Thieves Now Use Shimmers to Steal Chip/PIN Card Data

Somehow, using a physical card just feels safer, right? If you lose your wallet, that can be a problem, but you rarely feel comfortable typing your numbers into a website or speaking them on the phone or anything like that. Some of us may shred our receipts even if they don’t contain any sensitive data.

Using a physical card, well, it feels safer when you can hold something in your hand. At the very least, someone would have to push you down and physically steal the card from you in order to take your information, and you can just cancel your card before they can spend any of your hard-earned money.

Essentially, we’re hardwired to feel that something we have in hand is safer. And with credit cards and debit cards, that’s partly true. All thieves want is the information on the card. A little piece of plastic doesn’t hold much actual tangible value on its own. So we tend to believe that as long as we’re using the actual plastic, then our information is safer than if we’re transferring just the data. It’s a lot easier to steal information than it is to steal a wallet.

But even plastic carries some risks, and not just in the form of pickpockets. You can burn and shred all your paperwork, never speak your numbers aloud, only use your card in person, never online or over the phone, and it will still be entirely possible for a thief to steal the information on your card without the card ever leaving your hand. And, unfortunately, it might not always be easy to realize that this has happened until it is too late.

In any event, you need to be aware of the risks that are out there. In this case we’re talking about “shimmers,” devices used to swipe data directly from a card when you swipe it in a card reader or ATM.

How Do Shimmers Work?

Essentially, a shimmer is a little card reader that can be tucked inside of an existing device. They’re very thin and discreet, so it’s easy to hide a shimmer inside of an ATM or the reader at a convenience store. When the ATM or card reader reads your card, so too will the shimmer. They are similar to “skimmers,” but much harder to spot than their bulky brethren. Shimmers first began to show up in 2015 but have recently become more popular among scammers.

Skimmers are part of the reason cards have been switching to being chip-based in recent years. At present there’s no easy way for thieves to get your information off of a chip. The skimmers are looking at the magnetic strips. The data can be taken from these strips and then used to create copies of the card that can be used in any store or at any ATM that still relies on strip readers.

Many stores have yet to implement the new, safer standard. But even if you have a chip-based reader, the shimmers can still read the magnetic strip as the card passes over the shimmer. Skimmers were easier to identify by pulling on the reader. These bulky devices were like a false front-end to the device that could actually be removed or at least easily identified by pulling on them. Shimmers are very small devices tucked neatly into the card reading slot and then removed later by the thieves.

How Can You Combat Shimmers?

The only way to be one hundred percent certain that a card reader does not contain a shimmer is to carry a little screwdriver around with you and go digging around in every slot you come across, but that’s not exactly a viable solution. You’re going to get kicked out of a lot of gas stations and banks trying to do this. But this doesn’t mean that we’re all completely helpless to simply swipe our cards and hope for the best. There are some things that can be done on both the consumer’s and the merchant’s ends to stay a step ahead of thieves using shimmers.

As a customer, make a note if something feels off about a card reader. Although shimmers generally go undetected, a poorly installed shimmer can be easy to spot. If your card doesn’t slide in and out of a chip reader easily, then there may be a shimmer in there. You may want to avoid card readers that are not chip-capable.

In fact, it’s not a bad idea to keep cash on you at all times so that you always have an option besides plastic when you are confronted with a new swiper that you haven’t used before.

Of course, there are other threats that you need to be aware of. If you’re heading to an ATM, for instance, it’s a good idea to stick to indoor machines where armed robbery is a little less likely. And if you are going to use the machine outside the bank, try to avoid doing so after dark. There’s probably an all-night convenience store or Walmart in your town. They might charge a small fee but it beats getting robbed. Yes, even in 2018, when we have high-tech hackers using razor-thin card readers to steal your information, armed robbery remains one of the most popular forms of theft.

Of course the most popular form of identity theft is still the theft of the card itself. Thieves are like fishermen. They don’t necessarily target you, they just take what they can get. This means if you leave your wallet out on the table at a coffee shop and they see you take your eyes off it… Theft is, more often than not, a crime of opportunity. Many of these people may not even be career criminals, they just see an opening and they take it. They might never commit a serious crime again, but they see a misplaced credit card as free money and they’re not even thinking of the legal and moral ramifications.

You also want to go with reliable sellers more often than not. If you’re traveling or spending money in a part of town you don’t frequent, you generally want to use cash. A lot of the responsibility on credit and debit card security rests on the merchant’s shoulders, and a lot of merchants are really lax about it.

Chain locations tend to be a little safer because they take on a lot more liability risk. It can be hard to mend a damaged reputation, and that’s more important to a national chain than it is to someone who only has a business because they run the only gas station in a neighborhood.

So how does a merchant keep up their end of the security obligations?

The main thing they need to focus on is checking CVVs through the dynamic CVV system. These are the little three-digit numbers on the back of your card. There’s no way to get this number off of a shimmer since it is only designed to get data from the magnetic strip. So when the CVV on the card does not match the one in the database, the merchant knows that the card they’re looking at is a fake. Again, not all merchants bother taking this step, and thieves are most likely to focus on using those cards at stores where they can be fairly certain that the cashier isn’t going to check.

If you are a merchant, it’s very important to stay up to date on all standard security protocols. Protecting your customers is, of course, vital. If someone gets their information stolen at your shop, they’re going to find somewhere else to do their shopping. But beyond that there are also concerns of liability. It’s not unlikely that you’ll wind up in court, facing steep fines and possibly even jail time over lax security protocol.

Not to mention the chargebacks. If you run an unsafe cash register, you’re going to wind up with a lot of customers hitting you with chargebacks, and that’s going to hurt you a lot more than a few lost sales in the long run. So be sure to stay up to date on security measures for your card reader. And if you see anyone fiddling with your scanner in a way they shouldn’t be, you might want to go ahead and have them removed from your shop. It’s generally a good idea not to leave the counter totally unattended any time there are customers in the store.

In any event, combating thieves is a collaborative effort between customers and merchants. Customers don’t want to get ripped off, merchants don’t want to get hit with chargebacks, and they definitely don’t want to get sued. Merchants can also give customers a call any time a purchase seems fishy. You also have the right to refuse service when purchases seem suspect. If someone comes into your store and buys thirty pairs of matching shoes, either they coach a little league baseball team, or they’re trying to make a purchase so they can resell on the black market, and they have to buy fast before the actual card holder is on to them.

The Future of Credit Card Security

The shimmer is probably a passing fancy. By 2020 we might not be worrying about shimmers at all. The emphasis is moving away from plastic and towards all-digital transactions.

When two people can tap their smartphones together to make a payment or you can pay from a console without having to take anything out of your pockets, why risk it with a plastic card that can be easily misplaced or stolen?

For the time being we still rely heavily on plastic cards. But these are increasingly becoming, like cash, a relic of an earlier time. Even our cards contain cutting-edge computer chips instead of relying solely on magnetic strips.

All of this being said, criminals tend to stay one step ahead. Hackers are always looking for security gaps, and crooks won’t hesitate when they see an opportunity that is open to them. Even in a post-plastic world, we’re still going to see security concerns. Hackers may use readers and scanners to pick up on transferred information when smartphone transactions are made online or via wireless connection. And of course, they can always steal your phone and then find out how to unlock it with online tutorials.

We’re always going to have some reason or another to worry about our data when making a purchase. No matter how advanced the technology gets or how careful we are, there’s still going to be a risk. Luckily, that risk is generally manageable, and while you can’t guarantee that nobody will ever rip you off, you can at least make it a little more difficult for thieves, crooks and scammers, and they might just feel that you’re not worth the effort.
