Shimming Is a New and Serious Threat in The World of Credit Card Fraud

Rachel Morey
April 7, 2017

A new threat to people with chip cards called "shimming" is causing problems with the newest credit card technology designed to prevent theft and identity fraud.

EMV, or “chip” cards are common, now. This new technology is supposed to keep us safe from the unpleasant surprise of an empty bank account or maxed out credit card. Thieves are using a new kind of technology to access the funds in chip cards, and it’s important to understand what to watch for.

The newest device criminals use to steal sensitive information from credit and debit cards is called a “shimmer.” It fits into the slot on an ATM machine, and is almost impossible to see from the outside. Installing this device doesn’t require access to the internal parts of the machines, so anyone can walk by and put a shimmer into an ATM machine with the intent of stealing money from people who use their chip card with that machine.

The EMV chip cards contain the same information as the less-secure magnetic strip cards they replace. The CVV information on magnetic cards is upgraded to a more secure iCVV format that is impossible to decode with a shimmer when cloned to a magnetic strip.

The CVV has three versions. CVV1 is the information encoded into the magnetic strip on the card. CVV2 is the three-digit number next to the signature line on the back of the card. CVV3 is the information encoded into the chip on the card. The CVV3 is often also referred to as the iCVV. Each time the card is used in person, the CVV3 generates a different code that in theory prevents thieves from stealing the CVV3 information and using it over and over to make unauthorized purchases with the card. CVV1 information is simple to skim with a magnetic card reader. It has information about the owner of the card and the card itself that allows people who use a skimming device to capture that information to use the card number and name associated with the card. It’s easy to purchase blank credit cards on the Internet and transfer that information to that card’s magnetic strip.

CVV2 information is relatively easy to lift with malware that records the keystrokes of the card owner when they are shopping online. The CVV2 didn’t do a lot to help with card fraud, though.

With CVV3, the correct code is hypothetically only known to the card issuer. Even though chip cards are fairly new, criminals have figured out a way around the supposedly impermeable layer of security.

Hypothetically, when the information is removed from the shimmer, thieves would find themselves wading through a bunch of useless gibberish. Some banks don’t do a great job of checking iCVV information, which presents an opportunity for criminals who use the shimming device.

Shimmers must fit into a POS terminal or ATM slot, so they have to be less than 0.1mm tall. A human hair is .01mm thick. This device allows criminals to bypass the CVV3 completely, and send a message that there is not a chip card associated with the account, and that the magnetic strip on the card will have to do. A swipe-based transaction is then allowed, giving thieves access to funds that were supposed to be protected by the new chip technology.

Here’s what you can do to protect yourself from card shimming:

• Avoid stand-alone ATM’s in convenience stores and on the street. These are not checked as often as ATM’s located at bank sites.

• Watch bank accounts and credit card accounts closely for signs of fraud and report any unauthorized charges, immediately

• Carry a back-up card associated with a different account so that if your main credit card is compromised you won’t be stranded or penniless.

• Block the view of the PIN pad at an ATM machine with your body or your other hand when putting in your secure PIN number. This won’t protect you from shimming, but it will keep your bank account funds from being accessed directly.

Card shimmers are nearly impossible to detect unless the machine is taken apart and inspected. Protecting yourself may be difficult, but being aware of the problem will help you stop card fraud right away if you are a victim.

See all posts →