
ATM Fraud: Skimming vs. Shimming

Question: 
For several years now, the most prevalent form of ATM fraud has been “Skimming”, where a device is attached to an ATM that captures magnetic stripe data as the card passes into a machine. We recently heard of a new ATM fraud technique called “Shimming”. Are they the same thing?
Answer: 

As you correctly note, the term skimming is used to describe the act of capturing magnetic stripe data from the back of a credit or debit card, and it was quite prevalent in the mid to late 90s. “Shimming” is a relatively new technique that fraudsters use to capture the chip data used in the new EMV verification process being implemented by Euro, Mastercard, and VISA to combat ATM and point of sale fraud (see related article in this issue).

Shimming works by compromising a perfectly legitimate card reader (like an ATM): a very thin, flexible circuit board is inserted through the card slot and sticks to the internal contacts that read card data. The shim is inserted using a “carrier card” that holds the shim, inserts it into the card slot and locks it into place on the internal reader contacts. The carrier card is then removed. Once inserted, the shim is not visible from the outside of the machine. The shim then performs a man-in-the-middle attack between an inserted credit card and the circuit board of the ATM.

A recent security alert from NCR indicates that shimming activity has increased throughout the United States, since most other countries have migrated to the EMV technology to combat ATM fraud. According to the alert, “Data from a variety of sources show that 2015 has seen an alarming increase in card skimming attacks at ATMs. This trend also is consistent with reports of increases in card skimming attacks at other point of sale terminals, particularly the United States”. Unlike most of the skimmers that have been used over the years, shimmers are almost impossible to see through a visual inspection of the ATM; however, banks can run a simple automated software check to see if any card inserted into an ATM is a counterfeit magnetic stripe card that is encoded with data stolen from a chip card.
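The automated check mentioned above, sketched as an added example (not code from NCR or from this publication): a chip card's Track 2 Equivalent Data carries a chip-only verification value (iCVV) in place of the stripe's CVV1, so a magnetic stripe read that presents the iCVV was encoded from chip data. The Track 2 samples, the issuer values, and the position of the CVV inside the discretionary data are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Track 2 layout: ';' PAN '=' YYMM expiry, 3-digit service code, discretionary data, '?'
TRACK2 = re.compile(r"^;?(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??$")

@dataclass
class IssuerRecord:
    """Per-card values the issuer derives in its HSM (constructed here)."""
    cvv1: str  # value encoded on the genuine magnetic stripe
    icvv: str  # value carried in the chip's Track 2 Equivalent Data

def cvv_from_track2(track2: str, offset: int = 5) -> tuple[str, str]:
    """Return (service_code, cvv). `offset` is an assumed CVV position in the
    discretionary data; the real layout is defined by each issuer."""
    m = TRACK2.match(track2.strip())
    if not m:
        raise ValueError("malformed Track 2 data")
    cvv = m["disc"][offset:offset + 3]
    if len(cvv) != 3:
        raise ValueError("discretionary data too short for a CVV")
    return m["svc"], cvv

def classify_magstripe_auth(track2: str, card: IssuerRecord) -> str:
    """Classify an authorization whose card data was read from a magnetic stripe."""
    svc, cvv = cvv_from_track2(track2)
    if cvv == card.cvv1:
        # Service codes starting with 2 or 6 mark a chip card, so a stripe
        # read of such a card is a fallback transaction worth tracking.
        return "stripe-ok-chip-fallback" if svc[0] in "26" else "stripe-ok"
    if cvv == card.icvv:
        # The chip-only value arrived on a stripe: counterfeit built from chip data.
        return "decline-chip-data-on-stripe"
    return "decline-cvv-mismatch"

# Constructed sample data (not real card numbers or verification values).
CARD = IssuerRecord(cvv1="321", icvv="654")
GENUINE_STRIPE = ";4000001234567899=301220112345321000?"
CLONED_FROM_CHIP = ";4000001234567899=301220112345654000?"

if __name__ == "__main__":
    for label, t2 in (("genuine", GENUINE_STRIPE), ("cloned", CLONED_FROM_CHIP)):
        print(label, classify_magstripe_auth(t2, CARD))
```

The check only separates the two cases when the issuer personalizes the chip with a value different from CVV1 and actually validates the value on every magnetic stripe authorization.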


First published on 04/25/2016
