Posts Tagged: iCVV


27
Jan 17

ATM ‘Shimmers’ Target Chip-Based Cards

Several readers have called attention to warnings coming out of Canada about a supposedly new form of card skimming called “shimming” that targets chip-based credit and debit cards. Shimming attacks are not new (KrebsOnSecurity first wrote about them in August 2015), but they are likely to become more common as a greater number of banks in the United States shift to issuing chip-based cards. Here’s a brief primer on shimming attacks, and why they succeed.

Several shimmers recently found inside Canadian ATMs. Source: RCMP.

Several shimmers recently found inside Canadian point-of-sale devices. Source: RCMP.

Most skimming devices made to steal credit card data do so by recording the data stored in plain text on the magnetic stripe on the backs of cards. A shimmer, on the other hand, is so named because it acts a shim that sits between the chip on the card and the chip reader in the ATM or point-of-sale device — recording the data on the chip as it is read by the underlying machine.

Data collected by shimmers cannot be used to fabricate a chip-based card, but it could be used to clone a magnetic stripe card. Although the data that is typically stored on a card’s magnetic stripe is replicated inside the chip on chip-enabled cards, the chip contains an additional security components not found on a magnetic stripe.

One of those is a component known as an integrated circuit card verification value or “iCVV” for short — also known as a “dynamic CVV.” The iCVV differs from the card verification value (CVV) stored on the physical magnetic stripe, and protects against the copying of magnetic-stripe data from the chip and using that data to create counterfeit magnetic stripe cards.

A close-up of a shimmer found on a Canadian ATM. Source: RCMP.

A close-up of a shimmer found inside a point-of-sale device in Canada. Source: RCMP.

The reason shimmers exist at all is that some banks have apparently not correctly implemented the chip card standard, known as EMV (short for Europay, Mastercard and Visa).

“The only way for this attack to be successful is if a [bank card] issuer neglects to check the CVV when authorizing a transaction,” ATM giant NCR Corp. wrote in a 2016 alert to customers. “All issuers MUST make these basic checks to prevent this category of fraud. Card Shimming is not a vulnerability with a chip card, nor with an ATM, and therefore it is not necessary to add protection mechanisms against this form of attack to the ATM.” Continue reading →


11
Aug 15

Chip Card ATM ‘Shimmer’ Found in Mexico

Fraud experts in Mexico have discovered an unusual ATM skimming device that can be inserted into the mouth of the cash machine’s card acceptance slot and used to read data directly off of chip-enabled credit or debit cards.

The device pictured below is a type of skimmer known as a “shimmer,” so named because it acts a shim that sits between the chip on the card and the chip reader in the ATM — recording the data on the chip as it is read by the ATM.

This card 'shimming' device is made to read chip-enabled cards and can be inserted directly into the ATM's card acceptance slot.

This card ‘shimming’ device is made to read chip-enabled cards and can be inserted directly into the ATM’s card acceptance slot.

The chip reading component includes the eight gold rectangular leads seen on the right side of this device; the electronics that power the data storage on the shimmer can be seen in black at the top of the image.

According to information from Damage Control S.A., a security and investigations company based in Mexico, this device was found inside a Diebold Opteva 520 with Dip reader (the kind of card reader that requires you to briefly insert your card and then quickly remove it). The device is inserted from the outside of the ATM and no access is required to the ATM internals. Damage Control, which disseminated the information via a service called CrimeDex, didn’t say whether this shimmer was accompanied by a component to steal card PINs, such as a hidden camera or PIN pad overlay.

Here’s a look at what this thing looks like while it’s sitting inside a compromised ATM’s reader (notice how the chip-reading components shown in the first image are obscured in this one by the ATM’s chip reader): Continue reading →