WASHINGTON–Another report indicates that chip cards can be hacked.
Security blogger Brian Krebs reported that fraud experts in Mexico have discovered a new ATM skimming device that can be inserted into the mouth of the cash machine’s card acceptance slot and used to read data directly off of chip-enabled credit or debit cards.
The tech is called a “shimmer” because it acts a shim that sits between the chip on the card and the chip reader in the ATM — recording the data on the chip as it is read by the ATM, Krebs explained.
Krebs reported that according to Damage Control S.A., a security and investigations company based in Mexico, this device was found inside a Diebold Opteva 520 with Dip reader–readers used for EMV cards that require consumers to briefly insert their card and then quickly remove it. Krebs said that Damage Control didn’t say whether the shimmer was accompanied by a component to steal card PINs, such as a hidden camera or PIN pad overlay, Krebs said.
Krebs added that FIs can run a simple check to see if any card inserted into an ATM is a counterfeit magnetic stripe card that is encoded with data stolen from a chip card.
“But there may be some instances in which banks are doing this checking incorrectly or not at all during some periods, and experts say the thieves have figured out which ATMs will accept magnetic stripe cards that are cloned from chip cards,” said Krebs.
“This suggests to me that the thieves plan to target an issuer where they know the CVV is not going to be checked,” Charlie Harrow, solutions manager for global security at NCR, an ATM manufacturer, told Krebs.