Payment Card Holders Need to Beware of Shimming Attacks

Rather than swiping a payment card, most retailers are switching to chip-based cards in recent months. Unfortunately, this new method of payment which should add more security to the concept of card transactions, has become a target for skimming criminals. This new method, called shimming, is making headway in Canada right now. Experts predict this trend will expand to the United States, and possibly even Europe, in the coming months.

Retailers Need To Be Aware of Shimming Attempts

The method of card shimming may sound rather strange, yet is easy to explain. Whereas traditional skimmers steal credit card data by recording the magnetic stripe on the back of the card, shimming devices work quite differently. Instead, this is a small device that sits on top of the chip reader in the ATM or the PoS system, which records all data stored on the payment card chip as it is entered into the machine.

One thing to keep in mind is how shimmers cannot be used to create pin-based cloned payments cards directly. That being said, this attack vector should not be underestimated by any means, as it can still be used to clone the magnetic stripe in question. Since most merchants still swipe payment cards, criminals can use this method to make fraudulent purchases. Rest assured these criminals will try to make the most of the information obtained through shimming.

Even though chip-based payment cards present additional security, such as an integrated CVV code, it appears none of these security measures are sufficient to keep attackers at bay. The iCVV is different from the card verification value found on the back of the card, and should – theoretically – protect against the copying of magnetic stripe data. Unfortunately, it is this iCVV which is of such great interest to criminals.




For those who are wondering why shimmers exist, the answer is very simple. Some banks have incorrectly implemented the EMV standard. This also means not every payment card will be vulnerable to this type of attack, but there are quite a few payment cards which suffer from this bad implementation. To be more precise, not all bank card issuers check the CVV code when authorizing a transaction.

As one would come to expect from any physical device capable of reading sensitive card data, it is virtually impossible to spot. ATMs are far more prone to shimming attacks, simply because no one bothers to check the slot where they enter the payment card. Point-of-sale terminals are slightly trickier to ‘alter”,  as it requires physical access to the terminal in question.

Customers can reduce the risk of a shimming attack by taking some very simple precautions. Never withdraw cash from an ATM not located inside a bank building, and cover the PIN pad while entering your code. Additionally, withdrawing cash on the weekends is quite risky, as thieves tend to install shimmers during a weekend. Using a payment card is always a risk and criminals come up with new and creative ways to make life even more difficult.

If you liked this article, follow us on Twitter @themerklenews and make sure to subscribe to our newsletter to receive the latest bitcoin, cryptocurrency, and technology news.