{"id":6419,"date":"2017-01-27T16:17:19","date_gmt":"2017-01-28T00:17:19","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/01\/27\/news-256\/"},"modified":"2017-01-27T16:17:19","modified_gmt":"2017-01-28T00:17:19","slug":"news-256","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/01\/27\/news-256\/","title":{"rendered":"ATM ‘Shimmers’ Target Chip-Based Cards"},"content":{"rendered":"

Several readers have called attention to warnings<\/a> coming out of Canada about a supposedly new form of ATM skimming called “shimming” that targets chip-based credit and debit cards. Shimming attacks are not new (KrebsOnSecurity first wrote about them in August 2015<\/a>), but they are likely to become more common as a greater number of banks in the United States shift to issuing chip-based cards. Here’s a brief primer\u00a0on shimming attacks, and why they succeed.<\/p>\n

\"Several<\/p>\n

Several shimmers recently found inside Canadian ATMs. Source: RCMP.<\/p>\n<\/div>\n

Most skimming devices made to steal credit card data do so by recording the data stored in plain text on the magnetic stripe on the backs of cards. A shimmer, on the other hand, is so named because it acts a shim that sits between the chip on the card and the chip reader in the ATM \u2014 recording the data on the chip as it is read by the ATM.<\/p>\n

Data collected by shimmers cannot be used to fabricate a chip-based card, but it could be used to clone a magnetic stripe card. Although the data that is typically stored on a card\u2019s magnetic stripe is replicated inside the chip on chip-enabled cards, the chip contains an additional security components not found on a magnetic stripe.<\/p>\n

One of those is a component known as an integrated circuit card verification value or \u201ciCVV\u201d for short — also known as a “dynamic CVV.” The iCVV differs from the card verification value (CVV) stored on the physical magnetic stripe, and protects against the copying of magnetic-stripe data from the chip and using that data to create counterfeit magnetic stripe cards.<\/p>\n

\"A<\/p>\n

A close-up of a shimmer found on a Canadian ATM. Source: RCMP.<\/p>\n<\/div>\n

The reason shimmers exist at all is that some banks have apparently not correctly implemented the chip card standard, known as EMV (short for Europay, Mastercard and Visa).<\/p>\n

“The only way for this attack to be successful is if a [bank card] issuer neglects to check the CVV when authorizing a transaction,” ATM giant NCR Corp.<\/strong> wrote in a 2016 alert to customers. “All issuers MUST make these basic checks to prevent this category of fraud. Card Shimming is not a vulnerability with a chip card, nor with an ATM, and therefore it is not necessary to add protection mechanisms against this form of attack to the ATM.”<\/span><\/p>\n

Here’s a look at the shimmer I wrote about back in August 2015, which was discovered inside an ATM in Mexico.<\/p>\n

\"This<\/p>\n

This card ‘shimming’ device is made to read chip-enabled cards and can be inserted directly into the ATM’s card acceptance slot.<\/p>\n<\/div>\n

This shimming device was removed from an ATM in Europe in 2015:<\/p>\n

\"An<\/p>\n

An ATM shimmer. Source: European ATM Security Team (EAST).<\/p>\n<\/div>\n

Once you understand how stealthy these ATM fraud devices are, it\u2019s difficult to use a cash machine without wondering whether the thing is already hacked. The truth is most of us probably have a better chance of getting physically mugged after withdrawing cash than encountering a skimmer in real life. However, here are a few steps we can all take to minimize the success of skimmer gangs.<\/p>\n

-Cover the PIN pad while you enter your PIN.<\/p>\n

-Keep your wits about you when you\u2019re at the ATM, and avoid dodgy-looking and standalone cash machines in low-lit areas, if possible.<\/p>\n

-Stick to ATMs that are physically installed in a bank. Stand-alone ATMs are usually easier for thieves to hack into.<\/p>\n

-Be especially vigilant when withdrawing cash on the weekends; thieves tend to install skimming devices on a weekend \u2014 when they know the bank won\u2019t be open again for more than 24 hours.<\/p>\n

-Keep a close eye on your bank statements, and dispute any unauthorized charges or withdrawals immediately.<\/p>\n

If you liked this piece and want to learn more about skimming devices, check out my series All About Skimmers<\/a>.<\/p>\n

https:\/\/krebsonsecurity.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"


Several readers have called attention to warnings coming out of Canada about a supposed new form of ATM skimming called “shimming.” Shimming attacks are not new (KrebsOnSecurity first wrote about them in August 2015), but they are likely to become more common as a greater number of banks in the United States shift to issuing chip-based cards. Here’s a brief primer on shimming attacks, and why they succeed.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10642],"tags":[11115,11116,11117,11118,10644],"class_list":["post-6419","post","type-post","status-publish","format-standard","hentry","category-independent","category-krebs","tag-atm-shimmer","tag-atm-shimming","tag-icvv","tag-ncr-corp","tag-other"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6419","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=6419"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6419\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=6419"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=6419"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=6419"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}