Cybercriminals Switch from Skimmers to Shimmers
Skimmers are small devices inserted into ATM card slots to read data from the magnetic stripes of bank cards. This stolen data can then be used to "clone" the cards. However, the growing popularity of the EMV standard for chip cards has forced cybercriminals to gradually move away from using skimmers. Since EMV cards store data on an embedded chip rather than a magnetic stripe, skimmers can no longer read this information. That's where shimmers come in.
Shimmers first came to light in 2016. These devices are much smaller than skimmers and are typically placed between the chip and the chip reader in ATMs or point-of-sale (PoS) terminals. With the rise of EMV, shimmers have started to replace skimmers, according to cybersecurity company Flashpoint. Researchers say there is currently very high demand for customized shimmers on underground forums.
In theory, chip cards cannot be cloned because of the iCVV (integrated Card Verification Value), which is different from the CVV found on magnetic stripes. The iCVV prevents copying data from the chip and creating "cloned" cards.
Another security measure is the Card Protection Plate (CPP), which makes it impossible to insert any foreign objects into the card slot, making it very difficult to bypass, even with shimmers. However, according to Flashpoint, there are still ways to get around this protection, depending on how thoroughly banks check transactions, especially the iCVV.
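The issuer-side check that this point turns on, as an added example that is not from Flashpoint or the original article: the chip's iCVV is derived like the stripe CVV but with service code 999, so an issuer that recomputes both values can decline chip data replayed through the magnetic-stripe channel. HMAC-SHA256 stands in here for the real DES-based CVV algorithm, and the key, card number, field names and entry-mode labels are constructed for the demonstration.

```python
import hashlib
import hmac

DEMO_KEY = b"constructed-demo-key"   # constructed; real keys stay in an HSM
ICVV_SERVICE_CODE = "999"            # service code used when deriving iCVV
# Constructed sample card; "201" is the service code encoded on its stripe.
CARD = {"pan": "4000000000000002", "expiry": "2812", "service_code": "201"}


def verification_value(pan, expiry, service_code, key=DEMO_KEY):
    """Stand-in for the DES-based CVV algorithm: 3 digits from HMAC-SHA256."""
    msg = f"{pan}|{expiry}|{service_code}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1000:03d}"


def check_transaction(txn, key=DEMO_KEY):
    """Return (approved, reason) for one authorization request."""
    stripe_cvv = verification_value(txn["pan"], txn["expiry"], txn["service_code"], key)
    icvv = verification_value(txn["pan"], txn["expiry"], ICVV_SERVICE_CODE, key)
    presented = txn["cvv"]
    if txn["entry_mode"] == "chip":
        ok = hmac.compare_digest(presented, icvv)
        return ok, "iCVV ok" if ok else "iCVV mismatch"
    if txn["entry_mode"] == "magstripe":
        # Test for the chip value first: seeing it on the stripe channel means
        # the track data was copied from a chip read, as a shimmer captures it.
        if hmac.compare_digest(presented, icvv):
            return False, "chip iCVV presented on magnetic stripe"
        ok = hmac.compare_digest(presented, stripe_cvv)
        return ok, "CVV ok" if ok else "CVV mismatch"
    return False, "unknown entry mode"


def sample(entry_mode, service_code_for_value):
    """Build a constructed request whose CVV was derived with the given code."""
    cvv = verification_value(CARD["pan"], CARD["expiry"], service_code_for_value)
    return {**CARD, "entry_mode": entry_mode, "cvv": cvv}


if __name__ == "__main__":
    cases = [("genuine chip", sample("chip", "999")),
             ("genuine stripe", sample("magstripe", "201")),
             ("chip data on stripe", sample("magstripe", "999"))]
    for label, txn in cases:
        print(label, check_transaction(txn))
```

An issuer that skips the comparison on the stripe channel would approve the third case, which is the gap the article describes.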
Due to improper implementations of the EMV standard, attackers find it easier to target less secure cards that use Static Data Authentication (SDA), which is gradually being replaced by Dynamic Data Authentication (DDA) and Combined Data Authentication (CDA). Some shimmer sellers on underground forums even offer CPP detectors, as well as tools for installing and removing shimmers from ATMs.