We have received reports of a new kind of skimming device that is designed to defeat EMV chip protections on ATMs. It is being called a “shimmer” because of its ability to shimmy in between a card’s EMV chip and the contact on an ATM.
These card-sized inserts can collect some of the data from chip-enabled cards which can then be used to make counterfeit magstripe cards. So far these attacks have been limited to Canada and Mexico, but history shows that word travels fast once a security weakness is determined.
In light of this information, FTSI and NCR have the following recommendations which will help financial institutions mitigate the risks posed by shimmers:
Financial Institutions Should Take the Following Steps to Combat Shimmers:
- Decline transactions that are missing CVV / CVC codes. One of the limitations of shimmers is that they don’t capture the unique codes needed to perform magstripe transactions and fraudsters are counting on you not to check.
- Develop rules specific to fallback transactions by working with your processors, if appropriate.
- Consider implementing EMV if you have not already. Despite some recent challenges, it is still the best bet against card-present counterfeit fraud.
- Regularly inspect your ATMs for foreign skimming and shimming devices that may have been added to your machines.
FTSI reminds you to always keep an eye out for suspicious persons loitering near your ATMs and if you suspect your ATM has been tampered with or attacked, please call the local authorities first as criminals may still be nearby.