I am sure that this video is aiming to educate its viewers on protecting themselves against ATM fraud. Its effectiveness, however, is undermined by technical inaccuracies and a superficial grasp of how payment networks, card processing systems, and banking infrastructure (should) operate.

It looks like the scams discussed in this video are limited to the USA, because it’s unlikely they would work anywhere else.

A line by line analysis of the shimmer scam

Follow the video and read the story. Then, draw your own conclusions.
We can miss out the first few lines as they are setting the scene, presenting a story about you visiting a gas station and then finding your accounts drained in the morning.
 
And the Sherlock Homie makes the point that YOU did everything right, you didn’t swipe your card, you used the chip, so what’s going on?

Shim or Shimmer

He’s talking about shims, or shimmers if you’re in the US, but they are the same thing. A shim sits in the ATM card slot, undetected by the ATM and invisible to you, and like a man in the middle, it listens to the conversation between the chip and the ATM card reader.

These shims are highly sophisticated devices – developed using a considerable amount of ATM know-how and EMV application knowledge – that pass transaction data from chip to ATM and back again, but store only the data needed for “cloning” cards. Authorisation data generated in the course of the transaction has very little value but would occupy a significant amount of the available memory space when compared to the data retrieved from the chip. It would also add significant overheads to any wireless transmissions from shim to receiver.

a card shimmer

Shimmer Attacks on the Increase – in the US

Spot the clip of Jimmy’s card being cloned using a magstripe card reader. It is certainly possible to copy, and then very easy to clone a magstripe card, but the data content of the magstripe is very different to the data content of the chip. 
 
Interested in the information stored on a Payment Card? Have a look at the Payment Monkey Introduction to Payment Cards.
 
Around about this time in the video, Sherlock Homie makes the point that these attacks are on the increase and they are happening across the country. This is true on both counts, but what is much more interesting is that it’s mainly happening in one country and that country is the US.
 
It is also easy to argue that much of the card fraud in the US is caused by the banks failing to implement chip card technology properly, with the retailers, network operators and cardholders allowing them to get away with it. This fraud isn’t happening in the rest of the world – a bold statement but on the whole, accurate!  

Chip Card Data Content

A shimmer is a high-tech version of a skimmer. True, they can both extract data from a plastic payment card but there is one significant and fundamental difference, accepting that there is more chip data than the equivalent magstripe data. The difference is that every bit of information encoded onto a magstripe can be read, copied and used to create a clone whereas not all the data used by the chip card can be accessed from the outside. There is information contained in the chip and available to the chip processors that cannot be read by a shimmer, or any other device or process!
 
A scammer using a shimmer to collect chip data does NOT have enough information to be able to clone a chip card – this is not possible because some of the data used to generate an authorisation request is hidden.
 
So when the Sherlock Homie says that the scammers can make a “PERFECT CARBON COPY OF YOUR DEBIT CARD”, it simply IS NOT true!
 
There is a caveat, however. It is technically possible to extract the magstripe data from a chip card and use this to “clone” a magstripe card from your chip card. However, this is ONLY possible if the bank has set up the chip cards INCORRECTLY or has failed to implement the simple authorisation checks that would identify the “cloned” magstripe as a chip-derived counterfeit.

Shimmers – a US phenomenon

Shimmers are not showing up everywhere. They are showing up in the United States because that’s where the easy pickings are. They don’t show up much in the UK, for example, because the systems in the UK don’t support the shim processes. 
 
Of course, you can extract the data from a chip in the UK just as easily as you could in the US – the data is meant to be easily accessible, that’s how it works! However, in the UK, you can’t do anything with the data, because that’s how the UK (and the rest of the world) has implemented its payment systems. The US could do the same but chooses not to!

PIN Stuff

Now, this PIN stuff. Yes, they do install tiny cameras and yes, they do install fake PIN Pads, and yes, they may even be peering over your shoulder, but the PIN is only a small element of chip security. If it is not possible to clone a card using the data that can be collected from a chip, then the PIN argument is irrelevant.
 
The PIN argument is used by the banks as a deflection mechanism, passing transaction responsibility to the cardholder when it should sit with the issuer. Of course, this doesn’t apply if you lose your card and it has your PIN written on it. Hmmm! That’s your fault! 
 
And just for good measure, the PIN can be anything between 4-digits and 12-digits long. See how long is a PIN? for more. 
a Halifax debit card with a 12-digit PIN
Banks are not your friend.

Accountability

It’s about accountability.
 
It sure is, but I’ll say again because it needs to be said. We use the same technologies, but this fraud does not happen in the UK. 
 
I designed one of the first Chip and PIN issuing services in the UK, in 2002, and we issued 12.5 million cards. We got everything right, nearly! We (I) initially made an EMV implementation schoolboy error, along with most of the other UK issuers, because we hadn’t implemented the Card Verification Values properly. In our defence – and the design was reviewed and the mistake was missed – we were essentially first in the world, so the odd error could be expected. The schoolboy error allowed magstripe clones to be created using data extracted from the chip, which is what we are seeing in the US, 23 years later. We fixed this unfortunate feature quickly, before too much damage had been done, but learned the lesson.
 
The ability to clone a magstripe card from chip data is caused by a configuration error on the part of the issuing bank. It’s been known about since 2003 and it’s easy to fix.
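
The issuer-side check behind that fix, and behind the caveat under “Chip Card Data Content”, as an added example that is not from the video, this post's original text or any bank's system: the chip's track 2 image should carry an iCVV (computed with service code 999) rather than the stripe's CVV, and a magstripe authorisation presenting the iCVV should be declined. Assumptions: HMAC stands in for the real DES-based CVV algorithm, and the key, card number, track layout, entry-mode strings and verdict names are constructed for illustration.

```python
import hashlib
import hmac

CVK = b"constructed-demo-key"  # constructed; real card verification keys live in an HSM
ICVV_SERVICE_CODE = "999"      # service code substituted when computing the chip's iCVV

def cvv(pan, expiry, service_code, key=CVK):
    """Stand-in for the DES-based CVV algorithm: keyed 3-digit value (HMAC here)."""
    msg = f"{pan}{expiry}{service_code}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1000:03d}"

def build_track2(pan, expiry, service_code, value):
    """Assumed layout: PAN=YYMM + service code + 5 filler digits + verification value."""
    return f"{pan}={expiry}{service_code}00000{value}"

def parse_track2(track2):
    pan, rest = track2.split("=", 1)
    if not (pan.isdigit() and rest.isdigit() and len(rest) >= 10):
        raise ValueError("malformed track 2 data")
    return pan, rest[:4], rest[4:7], rest[-3:]

def verify(track2, entry_mode):
    """Issuer-side check: the presented value must match the interface it arrived on."""
    pan, expiry, service_code, presented = parse_track2(track2)
    stripe_cvv = cvv(pan, expiry, service_code)
    chip_icvv = cvv(pan, expiry, ICVV_SERVICE_CODE)
    if entry_mode == "chip":
        # The chip cryptogram must also verify; that step is outside this sketch.
        return "CVV_OK" if hmac.compare_digest(presented, chip_icvv) else "DECLINE_BAD_ICVV"
    if entry_mode == "magstripe":
        if hmac.compare_digest(presented, stripe_cvv):
            return "CVV_OK"
        if hmac.compare_digest(presented, chip_icvv):
            return "DECLINE_CHIP_DATA_ON_STRIPE"
        return "DECLINE_BAD_CVV"
    raise ValueError(f"unknown entry mode: {entry_mode}")

PAN, EXPIRY, SERVICE = "4111111111111111", "2912", "201"  # constructed card
STRIPE = build_track2(PAN, EXPIRY, SERVICE, cvv(PAN, EXPIRY, SERVICE))
# Weak personalisation: the chip image repeats the stripe's CVV.
CHIP_WEAK = STRIPE
# Correct personalisation: the chip image carries the iCVV instead.
CHIP_GOOD = build_track2(PAN, EXPIRY, SERVICE, cvv(PAN, EXPIRY, ICVV_SERVICE_CODE))

if __name__ == "__main__":
    for label, image in (("weak", CHIP_WEAK), ("correct", CHIP_GOOD)):
        print(label, "chip data replayed as magstripe ->", verify(image, "magstripe"))
```

With the weak personalisation the chip image is indistinguishable from the stripe, so the magstripe check passes; with the iCVV in place the same replay is recognised as chip-derived and declined.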
 
It’s about accountability.

Sound Advice – on the whole

DO NOT USE YOUR PIN
This is the issuing bank deflecting responsibility for the transactions. The PIN is only of value if the scammer has a viable card, and that’s the responsibility of the issuer.
 
It is sensible, however, to keep it under wraps.
 
SKIP THE SWIPE AND THE CHIP – INSTEAD USE TAP TO PAY
If the cards are implemented and personalised properly, it really makes no difference.
 
AVOID SKETCHY OR ISOLATED ATMS
Another example of deflection. If the cards were issued according to the appropriate card standards, it does not matter how shabby the ATM might look. The integrity lies in the transaction.
 
SET UP REAL TIME TRANSACTION ALERTS
Sensible, but again the recommendation is a deflection technique. A properly implemented card system would not suffer this avoidable fraud activity, and it shouldn’t be the responsibility of the cardholder to monitor the bank’s operations. 
 
Can’t hurt though as it might help you cut down your own spending.
 
ALWAYS CHECK YOUR CARD READER
Reasonable advice, but if shimmers weren’t a viable fraud proposition, they wouldn’t be in widespread usage.

This is preventable

The scammers are stepping up their game. The banks should too! 
