Staying Ahead of the ATM Thieves – Maybe – as Shimming Gets More Sophisticated
Shimming is the newest con designed to capture a person’s card number, PIN and other data when a card is inserted into a chip reader such as the one in an ATM. It is the latest attack criminals are using to steal data at the ATM or other PIN entry device (PED). According to Diebold, “The criminal act of card skimming results in the loss of billions of dollars annually for financial institutions and card holders. Card skimming threatens consumer confidence not only in the ATM channel, but in the financial institutions that own compromised ATMs as well.”
Shimming works by compromising a perfectly legitimate card reader (such as the one in an ATM): a very thin, flexible circuit board is pushed in through the card slot and seats itself on the internal contacts that read the chip. The shim is delivered on a “carrier card” that holds it, inserts it into the slot and locks it onto the reader contacts; the carrier card is then withdrawn. Once in place, the shim is not visible from outside the machine. It then acts as a man-in-the-middle between each inserted card and the ATM’s own reader electronics, recording what passes between them.
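To make the man-in-the-middle concrete, here is an added toy model of the shim’s position on the ISO 7816 contact interface: a simulated terminal talks to a simulated chip card through a passive interposer that forwards every command and response unchanged while recording both. This is illustrative code written for this article, not anything from Diebold, Visa or Ingenico; the card, its record data (PAN 4111111111111111, expiry 12/25) and the PIN are constructed, and the terminal sends only the three EMV commands needed to show the point.

```python
"""Toy model of an ATM card-slot shim as a passive man-in-the-middle on the
ISO 7816 contact interface. Added illustration, not code from Diebold, Visa
or Ingenico; the card, the terminal and all data are constructed."""

# Constructed sample card data (not a real card). EMV tag 57 is "Track 2
# Equivalent Data": PAN, 'D' separator, expiry YYMM, service code, the rest.
TRACK2 = bytes.fromhex("4111111111111111D25121010000000000")
RECORD = bytes([0x70, len(TRACK2) + 2, 0x57, len(TRACK2)]) + TRACK2
AID = bytes.fromhex("A0000000031010")                     # Visa application ID
FCI = bytes([0x6F, len(AID) + 2, 0x84, len(AID)]) + AID   # SELECT response body


def plaintext_pin_block(pin: str) -> bytes:
    """EMV offline plaintext PIN block: 0x2N, then N PIN digits, padded with F."""
    return bytes.fromhex(f"2{len(pin)}{pin}".ljust(16, "F"))


class SimCard:
    """Minimal chip card: answers SELECT, READ RECORD and offline VERIFY."""
    def __init__(self, pin: str):
        self.block = plaintext_pin_block(pin)

    def process(self, apdu: bytes) -> bytes:
        ins, p2 = apdu[1], apdu[3]
        if ins == 0xA4:                                   # SELECT
            return FCI + b"\x90\x00"
        if ins == 0xB2:                                   # READ RECORD
            return RECORD + b"\x90\x00"
        if ins == 0x20 and p2 == 0x80:                    # VERIFY, plaintext PIN
            data = apdu[5:5 + apdu[4]]
            return b"\x90\x00" if data == self.block else b"\x63\xC2"
        return b"\x6D\x00"                                # INS not supported


class Shim:
    """The shim: sits on the reader contacts, forwards every APDU unchanged
    and records both directions. ATM and card both see normal traffic."""
    def __init__(self, card: SimCard):
        self.card, self.log = card, []

    def transmit(self, apdu: bytes) -> bytes:
        resp = self.card.process(apdu)
        self.log.append((bytes(apdu), bytes(resp)))
        return resp


def run_transaction(reader, pin: str, online_pin: bool) -> bool:
    """Terminal side. With online PIN the PIN block is encrypted in the PED
    and sent to the host, never across the card contacts, so no VERIFY
    command is issued and the shim has nothing PIN-related to record."""
    reader.transmit(bytes([0x00, 0xA4, 0x04, 0x00, len(AID)]) + AID + b"\x00")
    reader.transmit(bytes([0x00, 0xB2, 0x01, 0x0C, 0x00]))
    if online_pin:
        return True
    block = plaintext_pin_block(pin)
    resp = reader.transmit(bytes([0x00, 0x20, 0x00, 0x80, len(block)]) + block)
    return resp[-2:] == b"\x90\x00"


def tlv_find(data: bytes, want: int):
    """Depth-first BER-TLV search; returns the value of tag `want` or None."""
    i = 0
    try:
        while i < len(data):
            tag = data[i]; i += 1
            if tag & 0x1F == 0x1F:                        # two-byte tag
                tag = (tag << 8) | data[i]; i += 1
            length = data[i]; i += 1
            if length & 0x80:                             # long-form length
                n = length & 0x7F
                length = int.from_bytes(data[i:i + n], "big"); i += n
            value = data[i:i + length]; i += length
            if tag == want:
                return value
            first = tag >> 8 if tag > 0xFF else tag
            if first & 0x20:                              # constructed: recurse
                hit = tlv_find(value, want)
                if hit is not None:
                    return hit
    except IndexError:                                    # truncated or garbled
        pass
    return None


def harvest(log) -> dict:
    """What the criminal later reads back out of the shim's memory."""
    found = {}
    for apdu, resp in log:
        if apdu[1] == 0x20 and apdu[3] == 0x80:           # plaintext PIN block
            n = apdu[5] & 0x0F
            found["pin"] = apdu[6:].hex()[:n]
        track2 = tlv_find(resp[:-2], 0x57)
        if track2:
            digits = track2.hex().upper().rstrip("F")
            found["pan"], rest = digits.split("D", 1)
            found["expiry"] = rest[:4]
    return found


if __name__ == "__main__":
    for online in (False, True):
        shim = Shim(SimCard("1234"))
        run_transaction(shim, "1234", online_pin=online)
        print("online PIN" if online else "offline plaintext PIN", harvest(shim.log))
```

The two runs show the practitioner’s caveat: a passive shim on the contacts always gets the chip’s track 2 equivalent data, but it only sees the PIN when the card is verified offline with a plaintext PIN block; with online PIN (the normal ATM case) or enciphered offline PIN, nothing usable crosses the contacts. Note also that the chip’s track 2 equivalent data carries an iCVV rather than the magnetic stripe’s CVV, so issuers that check it can reject stripes cloned from shimmed data.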
According to reports, Visa has revoked security approval for two Ingenico card readers (3070MP01 and i3070EP01), apparently in response to successful modification by skimmers. By introducing additional electronic components, the skimmers were able to store and later retrieve card details and PINs. The compromised PIN entry devices (PEDs) are reported to be old models used primarily in the United States. Visa has also published a list of other PEDs that do not meet the PCI PED requirements and are frequent targets of skimming attacks.
Although this type of attack is not new, Visa’s response is, according to industry experts, surprising: the report states that this is the first time a specific vendor has been named and the first time Visa has acknowledged that a PCI-compliant retailer has fallen victim to an attack. The specifications in the Payment Card Industry Data Security Standard (PCI DSS) govern how merchants and processors protect cardholder data in their systems; approval of the PEDs themselves falls under the separate PCI PED security requirements, which is why a compliant retailer can still be hit when a device in its estate is physically tampered with. Although the number of compromised PEDs appears to be rising, an internal Visa memo states that the approvals were revoked purely as a precautionary measure.
Ideas on fighting this theft? Email zaludreport@bnpmedia.com