Using NEM's Catapult Blockchain and the Power of IoT to Combat Gas Pump Credit Card Skimmers

Using blockchain, smart contracts and IoT sensors together can protect gas pumps from skimmers trying to steal your credit card information.

I was seated in the chair of my local bank, excitedly waiting to open a new bank account. As I was handed my new VISA debit card on the spot, I imagined the convenience that a powerful electronic payment solution would bring. Upon giving me the drill on my new card, the first words out of the bank manager’s mouth were:

“Whatever you do, never use this debit card at the local gas pumps!”

That’s right — I wasn’t allowed to utilize the convenience of my card at one of the simplest and seemingly harmless actions one can participate in.

She told me that there was a serious problem concerning the pumps — one which had affected her as well. I leaned forward in my chair out of curiosity, anticipating the reason as to why I wasn’t allowed to utilize my supposedly secure bank card.

The reason for this dire warning was actually quite simple — and shocking. Many of the gas station pumps in the area were known to be compromised with an illegal credit card logging device known as a “skimmer”. In the last year, the number of skimmers in the state of Florida rose by 27.6 percent. In South Florida alone, nearly 200 skimmers were found in gas pumps. When you take into account the amount of traffic that each pump gets, especially in more populous places, the threat this issue poses becomes much more significant.

With 29 million Americans pumping gas with credit cards every day, and an estimated $1 million worth of fraud per skimmer, this is a disruptive issue that needs serious technological intervention.

How Does Credit Card Skimming Work?

First things first — how do these things work?

Most prominent in the states of Florida and Texas, credit card skimmers are devices that are placed near the gas pump’s legitimate card reader. Frequently part of organized crime operations, they’re often placed on the inside of the gas pump’s cabinet. The devices log the card data they capture and send it wirelessly over Bluetooth or even a cellular GSM connection, which is how criminals obtain the credit card information. Due to the wireless nature of the skimmer, the criminal never needs to return to the pump to retrieve it.

Chip-based card readers are also in trouble; in the last year, devices known as “shimmers” have made their way into gas pump cabinets. These operate on the same principle as the skimmer, only they intercept card information from the supposedly secure chip-based card readers.

To combat this issue, many gas stations began placing “security seals” to indicate if a pump has been tampered with. However, these stickers are easily replaced once taken off, as the criminal can simply order a pack of 500 stickers for $69 USD online, so they are not a very effective method for informing the public.

How Can NEM Catapult and IoT Address Credit Card Skimming?

So, how can one solve this growing crime that affects millions of people?

The answer lies with the NEM Catapult blockchain. We battle a high-tech problem with a high-tech solution!

The use of blockchain (a distributed, trusted online ledger), with elements of the Internet of Things (IoT), can aid in authenticating and auditing gas pumps and their activities.

For this application, we can utilize the NEM Catapult blockchain, as it introduces several built-in mechanisms that suit it perfectly.

To solve this issue, a low-cost IoT “anti-skimming” device is placed within each gas pump’s cabinet. This device will be equipped with a door sensor and smart lock, so it is able to log which gas pump was opened and (possibly) tampered with, by whom, when and where.

In order to identify if the operator is certified or not, each IoT device would also utilize an RFID (radio frequency identification) tag to authenticate the person opening the gas pump cabinet. This authentication is done on the Catapult blockchain via two steps:

First, the operator that scans the pump’s RFID tag must own a non-transferable token (called a mosaic in NEM) on the Catapult blockchain. This token is a corporate or government-issued token, meaning this person would have to be a certified operator in order to own this token. Each of these tokens is placed under a Catapult “namespace”, which uniquely identifies the entity who issued the certification token.

Each namespace on Catapult can only be owned by one entity, which verifies the legitimacy of the certification. For example, if the sender of the certification token is “shell-usa”, you can be certain that the operator was certified by Shell USA, and thus, is allowed to operate and open the pumps.

Second, the gas station must also enter into a one-time, timed disposable smart contract (called an Aggregate Bonded contract) that grants the operator a window of time to perform the necessary, legitimate maintenance. If both the operator and gas station owner sign this smart contract, the IoT device will make note of this on-chain. This smart contract will signify that the operator has indeed shown up and interacted with the cabinet with the gas station owner’s approval within the allotted amount of time.

Once this authentication process is complete, the IoT device logs the full interaction directly on the blockchain as a valid event between the certified operator and the gas pump. If an individual was unable to complete the above steps, the device will log this interaction as “invalid”, notifying the gas station owner and prompting for further investigation on that specific pump.
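The two checks and the valid/invalid outcome described above can be written as a single fail-closed decision. This is an added example, not code from IoDLT or NEM: it makes no Catapult API calls and models the on-chain state as plain records, and the names `Mosaic`, `MaintenanceContract`, `classify_door_open`, the pump ID and the account labels are all hypothetical.

```python
from dataclasses import dataclass, field

TRUSTED_ISSUERS = {"shell-usa"}  # issuer namespace from the article's example

@dataclass
class Mosaic:                # hypothetical snapshot of a token an account holds
    namespace: str           # namespace the token sits under (identifies the issuer)
    name: str
    transferable: bool

@dataclass
class MaintenanceContract:   # hypothetical view of the aggregate bonded contract
    pump_id: str
    operator: str
    owner: str
    not_before: int          # maintenance window start, Unix seconds
    deadline: int            # maintenance window end, Unix seconds
    signers: set = field(default_factory=set)
    consumed: bool = False   # one-time: set once a door-open event has used it

def classify_door_open(pump_id, operator, owner, held, contract, now):
    """Return ("valid" | "invalid", reasons); any failed check means invalid."""
    reasons = []
    # Step 1: a non-transferable certification token under a trusted namespace.
    if not any(m.namespace in TRUSTED_ISSUERS and not m.transferable for m in held):
        reasons.append("no certification token from a trusted namespace")
    # Step 2: a contract for this pump, signed by both parties, inside its window.
    if contract is None:
        reasons.append("no maintenance contract")
    else:
        if (contract.pump_id, contract.operator, contract.owner) != (pump_id, operator, owner):
            reasons.append("contract is for a different pump or party")
        if not {operator, owner} <= contract.signers:
            reasons.append("missing signature")
        if not contract.not_before <= now <= contract.deadline:
            reasons.append("outside maintenance window")
        if contract.consumed:
            reasons.append("contract already used")
    if reasons:
        return "invalid", reasons
    contract.consumed = True  # disposable: cannot authorize a second opening
    return "valid", reasons

# Constructed sample data (not real accounts or on-chain records).
CERT = Mosaic("shell-usa", "certified-operator", transferable=False)

def sample_contract():
    return MaintenanceContract("pump-07", "OPERATOR-A", "OWNER-B", 1000, 4600,
                               signers={"OPERATOR-A", "OWNER-B"})
```

Returning every failed reason, rather than stopping at the first, gives the gas station owner a complete record to investigate when an event is logged as invalid.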

The blockchain will keep a verifiable ledger of the events of each gas station and each gas pump. This also makes it more difficult for anyone attempting to gain illicit access to the pumps.

Because each pump is now audited, customers can now verify the history of the pump by scanning the RFID tag, which will indicate whether the pump has been tampered with before. Crisis averted!

Blockchain and IoT Working Together

Using blockchain and IoT will enable businesses to not only protect gas pumps from skimmers but also other critical equipment that requires authorized and certified operators. The Internet of Things is a very powerful tool that can simultaneously create conveniences for us while helping combat crime and improve the quality of life.

NEM Catapult’s easy-to-use API layer makes the communication of IoT devices a breeze and guarantees a high level of security throughout the solution.

Bader and Bassem are the founders of IoDLT, a blockchain-powered IoT solution. For more information or business contact, please email

IoDLT (Internet of Distributed Ledger Technology) is a disruptive blockchain startup that utilizes NEM Catapult to secure and verify data coming from IoT devices.