August 11, 2015

Fraud experts in Mexico have discovered an unusual ATM skimming device that can be inserted into the mouth of the cash machine’s card acceptance slot and used to read data directly off of chip-enabled credit or debit cards.

The device pictured below is a type of skimmer known as a “shimmer,” so named because it acts a shim that sits between the chip on the card and the chip reader in the ATM — recording the data on the chip as it is read by the ATM.

This card 'shimming' device is made to read chip-enabled cards and can be inserted directly into the ATM's card acceptance slot.

This card ‘shimming’ device is made to read chip-enabled cards and can be inserted directly into the ATM’s card acceptance slot.

The chip reading component includes the eight gold rectangular leads seen on the right side of this device; the electronics that power the data storage on the shimmer can be seen in black at the top of the image.

According to information from Damage Control S.A., a security and investigations company based in Mexico, this device was found inside a Diebold Opteva 520 with Dip reader (the kind of card reader that requires you to briefly insert your card and then quickly remove it). The device is inserted from the outside of the ATM and no access is required to the ATM internals. Damage Control, which disseminated the information via a service called CrimeDex, didn’t say whether this shimmer was accompanied by a component to steal card PINs, such as a hidden camera or PIN pad overlay.

Here’s a look at what this thing looks like while it’s sitting inside a compromised ATM’s reader (notice how the chip-reading components shown in the first image are obscured in this one by the ATM’s chip reader):

The shimming device, as seen inside of an ATM. Notice how the  chip-reading components shown in the first image are obscured in this one by the ATM's chip reader.

The shimming device, as seen inside of an ATM. Notice how the chip-reading components shown in the first image are obscured in this one by the ATM’s chip reader.

Cards equipped with a computer chip are more secure than cards which rely solely on magnetic stripes to store account data. Although the data that is typically stored on a card’s magnetic stripe is replicated inside the chip on chip-enabled cards, the chip contains an additional security components not found on a magnetic stripe.

A chip card. Image: First Data

A chip card. Image: First Data

One of those is a component known as an integrated circuit card verification value or “iCVV” for short. The iCVV differs from the card verification value (CVV) stored on the physical magnetic stripe, and protects against the copying of magnetic-stripe data from the chip and using that data to create counterfeit magnetic stripe cards.

Banks can run a simple check to see if any card inserted into an ATM is a counterfeit magnetic stripe card that is encoded with data stolen from a chip card. But there may be some instances in which banks are doing this checking incorrectly or not at all during some periods, and experts say the thieves have figured out which ATMs will accept magnetic stripe cards that are cloned from chip cards.

“This suggests to me that the thieves plan to target an issuer where they know the CVV is not going to be checked,” said Charlie Harrow, solutions manager for global security at NCR, an ATM manufacturer.

For more on ATM skimmers and other fraud devices, check out my series All About Skimmers.

Update, Aug. 12, 3:29: Added language to clarify that Mexican security firm Damage Control reported the skimming attack via Crimedex, which is a service of video intelligence firm 3VR.


88 thoughts on “Chip Card ATM ‘Shimmer’ Found in Mexico

  1. Tech-Key

    Brian, just a heads up.
    Lately Gmail marks your emails as possible spam/scam (for me at least) with a message that says “Be careful with this message. It contains content that’s typically used to steal personal information. Learn more”
    They don’t go on the spam folder, just get a big red sign at the top.

    http://imgur.com/RQp4K5t

    Not quite sure why it’s doing that but it’s a shame because everyone who uses the internet or a credit card should probably be reading your articles.

  2. Dave L

    Berke,
    Well said. EMV card were never positioned to be the silver bullet to address all card fraud. To those touting 2FA, while certainly more secure, go talk to a Tier 1 or 2 merchant (a group that probably accounts for 60 – 70% of card transaction volume) and see how they feel about even a further 2 second delay in getting the customer out of the line so the cashier can start ringing up the next customer. The EMV process requires the transaction total to be sent to the reader before it can continue its process and the card must remain inserted until the transaction authorization decision is sent back to the terminal. Most merchants are saying this is adding at least 4 – 6 seconds to the end of the transaction.

    1. Vince H

      I noted this additional time in the US but not in Europe, actually the clerk told me to remove the card because it was so fast, actual faster than the usual swiping…

    2. mr x

      i surprised you even used (real) EMV in USA as the shops that own them most are likely unaware it actually supports it (you get dirty/confused looks when the card reader Forces them to emm insert it into the reader and Prove i am the owner) EMV+ sign pad is not proper way (just more ways to charge the shop owners for the plug in Sign pad that brake on you forcing you to buy another one off them, just a money making scam for the banks or card reader sellers)

      i norm wait until the card says transaction complete most of the time its done after you press enter

      in the UK its the Shell fuel stations that have the slowest, you must really wait until it says transaction completed as the stupid display flashes a lot in between actions with no info making it look like its done, and if you pull it before it completes it cancels the transaction and have to do it again (its the only place that has ever been a problem everywhere else its just put pin in press enter and off you go unless they are using dial up card reader)

      the New fast pay or tap and pay is nice for under £20 transactions,, food and drink places normally, but some shops are not keen on it as its classed as Customer Not Present and that means the Shop owner is liable for the full transaction if its fraud (chip and pin the customer has to prove it was fraud)

  3. Alan Murray McDonald

    Most important inf0 for travelers. How may I obtain a copy?

Comments are closed.