How shimming works and how you can prevent it

Shimming is a malicious technique that allows criminals to steal EMV microchip data from bank cards to create fraudulent cards

If there is one economic sector that cybercriminals have always targeted, it is undoubtedly the banking sector. Why? Attacks against financial institutions and their customers bring direct economic benefits. Malicious actors have, therefore, designed and evolved techniques, tactics and procedures to adapt to technological changes and subvert the defensive measures of banking companies.

Various banking fraud techniques therefore coexist, such as skimming, shimming, or the combined use of social engineering and malware to gain access to bank accounts. Bank fraud thus generates enormous problems for banks year after year and is one of the significant challenges facing the financial sector.

We will now look at shimming, a technique that combines hardware and software to create fraudulent credit or debit cards and carry out illegitimate financial transactions. We will also look at the measures that banking companies and their customers can implement to prevent this type of fraud.

What is shimming?

Shimming is a banking fraud technique that affects credit and debit cards with an EMV microchip. Its origin is related to skimming, a technique used for many years to clone the information contained in the magnetic stripe of cards when inserted into an ATM slot.

However, shimming does not target the magnetic stripe, a technology that is no longer in use, but the EMV microchip that some cards carry. Shimming captures the transaction exchange between the reader and the card's chip, and the information collected includes data that could later be used to create fraudulent magnetic stripe cards.

What is the probability of success of shimming attacks today? Two factors are crucial to take into account:

  • The effectiveness of the security mechanisms applied in the EMV operation implemented on the card.
  • The secure transaction verification processes of banks.

How do criminals carry out shimming attacks?

Shimming attacks are executed through three basic steps or phases:

  1. Criminals insert a small device into the slot of a POS terminal (point of sale), dataphone or ATM that reads and retransmits data. These attacks therefore combine purpose-built software with hardware capable of reading the EMV microchip data.
  2. Victims insert their credit or debit cards into the slots of:
    • ATMs located in low-traffic areas or away from bank branches.
    • Payment equipment located in outdoor areas, such as parking meters and vending machines.
  3. Attackers use the information gathered by the malicious device to create fraudulent magnetic cards for withdrawing money from ATMs or making purchases.

What can citizens do to avoid becoming victims of shimming?

Although it may seem obvious, the best way to prevent shimming is not to insert our credit or debit cards into any ATM or cash dispenser at all.

Fortunately, contactless technology has expanded in recent years, and it is now possible to make payments without inserting your card. It is therefore advisable to make contactless payments using mobile wallet applications (Apple Pay, Google Pay, Samsung Pay…), as these smartphone apps have solid security protocols to prevent fraud.

What happens if contactless payment is not possible? You can opt for additional preventive measures such as:

  • Always pay inside a commercial establishment or withdraw money from ATMs with video surveillance systems to prevent malicious actors from installing devices that allow shimming.
  • Use trustworthy ATMs from reputable banks.
  • Check the card insertion slots of ATMs or payment devices to verify on the spot that they have not been tampered with. What actions should be carried out as part of this check?
    • If inserting the card requires too much effort, the slot may have been tampered with.
    • Observe the card insertion slot to ensure that it is not misaligned.
    • Check if anything is blocking the insertion slot.
    • Look for any anomalies or unusual features in the card insertion component.

If a citizen thinks he has been a victim of shimming, what should he do?

Let us move from prevention to response to shimming fraud. If, despite the measures described above, a citizen becomes a victim of this kind of attack, he should:

  • Immediately contact the card issuer to have the card invalidated as soon as possible and prevent criminals from stealing large amounts of money.
  • Go to the police to report the fraud so that the security forces can investigate the crime and, in addition, enable the return of the money that has been stolen.

Additionally, it is always advisable to review your banking transactions periodically as a preventive measure. This way, you can identify transactions on your own card that you do not recognise.

What cybersecurity measures should financial institutions implement to combat shimming?

Credit and debit cards are becoming increasingly sophisticated, and so are the security measures that protect them against shimming and skimming attacks. However, these attacks still occur. It is, therefore, crucial for financial institutions to:

  • Generate signatures on non-static transactional data in the case of EMV payments.
  • Ensure that the ICVC (Integrated Card Validation Code) defined in the EMV chip differs from the CVC1/CVV1 value specified in the magnetic stripe.
  • Perform secure validation of card transactions, verifying the presence and correctness of all required data, especially for magnetic stripe payments. This matters all the more because it has been noted in the past that some institutions did not validate the CVV1 value.
  • Use cybersecurity specialists to design and execute technical audits to verify possible exposure to shimming attacks.
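One way an issuer can act on the second and third points above, as an added example that is not the article's own code: an authorisation check for swiped transactions that distinguishes the stripe's CVV1 from the chip's ICVC (iCVV), so that a stripe written from shimmed chip data is declined with a reason code a fraud team can act on. The key, the track 2 layout and the HMAC-based derivation standing in for the real CVK/3DES computation are assumptions of this example.

```python
import hashlib
import hmac

# Added example, not the article's code: an issuer-side check that declines a
# magnetic stripe transaction whose track data carries the chip's ICVC (iCVV)
# instead of the stripe's CVV1, which is what a clone built from shimmed data
# looks like. Real issuers derive both values with 3DES under Card Verification
# Keys; the HMAC below is a stand-in so the example runs with the stdlib only.
CVK = b"constructed-card-verification-key"  # placeholder, not a real key

def derive_cvv(pan: str, expiry: str, service_code: str) -> str:
    """Return a 3-digit verification value over PAN, expiry and service code."""
    msg = f"{pan}|{expiry}|{service_code}".encode()
    digest = hmac.new(CVK, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1000:03d}"

def cvv1(pan: str, expiry: str, service_code: str) -> str:
    return derive_cvv(pan, expiry, service_code)

def icvv(pan: str, expiry: str) -> str:
    # The chip value is computed with service code 999, so it differs from CVV1.
    return derive_cvv(pan, expiry, "999")

def parse_track2(track2: str):
    # Track 2 layout: PAN '=' YYMM service-code discretionary-data. Assumed for
    # this example: the CVV is the last three digits of the discretionary data.
    pan, rest = track2.split("=", 1)
    expiry, service_code, discretionary = rest[:4], rest[4:7], rest[7:]
    if not (pan.isdigit() and expiry.isdigit() and len(expiry) == 4
            and service_code.isdigit() and len(service_code) == 3
            and len(discretionary) >= 3):
        raise ValueError("malformed track 2 data")
    return pan, expiry, service_code, discretionary[-3:]

def authorize_magstripe(track2: str) -> str:
    """Decide a swiped transaction; the reason code is what fraud analysts see."""
    try:
        pan, expiry, service_code, presented = parse_track2(track2)
    except ValueError:
        return "DECLINED_MALFORMED_TRACK"
    if presented == cvv1(pan, expiry, service_code):
        return "APPROVED"
    if presented == icvv(pan, expiry):
        # CVV1 mismatch but ICVC match: the stripe was written from chip data.
        return "DECLINED_CHIP_DATA_ON_STRIPE"
    return "DECLINED_BAD_CVV1"
```

An issuer that validates CVV1 at all but computes ICVC with the same service code as the stripe would approve the shimmed card here, which is exactly the gap the second bullet above closes.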

In addition, we must remember that financial institutions are subject to increasingly demanding cybersecurity regulation, as demonstrated by the approval of the DORA regulation, which seeks to strengthen the cyber resilience of the European financial sector. This is why it is so important to engage advanced cybersecurity services such as a security audit of banking environments.