Out with Skimming, In with Shimming?

HIGHLIGHTS
Skimming horror stories are nothing new. Tales of consumers unwittingly inserting their cards at ATMs with fraudulent technology frequently pervade headlines. Fake card inserts, keypads and other devices have all been fitted on ATMs, giving them the look of the real deal while quietly collecting consumers’ data.

Skimming horror stories are nothing new. Tales of consumers unwittingly inserting their cards at ATMs with fraudulent technology frequently pervade headlines. Fake card inserts, keypads and other devices have all been fitted on ATMs, giving them the look of the real deal while quietly collecting consumers’ data.

Gradually, skimming devices have become smaller and smaller, making them more challenging to detect. These innovations have proved costly for credit unions and consumers alike. In 2015, ATM compromises increased 546 percent from the previous year.

Now, a new wave of skimmers threatens to cause trouble in the U.S. Called shimmers, these devices capture EMV chip card transaction data. Hidden within ATMs, shimmers are virtually undetectable. According to John Buzzard, CO-OP’s industry fraud specialist, this means shimmers have the potential to be even riskier than previous skimming iterations.

“Out of sight, out of mind can also apply to shimmers,” said Buzzard. “Common indicators of skimming devices, such as dangling wires, out-of-place stickers and unusual scratches, may not be present. This makes it far more difficult to identify shimmers.”

Fraudsters place the miniscule shimming devices directly next to ATMs’ chip readers. Powered by a microprocessor and flash memory, each device is well equipped to pick up card data – including account numbers and expiration dates. The attack’s subtlety makes it highly unlikely the chip reader will even pick up a disturbance.

While the data collected cannot be used to counterfeit chip cards, it can be used to make fake magnetic-stripe cards. Criminals will likely attempt to take advantage of this vulnerability by using the counterfeit cards for fraudulent purchases. Merchants who have not yet implemented EMV chip technology, in particular, may see these purchases come through.

Detecting fake cards created through shimming can be relatively easy for credit unions, however. The card verification values (CVVs) on the fake cards will not match the integrated card verification values (iCVVs) of the actual chip cards. By checking the CVVs on transactions, credit unions can more quickly weed out fraud.

With a presence in both Mexico and Canada already, it seems only a matter of time before shimmers start making their way to the U.S. To best prepare for this, credit unions are advised to consider taking the following steps.

  • Conduct physical ATM examinations. Video or PIN-capture devices may be in place to accompany shimming devices. Any foreign objects should be noted and removed immediately.
  • Implement anti-shimming equipment. ATM manufacturers may offer protective plates to help deter criminals from attaching shimmers.
  • Reissue EMV chip cards with new numbers. Issuing chip cards with new card numbers and expiration dates also triggers new CVV and iCVV values. Even if consumers had been victimized by shimming, any captured card information would become void.
  • Utilize fraud prevention resources. Credit unions partnering with CO-OP have access to FICO Card Alert Service (CAS). This resource helps identify skimming points of compromise involving stolen magnetic-stripe cards and PINs.

The emergence of shimming technology serves as a stark reminder of how quickly fraudsters can innovate. By being agile in their ability to recognize and adapt to changing fraud trends, credit unions will be better equipped to stay one step ahead.

To learn more about how to optimize today’s most advanced security innovations, download CO-OP’s eBook below.