EMV (Europay, Mastercard, Visa) chips were introduced to enhance the security of payment cards and combat fraud, including skimming attacks. While
shimmers (a type of skimming device designed to target EMV cards) represent a significant threat, EMV chips are still far more secure than magnetic stripe cards. Below, we’ll explain how EMV chips work and why they make shimmers less effective compared to traditional skimming methods.
1. How EMV Chips Work
EMV chips generate
dynamic, encrypted data for each transaction, making it extremely difficult to clone or reuse the card information. Here’s how they function:
a) Dynamic Authentication
- Each time an EMV card is used, the chip generates a unique cryptogram (a one-time code) specific to that transaction.
- This cryptogram includes:
- Transaction-specific details (e.g., amount, timestamp).
- A counter to prevent replay attacks.
- Encrypted information that authenticates the card.
b) Two-Way Communication
- The chip communicates with the payment terminal in a two-way authentication process:
- The terminal verifies the authenticity of the card.
- The card verifies the legitimacy of the terminal.
c) Encryption
- All communication between the chip and the terminal is encrypted, making it nearly impossible for attackers to intercept and decode the data.
d) Offline Authentication
- Some EMV chips can perform offline authentication using stored cryptographic keys. This allows transactions to be processed even when the terminal has no internet connection.
2. Why Shimmers Are Less Effective Against EMV Chips
While shimmers can capture static data from the chip during a transaction, they cannot fully replicate the dynamic, encrypted functionality of EMV chips. Here’s why:
a) Static vs. Dynamic Data
- Magnetic Stripe Cards : Magnetic stripes store static data (e.g., card number, expiration date) that can be easily cloned and reused.
- EMV Chips : EMV chips generate dynamic data for each transaction. Even if a shimmer captures static data (e.g., card number), it cannot replicate the dynamic cryptogram required for authentication.
b) Inability to Clone the Chip
- Shimmers can only capture static data from the chip, but they cannot physically clone the chip itself. Without the chip's ability to generate dynamic cryptograms, the stolen data is incomplete and unusable for most modern transactions.
c) Limited Use of Stolen Data
- Criminals who use shimmers typically create magnetic stripe clones of EMV cards. However:
- Many modern ATMs and terminals reject magnetic stripe transactions if the card has an EMV chip.
- Transactions that require chip-and-PIN authentication cannot be completed with a cloned magnetic stripe card.
d) Enhanced Security Protocols
- Banks and payment networks have implemented additional security measures to detect fraudulent transactions. For example:
- Real-time monitoring flags suspicious activity, such as multiple failed PIN attempts or transactions in unusual locations.
- Fraud detection algorithms analyze patterns and block potentially fraudulent transactions.
3. Limitations of Shimmers
Even though shimmers can bypass some aspects of EMV security, they face several limitations:
a) Regional Differences
- In regions where EMV adoption is widespread (e.g., Europe, Canada), magnetic stripe fallback transactions are rarely allowed. This makes it harder for criminals to use cloned magnetic stripe cards.
- In regions with partial EMV adoption (e.g., some parts of the U.S.), shimmers may still exploit legacy systems that support magnetic stripe transactions.
b) Need for the PIN
- To use a cloned magnetic stripe card, criminals still need the cardholder’s PIN. Without the PIN, the card is useless for most transactions.
c) Detection and Prevention
- Anti-shimmer technology, such as sensors in card readers, helps detect and prevent shimmer attacks.
- Regular inspections and upgrades to ATMs and POS terminals reduce the risk of shimmer installation.
4. How EMV Chips Reduce the Impact of Shimmer Attacks
Even if a shimmer successfully captures static data from an EMV chip, the stolen information is far less useful than data from a magnetic stripe card. Here’s why:
a) Dynamic Cryptograms
- EMV transactions rely on dynamic cryptograms that change with each transaction. Since shimmers cannot capture or replicate these cryptograms, the stolen data cannot be used for chip-and-PIN transactions.
b) Encryption
- The communication between the chip and the terminal is encrypted, making it nearly impossible for shimmers to decode the transmitted data.
c) Fallback Restrictions
- Many payment networks and banks have disabled magnetic stripe fallback transactions for cards with EMV chips. This means that even if a criminal creates a magnetic stripe clone, it will likely be rejected by modern terminals.
d) Fraud Monitoring
- Banks and payment processors monitor transactions for signs of fraud. If a cloned card is used, the bank can quickly identify and block the fraudulent activity.
5. Why Shimmers Still Pose a Threat
Despite the enhanced security of EMV chips, shimmers remain a threat due to the following factors:
a) Legacy Systems
- Some ATMs and terminals still allow magnetic stripe fallback transactions, especially in regions with partial EMV adoption.
b) Human Error
- Users may inadvertently reveal their PIN through hidden cameras or keypad overlays, enabling criminals to use cloned cards.
c) Exploiting Weaknesses
- Criminals often target older or poorly maintained ATMs and terminals that lack anti-shimmer technology.
6. How to Protect Yourself from Shimmer Attacks
Even though EMV chips make shimmers less effective, it’s still important to take precautions:
a) Use Contactless Payments
- Whenever possible, use contactless payment methods like Apple Pay, Google Pay, or tap-to-pay cards. These methods are much harder to compromise than chip or magnetic stripe transactions.
b) Inspect the ATM
- Look for signs of tampering, such as loose components or unusual objects near the card reader.
- Wiggle the card reader to ensure it is securely attached.
c) Cover Your PIN
- Always shield the keypad with your hand while entering your PIN to block hidden cameras.
d) Monitor Your Accounts
- Regularly check your bank statements for unauthorized transactions.
- Enable transaction alerts to stay informed about account activity.
e) Report Suspicious Activity
- If you suspect an ATM has been compromised, notify the bank or ATM operator immediately.
7. Conclusion
EMV chips significantly enhance the security of payment cards and make shimmers far less effective than traditional skimming methods. By generating dynamic, encrypted data for each transaction, EMV chips prevent criminals from cloning cards or reusing stolen information. However, shimmers still pose a threat in regions with legacy systems or weak security measures.
To stay safe:
- Use EMV-enabled cards and contactless payments whenever possible.
- Stay vigilant when using ATMs and report any suspicious activity to your bank.
By understanding how EMV chips work and taking proactive steps, you can protect yourself from shimmer attacks and other forms of card fraud.
EMV chips kill card cloning – Dynamic codes make stolen data useless.
1. Dynamic Authentication (One-Time Cryptograms)
2. Chip-and-PIN/PIN-Only Authorization
3. No Magstripe Fallback in Secure Regions
5. Declining Profitability for Criminals
Key Takeaways
