Thieves Now Use “Shimmers” to Grab Chip Card Data

Criminals are doing new things to steal your credit and debit card information—in a really sneaky way. They’re using “shimmers.”

These are the newest form of card skimmers, only smaller, more powerful and practically impossible to detect. And even more stealthy, suspects are using bluetooth technology to install ‘disposable’ shimmers.

Unlike skimmers or overlays (devices that are placed over ATMs existing parts—the card reader, deposit intake area, keypad, etc.), shimmers (named because of its similarity to shim spacers that fill small gaps) are tiny devices placed inside the reader. Shimmers target the more-secure chip-based cards, specifically when you use an ATM or sales terminal’s dip reader.

skimmer-example

Skimmer (Photo courtesy Krebs on Security)

The old tech-skimmers
Card skimmers have been around for a while. Skimmers account for billions in consumer losses, according to ATM Marketplace. Skimmers are usually affixed to an ATM or gas station pump. They can capture and record the data from a card’s magnetic stripe. They’re almost always accompanied by a (small) camera so that the PIN can be recorded while it’s being entered.

Skimmers blend in with the existing equipment so well that they are hard to notice. But they can be spotted—you can check for some signs of tampering at the top of the ATM, near the speakers, the side of the screen, the card reader slot, and the keyboard. If something looks different; such as a different color or material, graphics that aren’t aligned correctly, or anything else that doesn’t look right (something that could be loose if gently pulled on)—consider using a different ATM.

Once criminals obtain a skimmer’s data, they create a counterfeit debit/credit card. And just how are counterfeit debit/credit cards created? By purchasing legal, readily-available blank card stock on the Internet for as little as $0.15 per card.

internal-skimmer-example

Razor-Thin Shimmer (Photo courtesy Krebs on Security)

The new tech-shimmers
In the U.S., financial institutions have been migrating away from magnetic strip to chip cards for more security. And more and more stores and ATMs are enabling their terminals to accept transactions using chip-enabled cards.

shimmer-example

Disposable Shimmer (Used with Bluetooth)

But the transition to chip has been slow. And in the meantime, criminals have found a flaw in the way the technology works. Shimmers are used to take advantage of this flaw. Information that shimmers intercept from the microchips have resulted in cloned cards, created with data compromised by the device.

According to the fraud prevention blog Fraud Fighter, “It may seem somewhat absurd that anyone can create anything that is thin enough to insert into the chip reader considering how thin a credit card is…But, unsurprisingly, enterprising criminals have figured out a way…”

WHAT TOWER IS DOING TO KEEP YOU SAFE

Proactively Cancels and Reissues Cards that have been suspected of being compromised.

Inspects ATMs daily for skimmer/shimmer devices.

Works with local and Federal Agencies in instances when a device has been uncovered.

Is Exploring New ATM technology that will reduce the risk of skimmers and shimmers being installed on Tower ATMs.

WHAT YOU CAN DO

Keep an eye on your bank/credit card statement as much as possible for any unauthorized charges.

Set text or e-mail usage alerts on your accounts.

Try to use ATMs/gas station pumps in well-known areas, and owned by well-known vendors.

When at the ATM, cover the PIN pad with your hand as you type in your PIN.

Resources: Fraud Fighter, TechCrunch, Bankrate.com, Krebs on Security