Remember the card skimming wave, in which fraudsters attach false fronts to outdoor ATM and gas pump point-of-sale terminals to harvest the details off your card’s magnetic stripe and clone your card?
The bad guys are back with a new, improved data pickpocketing technique called shimming, in which they secretly insert a shimmer, a paper-thin, card-size shim containing an embedded microchip and flash storage into the “dip and wait” card slot itself, where it resides unseen to intercept data off your credit or debit card’s EMV chip. Although the scammers can’t use that purloined chip data to clone an actual chip card (for reasons we’ll discuss shortly), they can clone a mag stripe version that’s fully capable of defrauding banks and merchants who may not be paying close attention to their card security protocols.
What makes shimmers potentially more effective that skimmers? They can easily be inserted into indoor, in-store POS terminals, where they record the data being shared between the card’s chip and the terminal. What’s more, when the scammers periodically collect the shim to harvest its bounty, they appear to be doing nothing more than paying at the terminal.
Both scams gained momentum domestically as the United States ramped up for what has turned out to be a slow, rocky and ongoing transition from mag stripe to chip cards, contributing to a record 15.4 million victims of U.S. identity fraud in 2016.
Shimming: An invisible, yet still-rare, hack
Shimmers made their debut two years ago in Mexico and Arizona. The most recent North American case turned up in January in the Vancouver, British Columbia, suburb of Coquitlam. But it wasn’t a ripped-off consumer who blew the whistle, according to the Royal Canadian Mounted Police (RCMP).
How to protect yourself from shimmers
- Use the contactless tap-and-go feature on your credit or debit card instead of swiping or inserting your card.
- Use contactless mobile services such as Apple Pay or Samsung Pay to tap and pay.
- If you’re withdrawing cash at a bank, go inside to a teller.
- Use ATMs in banks rather than more vulnerable standalones.
- Cover the keypad with your hand when entering your PIN.
- Don’t proceed with a transaction if your card encounters resistance when it is inserted.
- Contact the bank, merchant and your card issuer is you suspect your card has been compromised.
“This retailer was doing daily checks to make sure everything was working properly on their four POS machines, and during one of those checks, they noticed that the test card they use wasn’t going in and out smoothly,” explains RCMP Cpl. Michael McLaughlin. “So they took the machine apart and found this shimmer inside. It’s a really good illustration of how a basic, low-tech technique can defeat high-tech crime.”
McLaughlin says that short of experiencing similar difficulty when inserting a card, there’s little to warn consumers that a card reader may contain a shim. “Unless you can really get a good look inside that little slot where your card goes, you’re probably not going to see a shimmer from the outside,” he says.
While the threat is invisible, it’s not as dire as it may seem.
“We don’t want people to panic over something like this,” cautions McLaughlin. “We’ve only found the one instance in our jurisdiction, it’s a brand-new technology and isn’t particularly widespread. You’re much more likely to get your wallet stolen.”
What happened to my “safer” chip card?
But wait — aren’t chip cards supposed to be more secure than those mag stripe relics?
Yes — and, ironically, shimming helps illustrate why, according to Nick Billett, senior director of global research and development for Diebold Nixdorf, a global banking and retail solutions company.
The reason: Each EMV chip card issued has two sets of digital card validation codes: a CVC for the magnetic stripe and a different, integrated CVC (or iCVC) for the EMV chip. Card issuers keep both codes on file, as well as a secret dynamic code unique to that chip, to verify the authenticity of every card transaction.
As a result, it’s impossible to clone a chip card. While skimmers and shimmers can create a cobbled-together mag stripe clone, it won’t buy them anything with merchants and banks that are following standard card security protocols. And those noncompliant operators who aren’t watching the store are fast diminishing as U.S. cardholders trade in their mag stripes for chips.
“The EMV mechanism is such that you can authenticate that that card is real and that it hasn’t been tampered with. Taking the data from a shimmed card doesn’t get you that data,” Billett explains. “If you look at the reports from Europe based on when EMV was introduced, going back 10 years now, their cure for redemption fraud in skimming is way, way down and dropped pretty much consistent with the EMV rollout. So hopefully we can get there very soon.”
The only U.S. terminals that would be fooled by a shimmed card are fast disappearing, according to Mastercard spokeswoman Beth Kitchener. In fact, Mastercard’s EMV partner Visa estimates that counterfeit fraud has declined by 50 percent at chip-enabled merchants, according to Visa vice president of risk and authentication products Stephanie Ericksen.
Because cards that have been cloned through shimming must rely on their mag stripe and not a chip to commit fraud, “shimmed cards can only be used in in-store retail environments that have not upgraded to EMV chip technology,” Kitchener notes.
Can tap-and-go save the day?
OK, so maybe the odds are very slim that your card will ever be shimmed and cloned. What steps can you take to mitigate even that remote risk?
In addition to closely monitoring your account for unauthorized purchases and setting text and email alerts and maximum ATM withdrawal limits on your cards, you may want to explore a tap-and-go contactless card or mobile pay apps such as Apple Pay or Samsung Pay rather than dip your chip.
“Tap-and-go or contactless cards would also help eliminate skimming or shimming,” explains Kitchener. That’s because each tap-and-go transaction uses limited banking information that prevents it from being used for fraud.
It was easy for Canada’s RCMP to recommend that consumers switch to tap-and-go, given that 95 percent of the cards up north support contactless payments and 8 out of 10 Canadian retailers have terminals with Near Field Communication (NFC) capability — a wireless technology that allows data to be exchanged between two different devices, such as a cellphone and a credit card terminal, from a short distance away.
Contactless payment forms are “actually very secure,” the RCMP’s McLaughlin explained. “Each tap transfers very limited banking information, which can’t be used to clone your card.”
Contactless cards are still the exception rather than the rule in the U.S., due in part to the rocky rollout of EMV and the reluctance of many banks and merchants to pay extra for terminals with an NFC antenna.
They are, however, expected to flood the U.S. soon. Contactless card shipments, which numbered 25.5 million in 2015, are expected to balloon to 405 million in 2021, according to a study released in November 2016 by ABI Research.
Whether you dip or tap, in the rare case you fall victim to a “shimmer,” rest assured: Both Visa and Mastercard have got your back.
“Cardholders should try their best to protect themselves from fraud. If this isn’t possible, they are protected by zero liability, which ensures they are never held responsible for fraudulent purchases,” Kitchener says.
Editor’s note: This story, “The new card skimming is called ‘shimming’” originally was posted on CreditCards.com.