Security Experts:

Connect with us

Hi, what are you looking for?



Hackers Favoring Shimmers Over Skimmers for ATM Attacks

Cybercriminals are increasingly using shimmers instead of skimmers in attacks targeting automated teller machines, Flashpoint reports. 

Cybercriminals are increasingly using shimmers instead of skimmers in attacks targeting automated teller machines, Flashpoint reports. 

Skimmers are small devices nearly indistinguishable from legitimate card readers, which have been designed to steal the data from the card’s magnetic stripe, thus allowing hackers to clone cards. These devices can fit over an existing card reader and are typically difficult to notice. 

The widespread implementation of the Europay Mastercard Visa (EMV) payment method via chip cards, prevents the use of skimmers by storing data on integrated circuits. Attackers are now focusing on capturing data from the chip, and this is where shimmers enter stage. 

First detailed in 2016, these thin devices are much smaller than skimmers and are usually positioned between the chip and the chip reader inside an ATM or point-of-sale system. They include flash storage and a microchip and store copied payment card data, which is then dumped onto the magnetic stripe of a fraudulent card.

“Shimmers have been slowly nudging skimmers aside as the number of EMV implementations increases nationwide,” Flashpoint reveals

Chip cards in theory cannot be cloned due to an integrated circuit card verification value (iCVV), which differs from the more familiar CVV number stored on magnetic stripes. iCVVs prevent the copying of magnetic-stripe data from the chip, and the creation of counterfeit magnetic stripe cards using the data.

Another security measure is the presence of a Card Protection Plate (CPP) inside an ATM. This security mechanism is meant to prevent objects from being inserted inside the ATM card reader and is difficult to bypass, even with a shimmer. 

However, the mechanism can be bypassed, depending on whether the bank is properly verifying transactions, specifically the iCVV, Flashpoint says. 

Attackers take advantage of improperly implemented EMV chip card standard to target less secure configurations, such as Static Data Authentication (SDA) EMV cards, which are slowly being replaced with Dynamic Data Authentication (DDA), and Combined Data Authentication (CDA).

“There is growing interest in custom-built shimmers advertised in online illicit communities. Some vendors also sell tools to detect CPPs and produce videos describing their shimmer placement and removal tools,” Flashpoint notes. 

The security firm considers CPPs to be the best mitigation for ATM shimming attacks at the moment, but also says that device software and hardware should be regularly updated, given that attackers often target older models that typically include outdated security features. 

An optional tamper switch should be installed when CPP is used, and proper EMV/CVV checks should be performed on all transactions. Furthermore, ATMs should be placed in well-lit and monitored locations, so that any tampering attempts could be easily noticed. 

Related: The Latest Threats to ATM Security

Related: WinPot ATM Malware Resembles a Slot Machine

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...