
Is that kind of like a double marathon or
now just it's a 50 miler, but it's pretty weird when you get to when you get to, you know, one marathon, you go great. Only one marathon left. Plus a little bit. No big deal.
I think that's 49 more miles than I've ever run
in your entire life. I tried to do couch to 5k once and I almost got there. And then I got the the couch.
That's good. It's like halfway there, guys.
Okay, okay, Patrick, good question. What is grim reaper?
So this grim reaper is a credit card skimmer detector. And it's roughly the size and shape of a credit card. And so you can carry it around and put it into the card slot before you'd put your own card in.
So you could detect, I guess, nefarious card reading devices in in like, what? What are the applications? Like? Where do we see these?
Yeah, so it turns out that card, skimming is pretty easy. And the goal here is to make a copy of your card. And so what we find in most cases is that the bad guys add a second read head in place. So what the skim Reaper does at a high level, is it figures out when you put that card into the slot? How many times is it being read. And so you can think about a traditional swipe reader, that's the kind of reader that you would get at a cash register, right, so thank you just, you know, one swipe from top to bottom, it should only be read once, if a skimmer is in place, it's going to be read twice that lets the bad guy get a copy. And for your transaction to go through so that you don't suspect anything malicious happening. If you're using a dip reader, that's what you do at an ATM or at a gas pump. You put the card in and it's red going in, and it's red coming out. So it should in the benign case be read twice in a breeder, and in the malicious case, four times,
how do these skimmers install this second head? And how do they how are they like gathering this information.
So the only thing that limits these folks is really their own creativity. And we see skimmers in really all shapes, sizes and form factors. So really, the only sort of necessary precondition for being at risk of skimming is taking a payment card. Right. So if you have, let's say, a device inside a shop, or it's an ATM, what they'll often do is they'll provide an overlay, so they'll go buy some spare parts on eBay and hollow it out and put their equipment to the line the inside of this additional overlay. And then they will literally overlay it on top of the thing that's supposed to be there. Now those are the ones that you know, if you take the common advice, you're supposed to tug on the card reader or wiggle it that that you're somehow going to find this thing. The other ones that are really scary are called Deep inserts. And what they do here is they look at something like a dip reader, and they will go and figure out the dimensions of the internals, then they will custom cut a piece of metal or plastic and then slide this deep insert skimmer inside and inside the card slot. So there's nothing to see there's nothing to feel. It's just a essentially a battery and some minimal processing components right there in the card slot. And there's nothing you can do about it.
So what about this move to go to a chip for a because I actually seen this pop up a couple times in here in Houston for pumps for gasoline pumps, which is where most people get their their credit card skimmed that some of them or something, move the chips. Does this help prevent that?
Yeah, not really. And the reason why is because the what I want your encourage your audience to do is take out a new your credit cards for your wallet and flip them over. And even if you have a chip on the front, you're going to have an A magnetic stripe on the back. And that's because magnetic stripe is the fallback, right when things go wrong when your chip gets dirty. What is the what is the payment unit tell you to do? All right, go ahead and swipe the card. So it's nice that you have the chip there. But while you might be putting it in, and while the chip might being be being read that magnetic stripe is still there, and the bad guys can pick it up.
Fun thing to add to that too. A lot of gas pumps that actually have the chip read logo on there actually don't read the chip. They're just using it to help you know which way to actually orient your card when inserting it. They actually aren't. They're just taking the magnetic stripe. So it's not reading the chip at all.
Yeah, there's there's a lot of security theater that goes on in this space where you know, it suggests that it might be using the chip. But if you're dipping the card and pulling it back out quickly, you're definitely not using the chip.
So what's behind the name skim Reaper? Because so when we first saw this at macro fab, we thought we were actually like producing devices to skim cards.
We're not, we're not making skimmers. It's funny, we've looked at SEC filings from the ATM industry. And they claim losses of north of $2 billion a year because of skimmers. You know, there are enough bad guys out there making these. They're certainly money to be made on that side. But you know, there are no bad guys out there. And so no, we're trying to find devices to stop that kind of thing from happening. We got really lucky to be honest with you, we happened to meet some detectives in the NYPD Financial Crimes Task Force. And we'd been working on prototypes and you know, helping to create devices that we thought would work. And we said, Listen, you know, would you ever have us come up? You know, could we come visit you check out what skimmers you have and maybe do a ride along? And they said yeah, sure, no problem. So we went up and spent about four days in Brooklyn eat donuts, did you get the nut nut it was very, very healthy, very healthy division. So at least we weren't offered any. But they were fantastic. I mean, had boxes and boxes for skimmers of every shape and size. Again, somewhere, you know, traditional overlays for ATMs. If you've ever been to New York or major city, you know that sometimes to get into the room where they have ATMs, they have a credit card swipe on the door, there were skimmers for the door, we recently got to see skimmers that they would fit over the units inside, like at a gas station or that you used to pay at a big box store. So you know when people give you that advice, hey, just just go inside and run your credit card in there. You get scammed there, too. It's it's not good advice. So we were lucky. And they they brought us up there. And we had four days to see how the pros did it. And it turned out that you know, if you are fortunate, and you can have full time detectives who have lots and lots of training, you have a chance, but even with four or five dedicated detectives, New York is a massive place. And what we realized is that, you know, we needed something that anybody could use that any vendor who couldn't necessarily spend 1000s of dollars, you know, 10s of hours training an employee who might turn over, they need a tool that can help them figure out if they have a skimmer or not.
So how did you in Patrick and Christian start? What was the beginning of this, this endeavor?
So this happened, this is Patrick, by the way, this happened? mostly out of shame and revenge. And what I mean by that is that
also you're telling me you're like the Batman of anti skimming?
Sure, I'll take that. Yeah, so
not the anti skimmer we need he's the anti skimmer we deserve.
That's right. That's right. Yeah. I mean, listen, I had my credit card stolen, so six times in three years, and I wasn't doing anything special or dangerous. I wasn't going to crazy places, you know, I travel. And I was being ripped off at big box stores at gas pumps, everywhere credit cards are taken. And it was kind of embarrassing, right? I'm a full professor at the University of Florida, I run a cybersecurity program. I'm supposed to be good at this. And yet, something was going wrong. When you talk to the academic side of the house, lots of people think like credit card scams, credit card skimming, this is all a solved problem. But when you talk to anybody who takes payments, or law enforcement, they're pulling their hair out about this, because they're getting hit all the time. And it's not just loss of money, it's damage to the brand that really hurts. I mean, how many of you want to go back to the store? Where you're pretty sure you got ripped off? Even if it's a brand that you like, or trust?
No, I refuse the US and Exxon here in Houston, because I've got scammed twice.
Yeah, there are certainly gas stations, there's even a big box store in town that I won't go to because my wife got hit at their ATM. They had an ATM on prem. They don't own that ATM, they don't monitor that ATM, but we got ripped off at that ATM. We don't shop there anymore. So you know, the loss to that, to that big box company, that big box store was, you know nothing right, except for all future purpose purchases that we're not going to make there. So that you know that frustration is really what fueled us. And we started off by trying to find skimmers anywhere we could. It's kind of funny, because, you know, we'd reach out to law enforcement initially, and they'd say, who are you? And why do you want to see the skimmers that we have? They were kind of like you guys, we thought, are you making skimmers. And so you know, we had to develop relationships with these folks, so that they would trust us to even look at these things. And to build our prototypes. And again, we're extremely grateful to the NYPD Financial Crimes Task Force, they absolutely gave us our break and helped us take our proof of concept and show that it actually worked.
You know, out of curiosity, have you found any skimmers in the wild yourself?
So not us personally. But the the cool thing about this is that this all blew up in the Associated Press, I guess back in May of 2017. And they they did this article with us. And they said okay, well, we're gonna wait and see if the NYPD find something, NYPD actually found a skimmer on an ATM, then they actually performed a stakeout. And they were able to wait until the person who placed it came back to remove it. And so they're able to make an arrest and conviction using our device. So more importantly, than us finding a skimmer. I mean, we've got, you know, hundreds of them here in the lab, somebody who's actually out there trying to stop the bad guys was able to do it and get a prosecution from it.
So this is kind of a side tangent is you ever worry that all those hundreds of skimmers are like skimming your stuff right now?
No, we know pretty well how they work. And we've we've damaged many of them intentionally,
I've dissected most of those and have wires attached a bunch of them, you know, try to dump all the memory on them and stuff like that. So, you know, there are there's pretty much non operational, hopefully, fingers crossed.
That was a question I was going to ask about that. Like how we I mean, obviously, this podcast isn't about how the skimmers work, but I was, I guess, whoever implants them comes back later and gets them. But have you ever seen any more advanced versions that they don't have to extract it to get the data?
Yeah, we have, we've, they actually they keep getting more and more advanced. So, you know, originally, a lot of these older ones, they'll have to come back and either like take take it out and you know, use serial or USB to get the data off of the memory. But you know, there's been a switch over the past few years that they've started to use Bluetooth. And you know, that still is not great, because you still have to come back and be kind of close to it, you know, sitting at least like in the parking lot or it like next door trying to like on your laptop trying to get all the credit card data. But what's really concerning is now you're seeing a lot of cellular based ones. So that's super easy to just put that in go and never come back and be anywhere in the world. And this thing with a burner SIM card in it is sending you credit card information via text message as people are using this thing. And those are the ones to really be concerned about.
I said before we jump into that, so Christian, how did you get involved into the project?
So I got involved by being totally fed up. With the snow in Pennsylvania, and applying to go to grad school in Florida, so that was the initial first step. But after that, once I, you know, came down to Florida, to start working with Patrick, he had this idea kind of before I had already got here. And then I was one of his first hardware engineering oriented students. And then when I got here, he kind of told me the idea, and I was, I loved it, I had been scammed many times, and I was all in for that. And, you know, kind of going off of like, his initials, like ideas, and, you know, try me trying to, like, play with different, you know, concept ID like models and early prototypes, and, you know, like acid washing PCBs by hand myself, eventually, we got something that, you know, it was really cool, it was kind of just like, the best of our, the two of our ideas, another student in the lab, who has since graduated, and kind of just this all came together, and this really cool project happened.
So um, I guess before we start jumping into, like, the hardware for skin Reaper, and how that works, is probably explain a bit more about how like skimmers actually fundamentally work. And then how does, because you said something about earlier about reading your chip twice or whatever, or your your, your scan stripe, stripe? Yes, twice. But then how do you detect that? Because that's kind of a passive thing. So how do you detect kind of a passive thing happening? Yeah,
so that was actually kind of quite challenging at first, because, you know, you'd think this is kind of like the IT guys were saying this passive, you know, in theory, this is just a magnetic field, that kind of happens, like with your card. But really, what it is, is on the back of your magnetic stripe card is just this strip of really weakly polarized magnetic material. And on that is just like a bunch of ones and zeros that make up your credit card number. So what's happening is, there's basically when when you have to get your card read, because of how weak that material actually is, the magnetic field, the read head has to touch it. Because if it's, you know, coming off of it, the further it is away, the more likely it is that you're gonna have a bad read, and someone's going to be putting a card in there over and over again, and then just get fed up and leave. So touching it is a must. So we kind of took advantage of that. And the design that we have basically works like a continuity meter. So when it's going through, it'll actually send a small voltage that will then go through the casing on the metal like metallic Reed head, which we also take advantage of that property because it has to be metallic, in order for it to actually induce the magnetic field and get that current. So we send a small, like current through there and measure it. And it actually bridges that connection on the PCB. And then by doing that, it signifies that it got red. And surprisingly enough, like after playing with this enough, we got this even work on some of the smallest redheads that they make, which are about 1.5 millimeter in diameter, which are pretty small.
Does a does your device in any way? cause issues with the readers? Or do they throw an error?
Yeah, we made sure of that. So occasionally, if it's actually trying to read the data, it'll say like more advanced machines will say like, error, couldn't read data. But it doesn't actually like damage anything or anything. It's a very small voltage. So nothing like that happens. We I definitely tested that pretty thoroughly before. We actually brought that to a product. That was definitely a huge concern at the beginning. Yeah, I
would guess a machine like cardreader you know, could handle some ESD. So
yeah, they're pretty heavily grounded. So it's there. I have yet to find one that has a problem with it. Well, I
guess I was wondering if they had security features that would say, Hey, you're trying to do something to me?
Oh, yeah. Well, they're actually ones that so recently, this was the thing that had happened one of our the people that we're working with right now that has purchased a few of the production scam Reaper units from us, they're trying to use them with ATM machines that a lot of banks have that have that feature where you know, it has a latch that when you put your card near it, it'll open up and then it'll take your card. So you know, we don't have the magnetic stripe card on there. So it wasn't opening originally for them. So they were like okay, well, can you do something for us so I kind of went back and found some magnetic tape that you can purchase online and we now are adding that to the skin Reapers so that way, you can actually open those doors even and it can get in there and actually check for skimmers even if it has features like that.
So the hardware itself like it's, you know, everyone knows that credit cards really thin and and how do you get all your electronics to kind of work with that? Is it the, the, you have all these electrons, I guess on the outside of the board when it goes in.
So it's actually yeah, that's kind of how we have right now is that it's actually all in the top left corner. And we've actually extended the PCB longer than a traditional credit card. So what that allows us to do is we can use it with both dip and swipe style readers, because those are the two pretty much that are everything. So the swipe is like the kind you find in like, you know, a store or like anywhere like that. And then the dip is the kind you're seeing at the gas stations where you actually insert it and then pull it out. So by putting it all on the top left corner, that allows us to do like, evaluate both readers. And it, can we have a mode switch on there, too. So you can switch between the two,
we actually refer to it as the backpack, because that's basically where it sits on the card. So internally, we call it the backpack.
So the part you're inserting is actually fr for PCB material, right?
It's just the about the same thickness as a credit card.
You know, just just to be fully nerdy, I actually have a, a dial indicator on my desk right here. And I pulled out a credit card and just measured it. And it's let's see here. It's It's about 30 2000s. Somewhere in that range. So you're having PCBs manufactured at that thickness?
Yeah, macro fab is able to do that for us. Basically, we're able to get pretty thin boards. One of the interesting things that, you know, came up with that, originally, when we were first designing, it was the concern that, you know, maybe this is almost too thin, where it's not going to be rigid enough to actually go through the reader. But this is actually the perfect thickness and it is exactly that of a credit card reef. Can we actually compare these two, like the ISO standards for credit cards and everything like that to make sure it was well within the range of tolerances and all that? And yeah, it actually is.
That's actually why would be interesting. What is the tolerance of a credit card?
Yeah, it's I believe, I'm trying to remember, I can't remember off the top of my head. But 10% Yeah, there is an ISO standard for it. Yeah.
I'm searching on Google right now. And I'm really liking to, like this might flag me, you know.
My concern all the time is my search history is super incriminating with that looks, its
credit card machines work.
We have so many searches for you know, for spare parts for ATMs. And again, we're the good guys for, we're just trying to make sure it works. In every possible device. I've
looked through so many user manuals for these ATM machines with like, exact specifications of like the card reader and everything it yeah, I hope no one ever sees that search history.
And by the way, for US manufacturing PCBs or getting someone to help us manufacture PCBs at this thickness was really a challenge. So we talk to a lot of people when so back to what I mentioned earlier, when we this, this blew up in the Associated Press, and the university was tracking this. And at the time, the original story got something like 550 million press impressions. So you can imagine over the course of, you know, two weeks, I think we got something like 2500 phone calls. And we got 1000s and 1000s of emails, it turns out that everybody's getting ripped off, and everybody hates skimming. And as Christian said, he, you know, he was acid washing PCBs. And, you know, we were laser cutting stuff. And, you know, we just it took us 10 to 15 hours to make a single device. And we realized we didn't have there was demand. And we didn't have anywhere close to the ability to actually meet that demand. And so going out, you know, talking to we we'd never professionally manufactured hardware before, who can help us do this. I mean, we probably had 15 phone calls, and at least twice that many emails, just just trying to find someone who could help us and macrophyte was great. They were very quickly figured out that they were the kind of a one stop shop for us.
So actually, let's go into that a little bit. So going from acid wash PCVs to a manufactured product is quite a process.
Oh, yeah, that was something else. That was a whole journey for me. Like especially just because so the most that I had done was all throughout college for me, you know, I was playing with like, you know, Arduino projects and stuff like that, and like breadboard and things, but I had never made a product like that. This was the first time for me doing that. And this was a totally different experience. For me. There were so many things that like I had never thought of that are come totally different from Just like, you know, building your own little prototype, to actually making something that's like a product. It's they're worlds apart. And it's, there's so many other things you have to be like thinking about, you know, it, how is this going to be used? How are other people going to use this not just myself? And, you know, how are we going to make this in a way that someone isn't just going to, like, destroy it or break it right away. These are like all things that like I never had to think about before.
So it was funny when we were up with the NYPD, if you if you look back at any of the original press releases, I think I think our LinkedIn page still has some of the original devices, we had this 3d printed box. And you know, 3d printing can only be so beautiful, right. And it had an LCD screen. And then it had a cable and a USB attachment to the card. And we just love this thing. And we're lab guys, right? So we're treating this thing with the utmost reverence, you know, it's got a case retreated gently. And then we gave it to the NYPD. And we saw how they used it. And you know that, I mean, they were pulling on the cord. And I remember after the first night that we gave to the gave it to the guys are Christian and I had to find a Home Depot and because we needed Gorilla Glue and electrical tape to put it back together. And we've we figured out pretty quickly. The thing that we built was great for the lab, guys. But it was never if people were going to use this it was never going to withstand, you know, normal use. And so after the the AP story hit, we kind of went back to the drawing board. And we talked to the, the 20 or so people who had an original one, and we refactored everything. So there was no more cable. We created this backpack where, you know, we had to put all the logic inside, it turned out what we thought was helpful this LCD screen. That was helpful for us. Nobody wanted to read, you know, the details. They just wanted, you know, a red light for bad. There's a problem. And you know, some other color with blue, because I'm red, green, colorblind, blue fourth, everything's okay. So we go no, go. Yeah, exactly. And then, you know, the people who are using this can put whatever process they have in place. Okay, so you found a skimmer. Now you shut down the ATM. And the question in the past. So we talked with a lot of, say, big box stores. And the state of the art before this was they give their employees a ruler. And they say, Listen, if the if the card reader is one eight of an inch longer than it's supposed to be, then you have a skimmer. And you should notify us well, I don't think any of us have ever been to a big box store where every register is open. Right? So the folks who are working there, you know, they're working hard, they don't necessarily have time to go around and carefully measure within an eighth of an inch, every single payment terminal. And so they weren't finding many, by you know, creating a tool that's robust that that gives a go, no go, then they can say, All right, now we're going to shut this down. Now we're going to call the police. If you have an ATM, now we're going to call out the vendor who will go inside and look. And before it was kind of like, you know, we think we have something, but we don't know. And you know, the service company? Who does this? It's going to be two days before they can come out. So do we shut down the ATM with the suspicion that there's a problem and lose business? Or do we leave it open? Because we can't be certain. And our goal is to bridge that gap and let them then do what they need to?
So the device? Is it really just that easy. You turn it on, stick it in? And an LED tells you yes or no?
Yeah, that's really all it is. Basically, you just turn it on, press the press a button to start detection, insert it, remove it like you would a normal credit card and just press the button one more time. And it'll tell you it's really we try to keep it as simple as possible. Even like going out for Patrick said before, when we brought this prototype to the NYPD, I had the LSVT big the LCD screen on it even saying like, the potential skimmer is like on the right side or on the left side. And they didn't care where it was like it didn't matter. If either way you're opening the thing up and taking the reader out. So I mean, it's we try to make it as simple and straightforward as possible. And even when we sell the product we include like a little like quick reference guide that says like, Okay, if all three lights are on, you are in the menu, like press the button again, and you'll be actually like you can start looking for skimmers.
Yeah, this was a big goal of ours again, we're lab guys and so we can take 80 hours of training.
You want all the debug information right there.
We love that kind of stuff, right? That's what we live for. It turns out normal people don't see that. They just don't want it's right. I mean, you know, we've got long headers enabled on our email and most people get frightened by that kind of stuff. And, and that's okay, right. That's okay. And so, you know, this was sort of two plus years in development. And there are a lot of technical details how you get this right, and you make it robust. And I make it durable. But at the end of the day, we want a five minute training program where anybody, right they start their first day, they might be making, you know, 10 $15 an hour, on the first day, hey, here's the skin Reaper, here's how you use it, I want you to show me using it. Great, you're now trained. And you can be part of our efforts to fight back against scammers.
So speaking of that, you said it's really easy used and but it took two years of development. So it was it was hard to develop, it's easy to use. So bridging that gap is engineering, right? So what kind of roadblocks that y'all have run into in the two years of developing this product, this product?
Well, it's the biggest roadblock, I think, for like, that I ran into when I was kind of like making all these different prototypes, and everything like that is just something that was a one, it just worked on all types of readers. And it worked all the time and was consistent. The problem is that these readers and like the redheads inside even a lot of the skimmers that I was saying before us, these read heads that are like one and a half millimeters in diameter. It's so precise, that even the ISO standard for where the magnetic trait like traces should line up. Because that magnetic stripe on the back of your card, there's three separate data traces on there. And each one has a specific width to it. And you know, not all readers read all three of those traces. And it's things like that, that it's just these little, the little things really kind of add up. And it's just making sure that the actual product is just everything that someone could ask for. And that it's just fulfills every single need for them, and that it doesn't miss a step. It especially for what we're dealing with, you know, it's if someone comes to us and says, Look, we use your product, and it didn't work. And there was a skimmer in there, we found out weeks later. That's, that's terrible. That's we don't want that to happen. So we spent quite a lot of time just kind of trying to make this perfect product that can just detect all of these, like the skimmers that are in there. Yeah, just
to add, I already talked to you about some of the usability challenges under redesign. We've, we've talked about this at a really high level. And you know, it turns out that tuning the parameters, that took a huge amount of work, right? I mean, yeah, hey, it's about counting the redheads. But like Kristin said, the diversity of readers, the diversity of redheads, right, the materials that are actually that they're made out of, you know, you can make a simple device that might if you get lucky, measure some of these things, but where we were able to bring this all together and make a precision detection device. That's what took two years. So we've I mean, we've evaluated 1000s. I mean, I don't think that's an exaggeration at all, but 1000s of different card readers of every size and shape that we can possibly find to make sure that this thing works. And I can't imagine
like, the skimmers themselves are like precision designed equipment to that work all the time as well,
you know that that's actually really surprising. I mean, some of these things you can tell are actually well engineered. They come from people who quite likely have an engineering background and who've built some embedded systems that, you know, that level of creativity and ingenuity, it never, it never ceases to amaze us. I mean, there are real engineers building these things. Yeah, there are some that are poorly put together to, but you know, it matters that their return on investment matters, right? If you're gonna put $1,000 worth of equipment together to steal credit cards, you want it to steal as many credit cards as possible. And so we also found, by the way, that there are websites, you don't even have to go to the dark web. And that's a scary place. You don't even have to go to the dark web to buy some of these things. So, you know, you said that you were worried we were making skimmers, we're certainly not. But there are other people out there who are selling them, and you can buy them with credit cards online. I guess they're for novelty purposes or something like that. But you know, so if you're not a talented enough engineer, and there are plenty of them out there who are doing this, you can buy the devices online from people who are
where to buy a credit card.
Yep, not putting that in my Google search history. Thank you very much.
It's too late for me.
So I got a question about the PCB. So did you What did you kind of go through with the design on the actual reading portion of that? Do you just have the end of it as exposed copper or did you do like a gold coat or a hard gold or what? What kind of worked best for you?
So right now it's actually just exposed copper and it kind of works. Super Well, for us, just as simple as that. We've, I've kind of played around with other ideas before too. And I mean, this is really just, this is all I really needs. I'm initially when I was, you know, as washing the PCBs myself, the copper was not holding up super great. But you know, now they're actually like production grade this copper holds up fine. Like there's skin Reapers that I have here like Demo units in our lab that probably have been swiped that almost 10,000 times, and the thing is still holding up perfectly like it was brand new.
Yeah, that was one of the things that when and no offense to Christian, he's awesome. But you know, when he was burning his hands with a soldering iron making these things, it was hard to get the devices that would work over you know, 10,000 swipes and again, that's why we knew that we needed professional help with the manufacturing in order to get that. So the devices that we have manufactured so far seem to hold up.
So back to my previous thing. I actually Googled that. And like the fourth link, I got an Alibaba link that I can get them for 350 bucks lalala, I can't.
No surprise, yes, that's actually relatively cheap compared to, you know, some of the things we've seen in, you know, some of the sketchy websites that are selling them for like 700 bucks to like $1,000, depending on what you're trying to get. Some of those deep inserts are real expensive. And some of those even two are only made with 10 snips. Precision the cut, though, because you know, you can tell that these people actually have the unit, but they're still doing it by hand. It's like they even have like jagged edges on them, too.
Yeah, we have one of these deep inserts here in the lab. And we always warn people beforehand until like, the edges are sharp. But you can you know, they can cut yourself on the edges. But you know, make no mistake that these folks who are doing this, don't just roll up to a random ATM and go, I think I'm gonna hit that. They they go to the ATM, they figure out what's the make and model? What's the card reader? Okay, they go back and they go, Hey, and they've got, you know, 10 different units? Do we have a deep insert that fits, you know, a double 700 series? Okay, yes, we do great. It's like this are great, and we have to machine it. But we know the exact layout of the internals of that card. So we can, we can create a custom inlay that we're going to shove inside. We
even heard from law enforcement before too, that a lot of these guys will actually have like when they finally get busted, and like they go to like where they were doing all this, they'll find these like full ATM units, where they were at that actually like, you know, they were using them for both precision cutting their skimmers and also training people to actually put them on as fast as possible,
holding classes on it. That's right.
You know, the thing is, like, I bet you the guys that are buying these things are probably not really concerned about like getting the most top quality item, you know, as long as it functions. That's all that matters there. They're not going to call the BBB and report these guys. Yeah.
That's the problem with crime, right is that if you get ripped off duty reported to you,
at the end of the day, it's to like, you just steal probably about just a couple credit cards, you've already recouped how much you spent on that thing. So I mean, even if it's like, then the police get it after a little bit of time, you still made your money.
So I went to your website, and I pulled up your, your user manual for for the device. And on page five, there's a full FCC statement about testing and and having it done. So can you talk about that? Like what do you had to go through to get something like this tested? And were they kind of like, what is this?
Surprisingly enough? There were no questions asked, but that I was really concern too. We had sent it to us to a small FCC testing facility in Pennsylvania. And, you know, they were super, like a great with I been in contact with us. And you know, we just sent it to them. And a week later, they just sent us all the documentation for it. It was I couldn't believe that they didn't say anything.
I want to guess if you're going through legal, legit channels, then they assume your device is legal and legit. Purpose has legal legit purposes.
It's funny, because I would think that too, but this is just a totally This is a similar story. But when we were even testing this with the NYPD, we're going around to different banks and trying out like our prototype, right? We are with a cop to The thing is though, you know, this is his kind of this is his main job is to look for skimmers and he doesn't want to be like showing off that he's a cop. So he goes around in civilian clothes, but still carries a badge. We went to this one bank in New York, and we were trying out the scam Reaper and one of like the manager that just comes out and is like, what are you guys doing? And he shows his badge and says like, you know, we're testing this thing. It's a new thing that The NYPD is going to be trying to try to find skimmers. She didn't believe him. She didn't. But she thought we were actually like trying to like mess with the ATM. And he had to give her his badge number and she called the precinct to verify that he was supposed to be there and who he was. So even going through the legal channels don't always work. Sometimes they're
just doing their job if someone called me and I would have done the same thing.
I was fine with it. I I actually appreciated it because it showed that she was concerned enough to be asking the right questions. But I just I think it's fine that even if we're going through the legal channels, that it's still concerning that you know, when you see someone going up to your ATM machine and starting to mess with them, we see some that looks like a skimmer, even though it's not.
Yeah, the funny thing, by the way about that story, too, is that was the sixth bank, we visited that day, and the manager just happened to be upfront. Nobody else, not a customer, not an employee, nobody else even, you know, stopped us or looked at us funny anywhere else we went. And that's the thing, by the way that, you know, these things can be installed so quickly. You know, we tell people, you know, look out for something suspicious. If you see any of the videos that we you know, we show something suspicious is did they touch the ATM? Right? Yeah, for an overlay in particular, you just walk up and go and stick it right on. And that's it. So there's nothing, and we've
all seen the quality of CCTV footage. So it's like you, it would look like the person is using the ATM. Exactly.
And they you know, they know they roll up, and I've got the hat pulled down sunglasses on hoodie sometimes. Alright, keeping their head down. They've been to these places before. Again, it's not nobody goes to a random bank and goes, I think I'll put a skimmer in here. Now, if they've done some recon, I need to figure out okay, yeah, this is, uh, this is the place and these are the units, I have an overlay that's going to fit these Exactly. So that when they come back and do it, you know, it's it's in and out in no time.
So I want to go back to what every almost three years ago now, in 2017, we had the article that came out about y'all starting out. So since then, how have y'all grown your business? Like your your strategy in that? Because there was a, there was a article that came out in Houston, about your product recently? And like, how are you all growing that from being two guys at at a university to this? Almost like nationwide company now?
Yeah. So just want to note that we started selling officially in August of 2019. And since that time, we're actually now deployed, we so we have customers in 19 different states. So it's happening pretty quickly. And I'd say the biggest thing we have going for us is that it turns out, people hate getting scammed. And so we have great, great partners in law enforcement, who you know, often by word of mouth are telling each other, hey, you know, if you need a tool to do this, it's got to be this can Reaper and and so we're having law enforcement reach out to us. And the great thing is when law enforcement is doing something like this, that's proactive, then they're they're talking to local media. So we've had stories in Houston and Tampa, in New York, in Miami recently, as well, in many, many more cities, where, again, law enforcement is taking the first big step. But ultimately, you know, we think that the responsibility here is on vendors, it's on retailers, because law enforcement can be everywhere at all times. And so we hope that, you know, that retailers are seeing these, these efforts by police and saying, you know, I have to put locks on my doors, I also have to make sure it's safe inside my store walls. I need this tool, I can't hope that law enforcement is going to come by, you know, twice a shift and make sure I don't have any skimmers. I mean, just it's just not going to work. So ultimately, you know, we're hoping that these media interactions that we have, inspire vendors to to take things a step further. And we actually have one customer who, hey, you know, if you have an alarm system, one of the strategies is you put the sticker for the alarm system on your window or a little sign outside. And one of our customers are puts our skim Reaper stickers on the window, and basically says, hey, look, don't skim here. Because we're going to we're going to catch you you're gonna lose your device, you might get arrested, take it down the street. And so our hope is that more vendors, more retailers say hey, we're more part of that club. We're looking and we're not going to get anything from our for our premises, protected by the skin Reaper. That's right.
You know, are there any legal ramifications of getting skimmed at a store and other Words like, say I shop at s Mart and I get skimmed at s Mart. Is that? Are they liable for that? As smart?
Yeah, so this is a challenging question. It? The answer is is a huge depends, right? So it depends if you're talking about a credit card or a debit card, oftentimes the banks push back onto the vendor. And they, you know, they take the loss, sometimes it's hard to trace back to where the skimming occurred. And so, you know, if, if the folks who are doing this use it as a direct cash out at the ATM, so they, they skim your card at eSmart. But then they go down the street, you know, to global bank, and hit their ATM, then you know, global bank is going to be out the $60,000, what's the average ATM holds so but you know, here in Florida, they're in Houston, one of the big problems is, it's actually skimming it fuel pumps, they often use that, that skimming to then go back to the gas station, and steal things like diesel. And so when they take that diesel, and they'll sell the diesel on either construction sites, or often, and we've learned from law enforcement will take the diesel and ship it across the streets of Florida to places like Cuba, or Venezuela, where you know, access to fuel, you know, certainly more difficult. And they'll make a lot of money doing that. So if you're also if you're a store, and you're also out product, whether it's diesel or something there, yeah, that's on you. If it's an ATM, the bank's going to take the hit. And ultimately, we're all going to take that hit in the interest rates that we pay. But even at a higher level, the thing we wanted to reinforce is, a lot of companies have insurance for this kind of thing. But that said, it's about damage to the brand to right we again, we all know that place where we got scammed, and we just won't go back there. So, you know, if you're willing to sacrifice all future sales to portion of your clientele, then you know, sure, let it happen, I guess. But we don't think most people want to do that.
Another question I have is this is kind of closing comments, I guess is so if someone buys your device, the skin Reaper, and they detect the skimmer, what do they do?
That's a great question.
Do they just rip their shirt off? And it's, it's their Batman outfit now.
I mean, we haven't heard of any
customers doing the machine.
It really depends. Because there's not necessarily a duty to report every state. When we work with law enforcement, you know, one of the things that they like to do is show the public, hey, we found this, and we're out there and we're protecting you. But you know, banks don't necessarily want to say yes, we had a skimmer and it's a problem. So, you know, what you do is going to be essentially based on your corporate or your your entity's policy, the very, very least, you know, shut down the unit, figure out how to get that thing out of there. And then figure out, you know, can we then work with law enforcement, which by the way, we strongly encourage, because it turns out, if you're getting ripped off, I walked around a mall recently, just checking, you know, who was using a specific brand and style of payment terminal. And it turns out that 80% of the stores that we walked into, were using the exact same terminal if you're getting ripped off, so is everybody down the line, or they're about to so working with law enforcement when you can to put out a warning, and to have the tools like this can rebrand place, so that you know as soon as possible. That's how ultimately, you make this an unprofitable game.
So I was coming more from the vigilante style like, like someone who's who's basically buying one of these the pop into the machine before they put their card in to make sure that they're not gonna get a skin so to speak. I guess you do at that point is call your local police non emergency number, I guess. Yeah,
exactly. Yeah, calling this
like telling the actual, like, place itself to they is probably good, because then, you know, they probably have some policy in place, and they can do something about it, you know, they could potentially just like, you know, send someone out there to go rip it out or something like that. I don't think they'd appreciate, you know, someone trying to go into themselves and rip it out. But, you know,
yeah, but we are official statement. We strongly recommend if, for example, you have one of these devices for personal use, and you find something, get law enforcement involved, you know, again, they they or someone at the state level likely has a lab. And when they go and try and make convictions, sometimes they can tie multiple of these incidents together, or use the same hardware, your your fingerprints are on multiple devices. That's ultimately you know, a big part of how you solve the problem is you make it such that catching these folks is doable.
You know, I could see this is probably way more complex than Now isn't necessary, but I could see a bit of a, like if you had an app on your phone, that you that if you do detect it, the device could talk to your phone and get a location and pin that and say, Here it is. And the only way you get access that is if the Reaper says, hey, yeah, this is a target.
What's funny is we actually played around with a similar concept, originally, when we're going through kind of different prototypes. And one of the skin Reaper prototypes actually was just a, it was a huge box, because, you know, I had put all these extra features in there that were totally unnecessary in the grand scheme of things. But at one point, it did have a GPS module in there. So it knew exactly where it was, you know, it had an SD card, because it was like storing all of its read data and everything.
Yeah, it's funny that we so one of the amazing lessons we learned from some of our customers was that. So if you do if you sell software, for example, you know, an integration with any non trivial company is going to take you months, right? Because whatever their stack is, it's complex. And so basically, people said, like, if you try to give us an app, it's going to take six to nine months to get approved, we want a thing that stands alone, so that we can decide, like, we don't even want you to know, unless we tell you, and we've had a hit. And so that became our MVP, or minimally viable product. And we were working on a version that, yeah, we can do audit logs and provide all that stuff. But again, the demand was high, you know, people wanted at least the ability to know locally if they had a problem, but you're, you're certainly thinking the way we were thinking first, and the customer has pushed us back the other way and said, just give us something that's completely standalone. There's no integration and do it fast.
Sounds like kiss right? Keep it simple, stupid.
Exactly. That's it.
That's what the NYPD told us a couple times when we had it.
So cool. Do you have anything else, Steven? No, I
think I'm good. All right.
So we're gonna sign out this podcast. So Christian, if you want to do that for us, actually,
right. Before we do that, where can people find out more about you guys?
Yeah, so we, we have a web presence. Of course, you can find us at www dot Schem reaper.com. And of course, you can Google us and see lots of our media coverage as well. Look for us on Twitter. We're skin Ribeiro.
And I'd like to thank you all again for coming up. I guess this is a lot of fun.
Hey, it's our pleasure. Thanks so much.
Yeah. That was the macro fab engineering podcast. We were your guests, Patrick Trainor and Christian Peters.
And we're hosts Park Dolan
and Steven Gregg. Let everyone take it easy.