Where there’s a will there’s a way. Criminals will always find a way to get what they want. Everytime we add another layer of protection against credit card fraud, adept criminal minds will set out to crack it. When credit and debit cards were switched to cards embedded with EMV chip technology they became a lot harder for criminals to hack. Those criminals soon realized that the skimmers they used to copy the customer’s card information from the magnetic stripe on the card wouldn’t work anymore, so they found a way to create a new device to try to hack the EMV chip.
Enter shimming. Were not talking about the little piece of wood you use to make a door frame straight or level a washing machine. Shimming is a new technique used to gather information from an EMV chip card by slipping a paper thin recording device into the slot where the chip card is inserted.
This device is so thin and unnoticeable that it can easily be inserted into any wireless reader or EMV chip card terminal slot when someone is not looking. And then removed just as easily. It would look to most bystanders that they were just making a payment as normal. The super thin device is able to read and store some of the information in the EMV chip and magnetic stripe on the card.
This would obviously be much more prevalent where terminals are not directly in front of a cashier. A gas station terminal for instance almost any time, but especially at night, is a perfect target for a less than scrupulous person to pull off and insert a shimmer while going completely unnoticed. But, as evidenced by the rampant pick pockets of Italy, people are cunning.
The good news is credit card shimming isn’t exactly widespread.
Probably because in no way is this a perfect crime. EMV chips are more secure, and the exact way they are made to be secure is what helps to foil the whole system. Each EMV chip card is protected by two validation codes, one for the mag stripe and an integrated validation code, or dynamic CVV, for the the chip itself. Both codes are kept on file at the issuing bank where a third dynamic code unique to that chip is also kept. Because that data is hidden from the shimmer they are only able to clone the card with a mag stripe and not a chip. This makes the card impossible to use at a retail location that has updated to the EMV chip enabled terminals, but it would completely fool an old out of date swipe only terminal.
A few simple precautions can help to protect businesses and consumers from falling victim to credit card fraud due to shimming.
Just taking a little bit of time and thought can help lower the likelihood of getting caught in this trap. All businesses should make sure that they have updated their terminals and their POS systems to accept EMV chips. Also, regularly checking your terminals for anything irregular will help to keep the incidence down. Oftentimes, when one of these devices has been installed in a terminal EMV slot it will cause some resistance or make it a little hard for the card to slide into the slot easily. If this is the case have it checked immediately. Because the counterfeited card is cloned with a mag stripe and not a chip it would not be able to be used at a terminal that accepts EMV. When the person tries to use the mag stripe swiper on the terminal the system would recognize that it was a card that was issued with an EMV chip and ask for the customer to insert the chip, which since it is a cloned card there would not be one. These cards still, however, can be used online and at retailers that are still using outdated equipment.
For consumers looking to protect themselves while using terminals in higher risk situations there are also a few easy precautions that can be taken. If you have been fighting off using your digital wallet because you don’t understand it or you don’t believe it is safe this is a perfect time to throw away all those excuses and get yourself set up and familiarize yourself with the technology. know a woman who commutes quite a distance to work every day and therefor ends up stopping for gas in a rush on her way to work.
Although she has been a victim of the older practice of credit card skimming no less than five times she still refuses to set up and use her Apple Pay! There is really no reason not to start making payments using touchless, or contactless, payment technology.
Making a payment through NFC with a digital wallet such as Samsung Pay or Apple Pay will save you from having your information stolen from the EMV chip. Because these digital transactions use tokenization to communicate transaction information that is unique to each transaction is it impossible for the shimmer to capture the information.
It also pays to pay attention to your surroundings and watch your own back. Be careful at freestanding or outside ATMs, taking care to actually cover your hand while typing in your PIN since thieves often install a camera near the pad. Whenever possible go inside to withdraw money where the machine is likely to be watched over a little more closely or just go straight to the teller.
As always, if you have any concerns that your card might have been compromised make sure to contact your bank, the credit card issuer and don’t forget to let the merchant know as well.
Just because they are using sophisticated technology to commit fraud doesn’t necessarily mean you need sophisticated tech to thwart it.
Simply paying attention to your surroundings, keeping your eye out for irregularities and performing a good physical check on your machines can go a long way to keep a business and it’s customers safe from fraud.
Bankcard Brokers takes security very seriously. We always make sure we are taking every precaution available to protect our customers. We strive to not only stay on the cutting edge of new technology but to use that technology to help our customers succeed.
For more tips on how to protect your business from fraud or if you have yet to update to the more secure EMV/NFC capable terminals give Bankcard Brokers a call and we’ll have you up and running in no time.