How the PCI-DSS facilitated the Shimmer

A robot looking at a debit card through a magnifying glass.

The PCI-DSS has led directly to the widespread use of the shimmer (or shim in the UK). Its use is widespread because it works, and it works because of 20th Century thinking that has endured well past its sell-by date, underpinned by the PCI-DSS, and is still going strong in the 21st Century.

I have been looking at US examples of shimmer fraud, because one popped up on my YouTube feed and it appears to be a growth industry with a whole bunch of YouTuber security experts going nutz. Interestingly, an AI search specifically asking for evidence of UK shimmer fraud since 2016 returned practically nothing. I suspect, however, that the UK may have been the first region where shimmers were used as the UK was leading the world with chip technology. I remember one organisation that I worked for building a shimmer proof of concept – a bit too bulky to work in situ but easily deployable in the future with the miniaturisation of components.

So, let’s be bold and follow the shimmer rabbit, and then we can point the finger at the PCI-DSS.

The inevitable PCI-DSS preamble

The PCI-DSS is with us, and it’s likely to stay with us, because should it become apparent that it is a scam and that it was always a scam (maybe a legal scam, but a scam all the same), then a lot of organisations and individuals are going to be standing in line for what I believe to be justified lawsuits. Now of course, this is only my opinion, and you are free to call me a numptie, but I have been arguing this point for twenty years, and apart from trying to humiliate me on the grounds that I am a numptie who doesn’t understand it, the bleating sheeple have failed to present any compelling arguments.

“People are so easy to convince they’re doing the right thing, following the herd, waving the flag. Show them they’re wrong, and they’ll hate you for it.”

Charles Bukowski

I am more than willing and happy to be shown the error of my ways – that’s how we grow intellectually – and like any good scientist, I will update my thinking based on any presented coherent and verifiable evidence – heck, I don’t even care that much if it’s coherent or verifiable. So, if you have evidence and a rationale that stacks up, send it in my direction.

If you can’t rationalise your belief, consider that you may have been duped … you know it’ll make you feel better.

How does a Shimmer work?

Shimmers access and read data from a card using the chip’s contact interface, but you can also download Android applications that will do the same with a contactless card.

The information available on a chip card is only accessible using what are called “tags”, and a tag is the label given to a chunk of information stored in the chip memory. In simple terms, if you know the piece of information you are looking for, and you know the tag for that piece of information, you can ask the chip for the contents of that tag, and it will give it to you. There is nothing nefarious going on, it’s what it’s designed to do.

For the shimmer scam to work effectively, it needs to fool both the chip and the ATM (or POS). It cannot simply read the chip as it would soon become apparent that there was an ATM (or POS) fault and out would come the engineer. The shimmer must act as a “man-in-the-middle”, passing data backwards and forwards between chip and device so as not to draw attention to itself. The “man-in-the-middle” approach means that the shimmer is able to pass information in both directions, extracting and saving what it needs in the process.

This process works, but it has NOT exposed ANY holes in the technology or the specifications of the technology. The issues are real, but the reasons for the issues lie somewhere else!

What Shimmers can’t do.

I mentioned tags, and if you know the tag, the chip will return the data sitting behind the tag. The tags are not secret, they are available in the EMV specifications, and you can even find them on the internet: https://emvlab.org/emvtags/all/ in a blog supported by University College London.

However, some data elements do not have tags; without a tag, the information is not accessible from the outside. For example, where offline PIN verification is the norm, the PIN is stored in the chip, in the clear! However, the PIN cannot be accessed from outside, as the location is not given a tag; it can only be accessed by internal chip processes. There are also three encryption keys, unique to the card and derived from card data and a master key held by the issuer. These keys are called “Unique Derived Keys” (UDK); they play a key role in the security of all transactions, and they cannot be extracted from the chip. These keys are used to generate the transaction cryptogram, which is one of the security features that make EVERY transaction unique!

The information that would be needed to clone a chip card cannot be extracted from a chip card. You might want to consider the following as it will come up later: you would need the UDKs to create a true clone, and if you could retrieve the UDKs without the tag, you would also be able to read the PIN, and so you would not need cameras or keypad covers. Hmmm!

What Shimmers and Scammers can do!

Shimmers can grab all the data that is available to grab from a chip, and they can also grab the data generated by the chip as it processes the authorisation request. This is NOT a security hole; this is exactly how they are meant to work and exactly what they are meant to do.

In contrast to the PCI-DSS where card data is static, sensitive and must be protected, chip card data is dynamic, has no value, and therefore needs no special treatment.

There is only a small number of data elements that the shimmer scammer is interested in, and they relate primarily to MagStripe and the exploitation of weaknesses across the US banking networks – at least that’s the impression I am getting from looking at YouTube videos that expose errors in development and implementation of the kind you might feasibly make if you were naive or trying to save money.

The focus of this article is shimmers and how the shimmer scam or exploit is made possible because of the PCI-DSS – other scams exist that should equally be classed as the responsibility of the PCI-DSS, and these will be described in later articles.

I have to say at this point that all the scams exposed by the YouTube videos that I have seen (that aren’t clickbait) are preventable, and they are all preventable within the scope of the original and current chip technical specifications – you don’t need nothing extra!

As far as I can tell, the shimmer scammers are not writing chip cards. It is possible to create something that could pass as a chip card, in certain circumstances, but bank authorisation systems should also be capable of spotting them. If the scammers were writing chip cards, there are some heavy-duty technical hurdles they would have needed to jump, not least of which is the need for the keys!

It seems to me that the bit of data the shimmer scammers are going for is the image of the magnetic stripe in tag 57 – Track 2 Equivalent Data. Extracting this chunk of data would be the chip card equivalent of skimming a magstripe card, and the shimmer scammers would use it to create white plastic. However, if the issuer’s systems have been implemented correctly, this wouldn’t work, which I will explain later.

In EMV land, none of the data that can be extracted from a card is of any significance, as without the keys it’s all useless. This is why shimmer fraud doesn’t happen in the UK or the rest of the world, excepting the odd minor pocket of exceptions.

It’s all because of the PCI-DSS

Think back to the early 2000s: the UK and the rest of the world were heading down the EMV route because we could see that card fraud was on the increase, and this was because magstripe cards were so easy to clone. If I had been that way inclined, I could have done it in my bedroom. We had card readers and writers in the office in Welwyn Garden City, and we even had an Olivetti ATM in the ATM test room that we could use to write our own cards, using a bit of Olivetti software to drive the video display and the card slot. So excited was I that I made myself an ATM card out of an Argos Gift Card, just because I could.

It was all too easy, we saw what was coming and embraced the new technologies.

At the same time, word from the US was totally anti-chip and I had many discussions, nay, arguments, following statements being made along the lines of magstripe being completely secure as all transactions were authorised online, which was clearly nonsense as US card fraud was increasing dramatically. The US denied all this and positioned itself firmly at the centre of the chip card third world.

In the years following 9/11 and the inception of the Department of Homeland Security, it was realised that card fraud was on the increase, and that much of the proceeds of that fraud was funding terrorism.

Instead of taking the lead from the rest of the world – and at this time, EMV was no longer a new technology, and it worked, and it was effective – the US elected to dig in and maintain the love affair with magstripe. Arguably, there were commercial reasons for this, which are discussed elsewhere, but the consequence was the implementation of the PCI-DSS, a security outline that, at the time, really wasn’t fully established. The US adoption of the PCI-DSS was instrumental in pulling it from being a collection of security features into an absolute must-have mandate for magstripe.

Since then, the US has focussed on magstripe technologies, even though the US has also been forced to adopt EMV and the inevitable chip card revolution. However, from what I have seen, US banks still appear to be implementing magstripe logic to the detriment of the cardholder, where they should be using chip card logic.

Every fraud scenario I have seen works to the shimmer scammer’s advantage because the checks and balances that would have been implemented had the US adopted EMV over magstripe are largely non-existent. The PCI-DSS requires that organisations impacted by PCI-DSS protect cardholder information, and specifically, cardholder information relating to magstripe cards and transactions. It is significant that it requires no more, and in nearly 400 pages of PCI-DSS requirements, chip cards or chip card data are not mentioned at all!

Is it any wonder that if a region is hell bent on maintaining magstripe idols, and if the mandated legislation is 100% focused on maintaining magstripe security, that region is inevitably going to lock itself to the last century?

The Facilitation of the Shimmer Scammer by PCI-DSS

I have inserted my card into an ATM that has been shimmed by a shimmer scammer, and the shimmer has done its magic. The ATM and the Issuer, and me, are completely unaware, so that bit has worked.

The shimmer scammer now has a bunch of data that has been extracted from the card but is probably not going to use it to make a chip clone, because the nature of EMV means that you can’t clone a chip card. There are things that the shimmer scammer could do to emulate a chip card using the shimmed data, but the emulation would always fail – unless the ATMs, POS devices and issuing banks were party to the scam transaction or complicit in its execution. All necessary safeguards are built into the chip card transaction chain, which is explicitly designed to reject invalid attempts to transact, but NONE of these safeguards are included in the PCI-DSS. They are not needed to pass the PCI audits, so why would a bank bother?

I think the shimmer scammer is going to use the data extracted from the chip, and specifically that belonging to tag 57 – the Track 2 Equivalent Data – to write a magstripe clone, just like I did with my Argos Gift Card in my bedroom.

EMV has considered this, but if you’re only interested in magstripe, how much do you really care?

If you want the background to the Card Verification Value, I have one elsewhere, but magstripe clones created from chip card data don’t work! At least, they don’t work if the card issuer has implemented what it says in the manuals, and in the Visa manuals from 2002 (which is the one I used back in 2002), Visa recommends the use of the iCVV.

The CVV (or CVC) is a verification value that was written to the magstripe and hidden in the track 2 discretionary data, with the CVV2 coming along later to help secure MOTO and internet transactions. The CVV2 is written to the signature panel and has a different value to the CVV, so they can’t be used interchangeably. If the track 2 equivalent data is a true copy of the data on track 2 of the magstripe, then when it is extracted from the chip, it will match the magstripe data perfectly and could therefore be used to create a magstripe clone.

If all you are looking at is the PCI-DSS, how would you know?

According to the Visa manuals in 2002, the Track 2 Equivalent Data as it appears on the chip in tag 57 should not be a copy of the Track 2 Data on the magstripe, and the difference should be derived from the input to the CVV calculation (I don’t think it’s been mandated yet). The CVV and the CVV2 use the same algorithm but with a different seed. The CVV as it appears in tag 57 should also use the same CVV algorithm but this time, with another, different seed – it’s all in the manuals – and the CVV in tag 57 is called the iCVV.

So, any chip card issued should be issued with a CVV, a CVV2 and an iCVV, and they should all be different. This means that if a magstripe “clone” is created using data shimmed from the chip, the magstripe will include the iCVV rather than the CVV. This card is not a magstripe clone and it’s putting its hand up to tell you that it is not legitimate.

The card issuer should be creating all three CVV values and applying them correctly. They should also be capable of identifying the source of the transaction data: did it originate from a chip or from a magstripe?

It is easy to spot a magstripe card cloned from a chip card because the CVV check will fail every time, unless the bank is using the CVV for the iCVV, which is possible and does happen.
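As an added illustration of the CVV/iCVV logic described above (example code written for this page, not the article’s own or any issuer’s), the following Python models the issuer-side check. The real CVV values are DES-based and computed under issuer CVK keys; here an HMAC stands in for that derivation, and the key, the test PAN, the discretionary-data layout and the use of service code 999 as the iCVV seed are constructed assumptions.

```python
import hashlib
import hmac

# Constructed stand-in for the issuer's CVV derivation: the real CVV, CVV2 and
# iCVV are DES-based values computed under issuer CVK keys; an HMAC over the
# same inputs (PAN, expiry, service code) plays that role. Key is a placeholder.
ISSUER_KEY = b"constructed-issuer-cvk"

def derive_cvv(pan, expiry_yymm, service_code, key=ISSUER_KEY):
    """Three decimal digits derived from PAN, expiry and service code."""
    msg = f"{pan}{expiry_yymm}{service_code}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return "".join(c for c in digest if c.isdigit())[:3]

def personalise(pan, expiry_yymm, service_code, distinct_icvv=True):
    """Return (magstripe track 2, chip tag 57 value) for one card. The iCVV
    uses a different seed: service code 999 in the derivation (the convention
    usually described), while the real service code is written to both."""
    cvv = derive_cvv(pan, expiry_yymm, service_code)
    icvv = derive_cvv(pan, expiry_yymm, "999") if distinct_icvv else cvv
    # Constructed discretionary-data layout: four filler digits, then the CVV.
    track2 = f"{pan}={expiry_yymm}{service_code}0000{cvv}"
    tag57 = f"{pan}D{expiry_yymm}{service_code}0000{icvv}"  # tag 57 separator is 'D'
    return track2, tag57

def track2_from_tag57(tag57):
    return tag57.replace("D", "=")  # host normalises the separator to '='

def authorise(track2, entry_mode):
    """Issuer-side check: the CVV in the discretionary data must match the
    value expected for how the data arrived ('magstripe' swipe or 'chip')."""
    pan, rest = track2.split("=")
    expiry, service_code, disc = rest[:4], rest[4:7], rest[7:]
    presented = disc[-3:]
    seed = "999" if entry_mode == "chip" else service_code
    expected = derive_cvv(pan, expiry, seed)
    if hmac.compare_digest(presented, expected):
        return "approved"
    return "declined: CVV mismatch for entry mode"

def shimmed_data_swiped(tag57):
    """What the issuer sees when tag 57 data lifted from the chip arrives as a
    magstripe swipe: a correctly personalised card carries the iCVV there."""
    return authorise(track2_from_tag57(tag57), "magstripe")

if __name__ == "__main__":
    card = ("4111111111111111", "2712", "201")  # constructed test PAN
    track2, tag57 = personalise(*card)
    print("genuine swipe:", authorise(track2, "magstripe"))
    print("genuine chip :", authorise(track2_from_tag57(tag57), "chip"))
    print("shimmed swipe:", shimmed_data_swiped(tag57))
    _, lazy_tag57 = personalise(*card, distinct_icvv=False)
    print("iCVV == CVV  :", shimmed_data_swiped(lazy_tag57))
```

The last line models the weak personalisation the article mentions (issuer writes the CVV into tag 57 in place of a distinct iCVV): only then does the swiped copy of chip data pass the check.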

All this information is available to the authorisation engine, unless maybe the network isn’t capable of carrying it.

This shimmer scam works because the chip infrastructure in the US allows it; in the UK it doesn’t, and this is why you will find very little reference to shimmer scams in the UK.

Shimmer Scams, Infrastructure Costs and Transaction Liability

There are several reasons for the US adopting the PCI-DSS over a progressive route to a chip infrastructure. We know how much the magstripe card had the support of the US card industry, but that wasn’t the only consideration. There was little appetite in the US to fund the infrastructure upgrades as it would all take its toll on the bottom line. There was also no incentive for a bank to issue chip cards if the ATMs (and POS) weren’t upgraded at the same time, and vice versa.

The PCI-DSS offered a potentially favourable solution to the banks in that it shifted most of the initial work to the merchants, as that is where data breaches were happening, and transaction liabilities tended to be shifted to cardholders, especially if they used a PIN.

The infrastructure required to support the chip card transaction, and the cards themselves, was not cheap, but across the world it was seen as a collective and shared industry cost that would quickly provide payback in terms of fraud prevention, especially as fraud costs were escalating significantly.

There is more to the commercial argument, but you get the idea.

Conclusions – the Banks are Supporting the Shimmers

The support for the PCI-DSS as an approach to card and transaction security is misplaced and the result of putting profits before people. The PCI-DSS shifted primary financial responsibility for fraud to the merchants with issuers avoiding the potential liability shifts that a chip infrastructure would have applied.

Sticking with PCI-DSS has meant that US payment systems have been developed with persistent magstripe logic, and little appreciation for the paradigm shift in fraud prevention offered by chip.

Using chip data to create a magstripe card is only possible if the benefits of chip logic are dismissed in favour of magstripe – and magstripe is supported by the PCI-DSS.

The banks are supporting the shimmer scammers because they are choosing to focus on magstripe logic and processes, which can be audited against the PCI-DSS standards by auditors looking only for evidence of compromised magstripe information.

The banks have little incentive to fix this stuff; it will cost them money, and whilst they can shift the responsibility to other parties, why would they want to spend it? From what I have seen, cardholders in the US appear to be resigned to adding remedial actions to their card transactions and employing a multitude of observational techniques, attempting to prevent themselves being impacted by fraud scenarios that have been allowed to proliferate by the banks.

The US collectively followed the PCI-DSS and in so doing perpetuated across the US and the rest of the world the inherent transaction weakness that is magstripe.

The focus on magstripe has led to a naive understanding of chip capabilities, leaving the door wide open to schoolboy fraud. If it wasn’t for the banks not caring enough about the cardholder, the shimmer scammer would have no foothold – as a scam, it’s very easy to fix.
