Skimmers are miniature devices that are inserted into ATM card readers. Skimmers read data from magnetic tapes of bank cards, which can then be used to "clone" these cards. However, the growing popularity of the EMV standard for chip card transactions has forced cybercriminals to gradually move away from the use of skimmers. Since the data on EMV cards is not stored on magnetic tape, but on an integrated microcircuit, skimmers cannot read them. But shimmers can.
For the first time, it became known about shimmers back in 2016. These devices are much smaller than skimmers and are usually placed between the chip and the chip reader in ATMs or PoS terminals. With the advent of EMV, shimmers began to gradually replace skimmers, according to information security company Flashpoint. There is currently a lot of demand for customized shimmers offered on underground forums, according to the researchers.
In theory, chip cards cannot be "cloned" due to the iCVV check value, which is different from the CVV on magnetic tapes. iCVV prevents the copying of data from the chip and the creation of "cloned" cards.
Another security measure is to protect ATMs with Card Protection Plate (CPP). This mechanism makes it impossible to place any objects in the card collector, and it is very difficult to get around it, even with the help of shimmers. However, according to Flashpoint, workarounds still exist, and they depend on how carefully banks verify transactions, in particular iCVV.
Incorrect implementations of the EMV standard make it easier for attackers to attack less secure Static Data Authentication (SDA) cards, which are gradually being replaced by Dynamic Data Authentication (DDA) and Combined Data Authentication (CDA). Some shimmer sellers on clandestine forums even offer CPP detectors, as well as tools for inserting and extracting shimmers from ATMs.
