New ATM Hack ‘Shimmer’ Steals Data, Sits Undetected Inside Card Slot
Security researchers have discovered that ATM hackers are using a new form of card data gathering thin device which acts as a “shim” between the card and the ATM chip reader.
ATM hackers are becoming pretty sophisticated with their modus operandi these days and are getting success in cheating the unlucky victims with high tech gadgets.
This kind of hacking was brought to light by a team of fraud experts in Mexico who discovered that ATM hackers are nowadays using a new form of wafer thin device termed as “shimmer” that has been enabled to gather the card data from ATM machines.
On Wednesday, Krebs On Security reported about this sophisticated ATM skimming device which is inserted into the ATM card slots from where it can read the data directly from the chip-enabled credit or debit cards.
This unobtrusive device acts as a bridge or shim between the card (credit or debit) and the ATM chip reader and hence the name “shimmer”.
This technology is extremely advanced and impressive too because it is difficult to detect this shim, also it does not hamper the chip reading process of the ATM machine.
The chip reading device comprises of some eight gold rectangular leads which collects the data from the card and some electronics which helps to power the data storage on the shimmer.
A security and investigations Mexican firm, Damage Control S.A. reported that the device was found inside a Diebold Opteva 520 with Dip reader (the kind of card reader that requires you to briefly insert your card and then quickly remove it). Usually hackers insert this advanced device from outside of the ATM and it is not connected to the internal parts of the ATM as it can get all the information from this location and need not have access to the internal of the ATM.
As of now it is not not known if the shimmer was provided with some component such as PIN pad overlay or hidden camera to steal the card PINs.
According to Krebs On Security: “Cards equipped with a computer chip are more secure than cards which rely solely on magnetic stripes to store account data. Although the data that is typically stored on a card’s magnetic stripe is replicated inside the chip on chip-enabled cards, the chip contains additional security components not found on a magnetic stripe.”
Normally, the cards are provided with ‘iCVV’ value (integrated Circuit Card Verification) which helps in ‘card verification mechanism’ and this protects the cards from being copied or duplicated. When hackers use these shimmers, they are able to bypass this mechanism and thus are able to produce an ATM clone which can be used later to successfully withdraw cash from ATM machine.
Techcrunch reports say that the information gathered by these “shimmers” not only allows the hackers to retrieve the data but they can also replicate the ATM chip along with the magnetic strip.
Banks are expected to check regularly if any card inserted in their ATM slots are counterfeited by encoding it with the data stolen from a chip card. However, it seems there are instances where some banks are skipping this process or following some incorrect process of inspecting their ATM machines for the ‘card skimming devices’.
Experts conclude that the crooks are attacking those ATMs which easily accept the magnetic strip cards that have been cloned from chip cards. It indicates that these hackers have figured out which banks are negligent and not following regular inspection of their ATM machines.
According to Krebs On Security, these banks even seem to be ignoring the withdrawals which happen by using the cloned ATM cards because of its location and thinness.
As of now, it is unclear as to which Mexican banks are affected with these “shimmer” devices and also whether the technology has already reached to other parts of the world.
Banks have not yet given their comments on this new ATM threats; hence we would advise the ATM users to be very much careful when they attempt to withdraw cash from ATMs because these shimmers are difficult to be detected and cannot be pushed or pulled from the ATM card reader unless customers use specific tweezers to pull them out from the ATM card slots!