Hackers Favoring Shimmers Over Skimmers for ATM Attacks

Cybercriminals are increasingly using shimmers instead of skimmers in attacks targeting automated teller machines, Flashpoint reports. 

Skimmers are small devices nearly indistinguishable from legitimate card readers, which have been designed to steal the data from the card’s magnetic stripe, thus allowing hackers to clone cards. These devices can fit over an existing card reader and are typically difficult to notice. 

The widespread implementation of the Europay Mastercard Visa (EMV) payment method via chip cards, prevents the use of skimmers by storing data on integrated circuits. Attackers are now focusing on capturing data from the chip, and this is where shimmers enter stage. 

First detailed in 2016, these thin devices are much smaller than skimmers and are usually positioned between the chip and the chip reader inside an ATM or point-of-sale system. They include flash storage and a microchip and store copied payment card data, which is then dumped onto the magnetic stripe of a fraudulent card.

“Shimmers have been slowly nudging skimmers aside as the number of EMV implementations increases nationwide,” Flashpoint reveals. 

Chip cards in theory cannot be cloned due to an integrated circuit card verification value (iCVV), which differs from the more familiar CVV number stored on magnetic stripes. iCVVs prevent the copying of magnetic-stripe data from the chip, and the creation of counterfeit magnetic stripe cards using the data.

Another security measure is the presence of a Card Protection Plate (CPP) inside an ATM. This security mechanism is meant to prevent objects from being inserted inside the ATM card reader and is difficult to bypass, even with a shimmer. 

However, the mechanism can be bypassed, depending on whether the bank is properly verifying transactions, specifically the iCVV, Flashpoint says. 

Attackers take advantage of improperly implemented EMV chip card standard to target less secure configurations, such as Static Data Authentication (SDA) EMV cards, which are slowly being replaced with Dynamic Data Authentication (DDA), and Combined Data Authentication (CDA).

“There is growing interest in custom-built shimmers advertised in online illicit communities. Some vendors also sell tools to detect CPPs and produce videos describing their shimmer placement and removal tools,” Flashpoint notes. 

The security firm considers CPPs to be the best mitigation for ATM shimming attacks at the moment, but also says that device software and hardware should be regularly updated, given that attackers often target older models that typically include outdated security features. 

An optional tamper switch should be installed when CPP is used, and proper EMV/CVV checks should be performed on all transactions. Furthermore, ATMs should be placed in well-lit and monitored locations, so that any tampering attempts could be easily noticed. 

Related: The Latest Threats to ATM Security

Related: WinPot ATM Malware Resembles a Slot Machine