Fraud experts in Mexico have discovered an unusual ATM skimming device that can be inserted into the mouth of the cash machine’s card acceptance slot and used to read data directly off of chip-enabled credit or debit cards.
The device pictured below is a type of skimmer known as a “shimmer,” so named because it acts a shim that sits between the chip on the card and the chip reader in the ATM — recording the data on the chip as it is read by the ATM.
The chip reading component includes the eight gold rectangular leads seen on the right side of this device; the electronics that power the data storage on the shimmer can be seen in black at the top of the image.
According to information from Damage Control S.A., a security and investigations company based in Mexico, this device was found inside a Diebold Opteva 520 with Dip reader (the kind of card reader that requires you to briefly insert your card and then quickly remove it). The device is inserted from the outside of the ATM and no access is required to the ATM internals. Damage Control, which disseminated the information via a service called CrimeDex, didn’t say whether this shimmer was accompanied by a component to steal card PINs, such as a hidden camera or PIN pad overlay.
Here’s a look at what this thing looks like while it’s sitting inside a compromised ATM’s reader (notice how the chip-reading components shown in the first image are obscured in this one by the ATM’s chip reader):
Cards equipped with a computer chip are more secure than cards which rely solely on magnetic stripes to store account data. Although the data that is typically stored on a card’s magnetic stripe is replicated inside the chip on chip-enabled cards, the chip contains an additional security components not found on a magnetic stripe.
One of those is a component known as an integrated circuit card verification value or “iCVV” for short. The iCVV differs from the card verification value (CVV) stored on the physical magnetic stripe, and protects against the copying of magnetic-stripe data from the chip and using that data to create counterfeit magnetic stripe cards.
Banks can run a simple check to see if any card inserted into an ATM is a counterfeit magnetic stripe card that is encoded with data stolen from a chip card. But there may be some instances in which banks are doing this checking incorrectly or not at all during some periods, and experts say the thieves have figured out which ATMs will accept magnetic stripe cards that are cloned from chip cards.
“This suggests to me that the thieves plan to target an issuer where they know the CVV is not going to be checked,” said Charlie Harrow, solutions manager for global security at NCR, an ATM manufacturer.
For more on ATM skimmers and other fraud devices, check out my series All About Skimmers.
Update, Aug. 12, 3:29: Added language to clarify that Mexican security firm Damage Control reported the skimming attack via Crimedex, which is a service of video intelligence firm 3VR.