Shimmers and Skimmers: Fraudsters Find Opportunity in EMV Chip Cards

by Brian Riley 0

fleet card

Just after the U.S. Market re-carded almost a billion payment cards, dark, new technologies attempt to reduce fraud effectiveness.  Chips were designed by French banks in the mid-1980’s to counteract counterfeit fraud.  In some instances,  the magnetic stripe on pre-paid cards could recode information garnered by a card-skimmer.  The Skimmer would capture mag-stripe data, and the fraudster would merely recode the magnetic stripe data onto the card.

Visa and Master card report significant reductions in counterfeit fraud since EMV chips rolled out in the U.S. market, but the benefit may be short-lived as this article states.   Moreover, the new buzz-word that identifies the criminal act evolves from “skimming” to “shimming.”  Instead of copying the magnetic stripe data, shimming attacks the EMV chip.

  • EMV chip cards addressed the vulnerability of magnetic strip credit cards, namely credit card skimming. In this scam, a device is physically attached to a gas pump, ATM, or point of sale machine to capture your account information without your consent.

  • Once this information is obtained, a counterfeit card can be created to make purchases or withdraw cash from your account.

  • However, consumers who upgraded to chip cards may have prematurely breathed a sigh of relief, because thieves have found a new way to exploit chip-enabled cards through credit card shimming instead of skimming.

The potential risk here is not the chip itself but rather on the issuing bank’s execution of setting up the card security.  Banks must trigger encoding functions on the card to be adequately secured.

  • An important distinction is that skimming devices read information from the magnetic strip on the back of the card, while shimmers contain microchips specifically designed to capture data contained in the EMV chip as soon as you insert your card into an ATM or point of sale machine.

  • Credit card skimmers are often bulky and wobbly, but shimmers are paper-thin. While you might be able to identify a credit card skimmer since it sits on top of the original card reader, the unfortunate truth is that you cannot see a shimmer with your naked eye.

  • It is installed in the card reader itself, often by a crook pretending to make a transaction.

  • While this might sound like the EMV cards have failed, there is more to the story. Chip cards still contain an additional level of security that magnetic strip cards lack, but if a bank fails to perform a critical verification step, then you might have a problem.

There are a few takeaways.  Fraudsters are just as innovative than banks.  They look for holes and exploit weaknesses. These criminals are just as creative as bank programmers and waste no time in their attacks.  Banks, payment networks, and vendors are persistently developing new techniques, such as tokenization, and you can be sure fraudsters are not far behind.  Predictive tools like FICO Falcon and ACI’s Proactive Risk Manager remain key tools to manage the function and prosecute the infiltrators.

Overview by Brian Riley, Director, Credit Advisory Service at Mercator Advisory Group

Featured Content