Thieves now use “Shimmers” to grab Chip/PIN card data

Just when you thought it was safe to slip your card in a slot ATM skimmers have gotten just a bit smarter. New devices called Shimmers can now read your card number and, in certain instances, access your card’s chip. While the technique isn’t new – Shimmers began appearing in 2015 – they are still a huge security hole and far more dangerous than standard skimmers.

Because Shimmers are so thin they can disappear inside of an ATM or card reader. The data read when the chip is activated cannot be used to create a chip-based card but because some of the magnetic data is passed during the read process you can use Shimmers to easily recreate dumb magnetic cards.

PIN and Chip cards use a system called dynamic CVV which makes them harder to crack than standard cards. However, some banks and vendors “have apparently not correctly implemented the chip card standard, known as EMV (short for Europay, Mastercard and Visa)” said Brian Krebs.

“The only way for this attack to be successful is if a [bank card] issuer neglects to check the CVV when authorizing a transaction,” wrote NCR Corp. wrote in a 2016. “All issuers MUST make these basic checks to prevent this category of fraud. Card Shimming is not a vulnerability with a chip card, nor with an ATM, and therefore it is not necessary to add protection mechanisms against this form of attack to the ATM.”

The bottom line? Always check the ATM and your surroundings for weird stuff. Sadly, simply pulling on the card reader might not work anymore because these thinner readers can slide right into the slot and hide there, waiting for your card.

ca-shim2