ATM Security: Skimming vs. Shimming | Diebold Nixdorf Blog

By now, anyone who works with card readers in just about any capacity is aware of skimming threats. But a less-well-known approach, known as “shimming,” is starting to pop up.

So what’s the difference between skimming and shimming?

Skimming is typically recognized as any type of fraud that “skims” the information off the magnetic stripe on a credit or debit card. It can occur on dip and motorized card readers, and over the years, skimmers have gotten smaller, more efficient and harder to detect (we created ActivEdge in response, a solution that thwarts all known methods of skimming).

Shimming refers to an attack that captures data by tapping directly into an EMV chip. A small, flat device containing a microprocessor and flash memory is inserted inside the card reader itself. The circuit is energized through engagement with the chip while it’s in the card reader, and the device “sniffs” the data – there is no command interface. It’s very likely the attack will not be detected by the card reader; however, the device must be extracted from the ATM for thieves to retrieve the data.

This can give industry vets cause for concern – after all, aren’t EMV chips supposed to mitigate the vulnerabilities of magnetic stripes? The reality is that there are measures in place to thwart this type of fraud; as long as your organization is following appropriate protocols, shimming SHOULD NOT deter you from migrating to an EMV-chip enabled network.

ATM operators and card issuers both play a role in thwarting shimming attacks.

Operators:

  • Inspect both dip and motorized card readers regularly for devices in or around the card slot and transport areas.
  • Inspect the fascia of the ATM and areas near the ATM for hidden cameras/unrecognized devices.
  • Ensure that the host network is checking applicable card verification codes as part of both magnetic stripe and chip-based transaction authorization processes.

Issuers:

  • Ensure cards are encoded using different card verification values for EMV vs. magnetic stripe.

It is important to note that the Track 2 Equivalent data stored on the EMV chip carries an iCVC (integrated card validation code) value, which is not the same as the CVC value stored on the magnetic stripe. This means that even if the chip data is compromised, it cannot be used to create a counterfeit magnetic stripe card.
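The host-side check that makes this work can be sketched as follows. This is an added example, not code from Diebold Nixdorf or any payment network. It assumes a simplified Track 2 layout (PAN, `=`, YYMM expiry, 3-digit service code, 3-digit verification value), uses an HMAC as a stand-in for the issuer's real verification-value algorithm, and all card data, keys and function names are constructed.

```python
import hashlib
import hmac

# Constructed demo key. Real issuers keep card verification keys in an HSM.
ISSUER_KEY = b"constructed-demo-key"

def verification_value(pan, expiry, variant):
    """Stand-in for the issuer's CVC algorithm (HMAC here, an assumption).

    `variant` is "stripe" or "chip", so the two encodings of one card
    get independent 3-digit values, as the issuer guidance above requires.
    """
    msg = f"{pan}|{expiry}|{variant}".encode()
    mac = hmac.new(ISSUER_KEY, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1000:03d}"

def build_track2(pan, expiry, service_code, variant):
    """Construct sample Track 2 data: PAN=YYMM + service code + value."""
    value = verification_value(pan, expiry, variant)
    return f"{pan}={expiry}{service_code}{value}"

def parse_track2(track2):
    """Split the simplified layout; reject anything that does not fit it."""
    pan, rest = track2.split("=", 1)
    if not (pan.isdigit() and rest.isdigit() and len(rest) >= 10):
        raise ValueError("malformed Track 2 data")
    return {"pan": pan, "expiry": rest[:4], "cvc": rest[7:10]}

def authorize(track2, entry_mode):
    """Host check: the value must match the one issued for this entry mode."""
    if entry_mode not in ("stripe", "chip"):
        raise ValueError("unknown entry mode")
    card = parse_track2(track2)
    expected = verification_value(card["pan"], card["expiry"], entry_mode)
    if hmac.compare_digest(expected, card["cvc"]):
        return "APPROVE"
    return "DECLINE"

if __name__ == "__main__":
    pan, expiry = "9999000000000001", "3012"  # constructed card data
    stripe = build_track2(pan, expiry, "201", "stripe")
    chip = build_track2(pan, expiry, "201", "chip")
    print("stripe read of stripe data:", authorize(stripe, "stripe"))
    print("chip read of chip data:    ", authorize(chip, "chip"))
    # Chip data presented as a magnetic stripe read
    print("stripe read of chip data:  ", authorize(chip, "stripe"))
```

The decline in the last case depends on both conditions from the lists above: the issuer encoded different values, and the host verifies the value against the entry mode. Because the values are three digits, two independent values coincide for roughly one card in a thousand.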

The bottom line? EMV chip-enabled cards are safer than cards equipped with only a magnetic stripe. And magnetic stripe skimming remains – by far – the most prevalent form of fraud at both ATMs and POS systems. Encourage your consumers to look for opportunities to use their chip-based payment options, and make sure your own network is ready to serve consumers in the safest manner possible. Our experts can help you put together a plan that works for your organization’s unique needs.

Get more information on managing EMV fraud in this checklist from MasterCard. Have other questions about security? We can get you answers.