The shimming attacks are banking security issues that target EMV chip cardholders. The paper sized device with a microprocessor and flash memory inside it is inserted into the card reader or ATM to capture user data. The EMV chip on the card is taped by the shimmer to obtain the cardholder information. The shimmer do not require any external command interface to retrieve data. The shimmers are removed from the ATM or card readers to recover the stolen data. The stolen information is then sold on the Internet or used to clone the magnetic strip cards.
The attackers cannot create duplicate EMV chip cards using the stolen data since the EMV chip card requires unique transaction codes in each of its transactions. But the attackers are able to create a duplicate magnetic stripe card using the stolen data. These cards are further used in malls and stores that accept magnetic stripe cards. The shimmer once inserted into the device are hard to detect as it is inserted fully into the ATM or card readers, making it virtually invisible to the ATM user.
Shimmers acts like shim and sits between the chip of the card and the card reader in an ATM or POS device, which gives it the name shimmer. The microprocessors on the shimmers are programmed to operate as a chip-in-the-middle that relays the ATM commands to the EMV chip cards and records back the information from chip cards. Flash memory in the shimmer is used to store the data.
The shimming attacks started with the introduction of EMV chip card to the market as ATM skimming are not effective on EMV cards. Both card issuers and ATM operators play a significant role in preventing shimming attacks.
EMV chip cards have a component known as Integrated Card Validation Code (ICVC). The ICVC is also called Dynamic Card Verification Value. The ICVC differs from the Card Verification Value (CVV). The ICVC protects the chip card from the cybercriminals by not allowing them to create a counterfeit magnetic stripe card once the attackers steal the data through shimming attacks.
• Regular monitoring and checking the surroundings of the card slot to ensure that no additional devices are inserted into the card reader or ATM card slot.
• Inspect the ATM’s and the areas near the ATM for the unrecognized devices or unauthorized hidden cameras. If any of such illegal devices installed, inform bank authorities immediately.
• Ensure that the host network is checking for the card verification code in both chip-based and magnetic strip card transactions.
• Keep track of bank transactions regularly, inform the bank officials in case of any irregular transactions.
• The customer keys and codes should be issued to customers by the bank to ensure secure ATM transactions.
• While inserting the card, if you notice that the card reader is rigid than the standard grip, then there is a chance of the shimmer being present inside the card reader. During such scenarios, cancel the transaction and notify the respective authority.
• Using contactless transactions are the best way to stop shimming attacks. Contactless transactions such as tap-and-go, and mobile banking applications are the best way to protect from the shimming attacks since they are entirely immune to shimming.
• Using the ATM’s with proper security systems are best, as the attackers usually target the devices with fewer security systems such as off-limit retail ATM’s and non-banking ATM’s.
• Check for signs like physical damage or broken security tapes in the machine which might point to device tampering.
• Using a credit card is a better option than a debit card since credit cards do not provide the bank account details of the users.
• Assure that the cards are encoded using different verification values for magnetic stripe cards and EMV chip cards. It is crucial to ensure that the Integrated Card Validation Code (ICVC) of the EMV chip is different from the CVV value on the magnetic stripe card to make sure that if the EMV chip card data gets stolen, the attackers cannot use it to create a duplicate magnetic stripe card.
• Updating the hardware and the software of ATMs prevents the bank, card issuers, or users from being the victims of shimming attacks.
To protect your ATM network from fraud, the banking security experts at Netsentries have developed a series of hands-on vulnerability assessments that look at the entire ATM environment. We can identify software, hardware, and communication protocol vulnerabilities that can be exploited and provide remediation measures to effectively resolve them.
Please visit our website to know more about our ATM Security Assessment Services.
.svg)
