As you know, the modern banking system is not perfect. And there are people who use it for their own ends. Fraudsters tirelessly invent new and original ways to steal funds from citizens from payment cards.
What is shimming?
Today shimming is one of the most dangerous methods of fraud with bank "plastic", which is an improved version of the well-known skimming. Thanks to this technology, an attacker can easily find out the number and PIN-code of his victim's card using an ATM. Cisco emphasizes that every year bank customers lose millions of dollars from this type of fraud, which is especially popular in Europe.
How the shimmer works
The device itself - a shimmer - is a flexible thin "shim" board (0.1 mm; thinner than a human hair), which is discreetly inserted into the card reader of the self-service terminal using a carrier card. The board connects to contacts that read information from the magnetic stripe, and does not interfere with the normal servicing of bank cards. Thus, the fraudster receives all the necessary data entered by the users of the ATM, after which he makes duplicate cards and empties other people's card accounts.
If earlier, to copy information from cards, criminals had to use bulky covers on ATMs (skimming devices), then shimming devices are absolutely invisible from the outside. Such devices are rather difficult to manufacture, but experts say that some criminal groups were able to establish the production of "shims".
What is the situation in Russia
The new method of fraud is quite actively practiced in some European countries. According to Ivan Strigin, a systems engineer at Diebold in the Russian Federation and the CIS, no cases of the use of this technology in our country have yet been reported.
Thus, on the territory of Russia, shimming has not yet been able to replace skimming or phishing, which is popular among fraudsters (installing mechanical devices on ATMs - probes and hooks that prevent the client from removing the card from the card reader). In our country, cybercriminals prefer to use other, cheaper, methods of stealing funds from payment cards:
How to deal with shimming
If traditional methods can be used to counteract skimming (do not share the PIN code with third parties and do not write it down on the back of the card, cover the keyboard with your palm when entering a password, connect SMS informing about card account transactions, use ATM machines located in public places and located under security, do not leave a receipt in the terminal, pay attention to the appearance of the ATM device, set limits on expenditure transactions, etc.), then the user cannot protect himself from shimming attacks, since external devices cannot be detected.
Market participants recommend purchasing cards with built-in chips, since it is extremely difficult to copy data from a chip (scammers do not undertake to counterfeit new generation cards, since it is very expensive and difficult). When using "plastic" with a microprocessor, the ATM performs authorization not according to the data of the magnetic stripe, but according to the data of the chip. If the device cannot perform authorization by the microchip, it creates an operation of the "Fallback" type. In almost all cases of fraud with chip cards, the responsibility will lie with the credit institution serving the ATM, and the client will be able to protest such an operation and return the money.
What are ATM manufacturers and banks doing
To counter all currently known skimming attacks on ATMs (including shimming), ATM terminal manufacturers develop and implement anti-skimming solutions and remote monitoring services (for example, Diebold ATM SecurityProtectionSuite). To combat fraud, innovative devices are used that create an electromagnetic field around the self-service terminal and prevent the skimmer / shimmer from reading data from the magnetic stripe of the payment card in the card reader. Thus, the personal information of the owner of the "plastic" is safe. But it is worth remembering that such advanced ATMs are installed mainly in large cities.
Banks, in turn, are massively switching to the issue of cards with a built-in chip. A new-generation card can be obtained instead of the traditional BOD with a magnetic stripe upon its expiration, or it can be issued at any time as a supplement to the current account. The use of a microprocessor can significantly increase the level of protection of the "plastic".
According to experts, despite the launch of new technological solutions aimed at maximizing the protection of confidential data of bank clients, the level of fraud continues to grow. Therefore, market participants recommend that Russians use the card to pay for purchases in trade and service enterprises, and not to withdraw cash from an ATM.
Banking technologies are constantly improving, and fraudsters who invent new ways to steal funds from citizens do not stand still. Thus, in order to protect themselves and their savings from the encroachments of intruders, clients of financial institutions need to constantly keep abreast of current trends, follow the news and remember the basic security rules when using payment cards.
What is shimming?
Today shimming is one of the most dangerous methods of fraud with bank "plastic", which is an improved version of the well-known skimming. Thanks to this technology, an attacker can easily find out the number and PIN-code of his victim's card using an ATM. Cisco emphasizes that every year bank customers lose millions of dollars from this type of fraud, which is especially popular in Europe.
How the shimmer works
The device itself - a shimmer - is a flexible thin "shim" board (0.1 mm; thinner than a human hair), which is discreetly inserted into the card reader of the self-service terminal using a carrier card. The board connects to contacts that read information from the magnetic stripe, and does not interfere with the normal servicing of bank cards. Thus, the fraudster receives all the necessary data entered by the users of the ATM, after which he makes duplicate cards and empties other people's card accounts.
If earlier, to copy information from cards, criminals had to use bulky covers on ATMs (skimming devices), then shimming devices are absolutely invisible from the outside. Such devices are rather difficult to manufacture, but experts say that some criminal groups were able to establish the production of "shims".
What is the situation in Russia
The new method of fraud is quite actively practiced in some European countries. According to Ivan Strigin, a systems engineer at Diebold in the Russian Federation and the CIS, no cases of the use of this technology in our country have yet been reported.
Thus, on the territory of Russia, shimming has not yet been able to replace skimming or phishing, which is popular among fraudsters (installing mechanical devices on ATMs - probes and hooks that prevent the client from removing the card from the card reader). In our country, cybercriminals prefer to use other, cheaper, methods of stealing funds from payment cards:
- installation of a miniature video camera next to the ATM to steal the PIN-code and personal information of the client;
- interception of the PIN code during its transfer from the keyboard to the ATM computer using wire taps in the ATM or remote recording of electromagnetic radiation from the wiring of the self-service terminal;
- manipulations with the ATM OS - hackers invade the ATM computer network and receive information about card accounts (for this, virus programs are created that spread through the Network and can harm the ATM computer);
- capture and withdrawal of cash from the bill acceptor.
How to deal with shimming
If traditional methods can be used to counteract skimming (do not share the PIN code with third parties and do not write it down on the back of the card, cover the keyboard with your palm when entering a password, connect SMS informing about card account transactions, use ATM machines located in public places and located under security, do not leave a receipt in the terminal, pay attention to the appearance of the ATM device, set limits on expenditure transactions, etc.), then the user cannot protect himself from shimming attacks, since external devices cannot be detected.
Market participants recommend purchasing cards with built-in chips, since it is extremely difficult to copy data from a chip (scammers do not undertake to counterfeit new generation cards, since it is very expensive and difficult). When using "plastic" with a microprocessor, the ATM performs authorization not according to the data of the magnetic stripe, but according to the data of the chip. If the device cannot perform authorization by the microchip, it creates an operation of the "Fallback" type. In almost all cases of fraud with chip cards, the responsibility will lie with the credit institution serving the ATM, and the client will be able to protest such an operation and return the money.
What are ATM manufacturers and banks doing
To counter all currently known skimming attacks on ATMs (including shimming), ATM terminal manufacturers develop and implement anti-skimming solutions and remote monitoring services (for example, Diebold ATM SecurityProtectionSuite). To combat fraud, innovative devices are used that create an electromagnetic field around the self-service terminal and prevent the skimmer / shimmer from reading data from the magnetic stripe of the payment card in the card reader. Thus, the personal information of the owner of the "plastic" is safe. But it is worth remembering that such advanced ATMs are installed mainly in large cities.
Banks, in turn, are massively switching to the issue of cards with a built-in chip. A new-generation card can be obtained instead of the traditional BOD with a magnetic stripe upon its expiration, or it can be issued at any time as a supplement to the current account. The use of a microprocessor can significantly increase the level of protection of the "plastic".
According to experts, despite the launch of new technological solutions aimed at maximizing the protection of confidential data of bank clients, the level of fraud continues to grow. Therefore, market participants recommend that Russians use the card to pay for purchases in trade and service enterprises, and not to withdraw cash from an ATM.
Banking technologies are constantly improving, and fraudsters who invent new ways to steal funds from citizens do not stand still. Thus, in order to protect themselves and their savings from the encroachments of intruders, clients of financial institutions need to constantly keep abreast of current trends, follow the news and remember the basic security rules when using payment cards.
