Shimming: The Latest Trick to Steal Your Payment Card Details

Shimming devices used in ATMs and pay machine are almost impossible to detect: Internet Scambusters #791

It sounds like a dance or an engineering technique, but shimming has a much more sinister purpose.

It’s a new technique for stealing your payment card details without you knowing.

In this week’s issue, we’ll tell you how it works and the steps you can take to avoid it.

Let’s get started…


Shimming: The Latest Trick to Steal Your Payment Card Details


By now, most of us know about and watch out for skimmers — cleverly-disguised devices attached to the front of the card slot in ATMs and point of sale (POS) machines like those on gas pumps and in stores.

But what about shimmers and shimming?

The relentless march of technology has enabled crooks to produce reading devices so thin they can actually fit inside the card slot and are virtually impossible to detect.

But don’t panic — yet. Shimmers are rare — although they first appeared in Mexico and Arizona two years ago — and they rely on an unusual combination of card technology to work effectively.

Even so, security experts say shimming is likely to be a growth crime in 2018, especially in the US, which lags behind many other countries in the introduction of card reading security technology.

In very simple terms, here’s how shimming works:

  • The crook inserts the paper-thin shim into an ATM or payment machine. It can fit into almost any reader, including the small devices we see and use in stores.
  • The shimmer can read inserted card details from the silver microchip most of us now have on our debit and credit cards.
  • The shim is easy to set up because the crook appears just to be putting a regular card into the machine.
  • The crook must remove the shim from the machine in order to read the data it has collected. But, again, this is quite easy — he looks to be just removing his own card.* The big problem for him is that payment card microchips can be copied but not cloned. However, the stolen data can be used to make an “old-style” magnetic stripe card.
  • One more “however”: the microchip has a different CVV number to the one used on the card’s magnetic strip, so the crook can’t use the correct CVV unless he also sets up a hidden camera to snap the user keying in the code.
  • Even so, the fake card with just a magnetic strip can still be used in stores that haven’t caught up with chip card technology yet and don’t require a CVV number (the three-digit one normally printed on the back of the card next to the signature).

It could take years before magnetic stripes eventually disappear from debit and credit cards and before all retailers have the right security procedures in place.

In the meantime, financial security experts suggest there are 5 things you can do to avoid falling victim to a shimmer.

1. If you sense some resistance when you insert your card, or it gets stuck, it’s possible or even likely there’s a shimmer inside. Don’t push. Try to use an alternative machine or payment/withdrawal method.

For instance, if it’s a point-of-sale card reader, you may be able to swipe your card instead. Ironically, the shimmer can’t read that.

Some stores also now accept PayPal at their point of sale.

At a bank, you can make your withdrawal via a “real” teller.

2. When withdrawing cash, use an ATM inside a bank or other building. Crooks are far more likely to insert their shimming devices in outside machines.

3. Cover the keypad with your hand or wallet when you key in the PIN.

4. Use contactless mobile payment services on your smart phone, such as Apple Pay or Android Pay. Many stores now accept this form of payment, so learn how to set it up and use it on your phone.

5. If it’s available and accepted at a store, use the new contactless “tap-and-go” feature on your card. This allows you simply to wave your card in front of some point-of-sale devices.

Tap-and-go is, in fact, the long-term solution to this and other skimming scams. But sadly, the US is way behind other countries in Europe as well as Canada in installing this technology.

However, experts expect to see tap-and-go expand rapidly in the next five years.

For now, ordinary skimmers remain the device of choice for robbery at the ATM or POS, so keep your eyes peeled for doctored machines.

And, in the case of both skimming and shimming, check your card account details online every day if you can, so you’ll be alert to the theft of your card number.

Fortunately, as we know, banks and card companies will normally stand behind the loss if your card is used fraudulently. But better to avoid the risk altogether if you can — don’t give those shimming sharks a chance!

Alert of the Week

Seniors and older drivers are once again being targeted by “wobbly wheel” scammers — crooks who turn up at gas stations and in parking lots.

They tell you they spotted your car wheel wobbling and, claiming to be mechanics, offer to fix the problem.

They may imply they’ll do it for free but then they’ll make up all sorts of stories to suggest they’re out of pocket, including saying they had to use parts they happened to have with them.

If someone offers to fix your “wobbly wheel,” politely dismiss them and take your car to a reputable repair shop to be checked.

Time to conclude for today — have a great week!