Undetectable ATM shimmers used to steal chip-based card data worldwide

Pierluigi Paganini November 02, 2017

Crooks continue to use skimmers in card fraud, and these devices are becoming even more sophisticated. The latest wave of attacks relies on so-called shimmers.

Crooks continue to use skimmers in payment card fraud, and these devices are becoming even more sophisticated.

The number of cyber attacks against ATMs involving so-called ‘insert skimmers’ is increasing. Insert skimmers are wafer-thin fraud devices designed to fit invisibly inside the ATM card slot.

Insert skimmers capture card data and store it in embedded flash memory.

In July, the popular investigator Brian Krebs reported cases of insert skimmers that were able to transmit stolen card data wirelessly via infrared.

Infrared is a short-range communication technology; we use it every day when we change the channel with a television remote control.

Krebs cited a case from a few weeks earlier in the Oklahoma City metropolitan area, where at least four banks were victims of ATM attacks involving insert skimmers.

The latest warning comes from Canada, where experts observed a new wave of attacks using sophisticated ATM skimming devices called ‘shimmers’. Shimmers are skimming devices that can be used to steal data from chip-based credit and debit cards while cardholders use them in point-of-sale (POS) terminals.

Shimmers, and insert skimmers more generally, are replacing bulkier skimmers, as explained by Const. Alex Bojic of the Coquitlam RCMP economic crime unit.


“A major Coquitlam business now includes daily testing of its computerized point-of-sale terminals as part of its security routine. On January 11, 2017, one of those routine daily checks found that a test card was sticking inside the terminals. When the terminals were opened, they contained four very slim, plastic card ‘shimmers’ that contained microchips meant to illegally capture the banking data on your credit or debit cards. If the data had been successfully stolen it could have been used to create fake credit or debit cards.” reads the blog post published by the Coquitlam RCMP economic crime unit.

“The Coquitlam RCMP Economic Crime Unit (ECU) says these new, tiny card shimmers make the once-bulky, overlay systems called ‘skimmers’ virtually obsolete. You can’t see a shimmer from the outside like the old ‘skimmer’ versions says Cst. Alex Bojic of Coquitlam RCMP ECU, businesses and consumers should immediately report anything abnormal about the way their card is acting. That’s especially true if the card is sticking inside the machine.”

The shimmers have been used in attacks against POS machines located in retail stores and other public areas.

“Most skimming devices made to steal credit card data do so by recording the data stored in plain text on the magnetic stripe on the backs of cards. A shimmer, on the other hand, is so named because it acts as a shim that sits between the chip on the card and the chip reader in the ATM or point-of-sale device — recording the data on the chip as it is read by the underlying machine.” wrote Krebs.

The crimes were initially reported in Canada, but law enforcement is warning financial institutions worldwide.

Shimmers fit inside a card reader, where they record information from chip cards.

ATM shimmer attacks exploit the fact that some financial institutions apparently don’t correctly implement the EMV chip card standard.

According to gbhackers.com, ATM giant NCR Corp wrote in a 2016 alert that an essential condition for the success of this attack is that a bank card “issuer neglects to check the CVV when authorizing a transaction”.

“All issuers MUST make these basic checks to prevent this category of fraud. Card Shimming is not a vulnerability with a chip card, nor with an ATM, and therefore it is not necessary to add protection mechanisms against this form of attack to the ATM.”
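An added illustration of the issuer-side check that the NCR alert calls for (not code from NCR, Krebs or the RCMP). It relies on a fact the article does not spell out: the verification value stored on an EMV chip (iCVV) is derived differently from the CVV on the magnetic stripe, so a stripe transaction carrying the chip's value fails validation. The HMAC derivation, key and card values are constructed stand-ins for the issuer's real DES-based algorithm.

```python
import hashlib
import hmac

CVK = b"constructed-demo-key"   # constructed; real keys live in an issuer HSM
ICVV_SERVICE_CODE = "999"       # service code used when deriving the chip iCVV


def verification_value(pan: str, expiry: str, service_code: str) -> str:
    """Stand-in for the issuer's DES-based CVV derivation (assumption: HMAC
    replaces it here). The property that matters is kept: the result depends
    on the service code, so the chip iCVV differs from the stripe CVV."""
    msg = f"{pan}|{expiry}|{service_code}".encode()
    digest = hmac.new(CVK, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1000:03d}"


def authorize(txn: dict, check_cvv: bool = True) -> str:
    """Issuer decision for a transaction with keys pan, expiry, service_code,
    entry_mode ('chip' or 'magstripe') and cvv (value read from the card)."""
    if not check_cvv:
        return "APPROVE"  # the omission the NCR alert warns about
    if txn["entry_mode"] == "chip":
        code = ICVV_SERVICE_CODE
    else:
        code = txn["service_code"]
    expected = verification_value(txn["pan"], txn["expiry"], code)
    return "APPROVE" if hmac.compare_digest(expected, txn["cvv"]) else "DECLINE"


def demo() -> dict:
    # Constructed card using a widely used test number, not a real account.
    card = {"pan": "4111111111111111", "expiry": "2912", "service_code": "201"}
    cvv = verification_value(card["pan"], card["expiry"], card["service_code"])
    icvv = verification_value(card["pan"], card["expiry"], ICVV_SERVICE_CODE)
    genuine_chip = {**card, "entry_mode": "chip", "cvv": icvv}
    genuine_stripe = {**card, "entry_mode": "magstripe", "cvv": cvv}
    # Counterfeit stripe built from shimmed chip data: it carries the iCVV.
    counterfeit = {**card, "entry_mode": "magstripe", "cvv": icvv}
    return {
        "genuine_chip": authorize(genuine_chip),
        "genuine_stripe": authorize(genuine_stripe),
        "counterfeit_checked": authorize(counterfeit),
        "counterfeit_unchecked": authorize(counterfeit, check_cvv=False),
        "values_differ": cvv != icvv,
    }


if __name__ == "__main__":
    print(demo())
```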


Pierluigi Paganini

(Security Affairs – insert skimmers, cybercrime)
