Digital Transactions Authoritative, insightful and timely information for payments professionals
A variant of a skimming device called a “shimmer,” which steals EMV chip card data, has been found on an ATM in Mexico, raising security questions as the United States converts to the EMV standard.
The shimmer incident was first disclosed Tuesday by security reporter Brian Krebs of the KrebsOnSecurity blog, who cited information from Damage Control S.A., a Mexico-based security and investigations firm. A so-called shimmer is a thin device that sits between the card’s chip and the chip reader when the cardholder inserts, or “dips,” a debit or credit card into the card slot. Akin to conventional skimmers on point-of-sale card readers, fuel pumps, and ATMs that steal magnetic-stripe payment card information, the shimmer in question was easily inserted into the ATM and reportedly could capture EMV card data.
The shimmer was installed on a Diebold Opteva 520, a cash dispenser for deployment in bank lobbies or off-premise locations. Details about the incident were sparse—KrebsOnSecurity didn’t say where the ATM was or if fraud occurred after chip cards were inserted into it. Nor is it known if the compromised ATM had a small camera or PIN-pad overlay to record card PINs as customers used the machine.
Still, the incident shows that EMV cards may not entirely solve the problem of card counterfeiting—the main problem they’re meant to address. EMV card data can be stolen by skimmers, but in contrast to mag-stripe cards, which are easy to copy, creating a counterfeit EMV chip from such stolen data is very difficult because of the chip’s added protections, including one-time codes.
But the data could be used to create fake mag-stripe cards. And data on a chip card’s back-up magnetic stripes can be stolen, too. Then clones could be used for cross-border transactions in non-EMV countries such as the United States, or in so-called fallback transactions when an ATM or POS terminal can’t read the chip and defaults to the back-up mag-stripe to process the transaction.
Fallback fraud occurred frequently in the United Kingdom as that country was going through its EMV transition about a decade ago, says Mary Ann Miller, a New York City-based senior director and fraud executive advisor at NICE Actimize, an Israel-based fraud-prevention and compliance-management firm. At the time, Miller was a senior risk-control executive at Lloyds Banking Group, one of the U.K.’s largest banks.
Many British banks, Miller explains, made the mistake of making the iCVV (integrated card verification value), a three-digit security code on the EMV chip, the same as the CVV on the back-up mag stripe. Unless the issuer had systems to alert it that the authorization request should have been coming from a chip, it might not have known that a fake card was being used.
“All the U.K. banks had to do was to update the cards with different values” for the iCVV and the CVV, says Miller. That took time, however.
Even if an ATM or POS terminal is compromised by a shimmer, proper management of iCVVs and CVVs by issuers as well as strong fraud-prevention procedures and policies “should equip you to decline those authorizations,” she says.
Shimmers and other methods of defeating the chip may show up more frequently in the United States as the country prepares for a major EMV point-of-sale liability shift this October and an ATM liability shift a year later. With those shifts, a merchant or ATM deployer that can’t process EMV transactions will bear liability for counterfeit fraud. “The shimmers, I think, are relatively new, although there’s been many, many other attempts to bypass EMV, particularly as the U.S. rolls out,” says Miller.
