As chip-based payment cards become the norm, criminals are shifting tactics to use shimmers rather than skimmers to steal money from automated teller machines.
“Shimmers have been slowly nudging skimmers aside as the number of EMV implementations increases nationwide,” Flashpoint’s Isaac Palmer wrote.
Skimmers are small devices that fit over an the machine’s card reader and copy data from the card’s magnetic stripe. Criminals interested in stealing from ATMs would install these devices over the real card reader and wait for people to swipe their cards through the reader. When someone swipes a card through the reader that has been tampered with, both the card reader and the skimmer sees the information on the magnetic stripe. Criminals would then take the stolen information to create cloned cards and use them in other locations.
However, growing use of chip-based cards and the Europay Mastercard Visa (EMV) payment implementation and chip-based cards, meant skimmers are no longer as effective. Chip cards theoretically cannot be cloned because of a component in the chip--integrated circuit card verification value (iCVV) which protects against the copying of data from the chip. Instead of looking at the magnetic stripe, criminals are using shimmers, a thin-device typically positioned between the chip and the chip reader, to capture data from the chip.
“Shimmers have been slowly nudging skimmers aside as the number of EMV implementations increases nationwide,” Palmer said.
The Secret Service estimate $1 billion are stolen every year by criminals using skimming devices. This is a lucrative revenue stream and makes sense that criminals are adapting to new technology.
There was “growing interest” in shimmers in criminal forums and marketplaces, as evidenced by advertisements for custom-built shimmers and videos describing where to place shimmers, Palmer said.
One way to deal with criminals intercepting card details through the reader was to install the Card Protection Plate (CPP) inside the ATM to prevent objects from being inserted inside a reader. Bypassing CPP is difficult and “it’s highly unlikely an attacker would be able to open the device and remove the CPP,” Palmer said.
A shimmer could be thin enough to bypass CPP, and if the bank is not properly verifying transactions, such as authenticating iCVV, then criminals would be able to steal card data. However, Flashpoint said CPPs are still the best defense against ATM shimming attacks, especially if installed with an optional tamper switch. The switch will mitigate any attacks that might move or put added pressure on the CPP and trigger an alarm.