Not so very long ago, there were a lot of headlines about a type of data theft called \u201cskimming.\u201d Criminals added their own illicit data-capture devices to legitimate ATM or payment terminals and used them to steal your card\u2019s information. The scammers would then duplicate your card and cheerfully max it out. <\/p>\n\n\n\n
The advent of chip cards was intended to provide a hedge against skimming and similar threats. It has worked well, by and large, but criminals can now do an end run around your card\u2019s chip-driven security features through a newer technique called \u201cshimming.\u201d It\u2019s not as obvious as skimming, so it\u2019s harder to know if you\u2019ve been victimized. Here\u2019s what you need to know about it.<\/p>\n\n\n\n
Skimming was always a relatively clumsy operation. Disassembling an ATM or payment terminal to install a bogus reader is seldom an option, so they were designed to install over the existing, legitimate card readers. That meant there were typically telltale signs you could watch for, such as a bad color match with the rest of the machine or fit-and-finish issues. <\/p>\n\n\n\n
To get the PIN as well as the card number, scammers required a little extra ingenuity. In retail settings they could simply \u201cshoulder surf\u201d and try to catch your PIN visually, by eye or with their phone camera. At ATMs and unattended settings, they could install a pinhole camera to record your hand movements, or even a bogus PIN pad that would directly record the buttons you pushed. <\/p>\n\n\n\n
Chip cards made those attacks largely obsolete, because inserting your chip card in a retail terminal bypasses the swipe reader entirely, and ATMs won\u2019t read the strip if a chip is detected. Unfortunately, crime rings can afford to fund a lot of illicit research and development, and they found a way around some of the chip\u2019s protections. Instead of a bulky reader, they insert a tiny circuit board \u2014 a shim \u2014 into a chip-card reader, where it\u2019s largely undetectable. When you insert your card, it can read the information from your chip<\/a>. <\/p>\n\n\n\n The good news is that even a successful shimming attack can\u2019t make a duplicate of your chip card. The chip was designed with built-in security features that prevent it from being duplicated. The bad news is that the chip contains all of the information that\u2019s encoded in your magnetic strip, and that can<\/em> be duplicated. <\/p>\n\n\n\n So while scammers aren\u2019t able to make a perfect copy of your credit card, they can make a \u201cgood enough\u201d copy. It\u2019ll work in any ATM or debit terminal that still has swiping as an option, and of course it\u2019s just as good as your original card for online shopping. <\/p>\n\n\n\n The bottom line? Scammers can still max out your credit in a hurry if you use your card in the wrong machine. <\/p>\n\n\n\n Spotting the shim is just about impossible, because it\u2019s a tiny, wafer-thin board that\u2019s inserted directly into the machine\u2019s card slot. The only tangible way to know it\u2019s there is that your card may stick a bit<\/a> when you\u2019re trying to insert it. That\u2019s actually how one of the first shims was detected in the wild: a Canadian retailer testing its point-of-sale terminals noticed that cards weren\u2019t inserting smoothly in one of them, and found shims when the terminal was disassembled. <\/p>\n\n\n\n Most banks and retailers won\u2019t be very sympathetic if you ask to tear down their machines, so you\u2019ll need to rely on other methods to protect yourself. Before you use a payment terminal or ATM, take a moment to look around and check for signs of cameras, a PIN-pad overlay or a potential shoulder surfer loitering nonchalantly in the vicinity. If you do feel an unusual degree of friction when you insert your card, don\u2019t take chances: use another machine instead. <\/p>\n\n\n\n The machines most likely to be tampered with are those that aren\u2019t monitored and aren\u2019t in an employee\u2019s line of sight (the back pumps at a gas station, for example), so avoid those if you can. Retailers can take some steps<\/a> to make shimming more difficult, but often if a shimmer is detected it\u2019s because a vigilant customer reported spotting something dodgy. <\/p>\n\n\n\n It\u2019s always good to be vigilant when you\u2019re using your card \u2014 especially in an unfamiliar place \u2014 but the harsh reality is that shims are really, really<\/em> hard to spot. If you\u2019re ever the victim of a shimming attack, you probably won\u2019t know it until your credit card\u2019s evil twin is up and running. <\/p>\n\n\n\n So, bad news: your first warning will often come when you have a purchase declined because you\u2019re already at your limit. Alternatively, you may recognize that something\u2019s amiss when you look at your monthly statements or check your accounts online and find a number of purchases you didn\u2019t make. <\/p>\n\n\n\n Sometimes, to their credit (no pun intended), it will be your bank or credit card provider that sounds the alarm. Those institutions are ultimately on the hook for any losses due to fraud, and they have suitably robust algorithms to detect unusual use on an account. That might be an uncharacteristic buying pattern, or a rash of purchases outside your normal geographic area. Either way, if you get an alert from your provider, take it seriously.<\/p>\n\n\n\n Your first few steps will be the same no matter how your card has been compromised. First, reach out to the card provider\u2019s fraud department and alert them \u2014 if they weren\u2019t the ones to alert you \u2014 that there\u2019s fraudulent activity on your card (don\u2019t delay; it\u2019s a lot<\/em> harder to dispute charges after 60 days). Next, contact Experian, TransUnion and Equifax to place a fraud alert or credit freeze on your account at each of those credit-reporting agencies. <\/p>\n\n\n\n After that, you\u2019ll need to report your loss to the pertinent authorities. Start with the FTC\u2019s IdentityTheft.gov<\/a> website, which will walk you through the creation of a useful step-by-step checklist designed to minimize the damage and speed your recovery. You should also report your case to the FBI\u2019s Internet Crime Complaint Center (IC3)<\/a> and potentially to local law enforcement, if you haven\u2019t been traveling and suspect that the criminals were operating locally. <\/p>\n\n\n\n If you have reason to believe your card\u2019s data was stolen through shimming, you should also give a heads-up to the retailer or institution where you think the attack took place. This is easiest to spot if it\u2019s a card you seldom use, because it narrows down the list of potential shimming sites pretty drastically. Whatever the circumstances, be specific: lay out in detail the date and time of the suspected incident, and which machine you used. It\u2019s just possible that security footage from the site might have captured the shimmer in action. <\/p>\n\n\n\n After you\u2019ve viewed your statements and learned where the cloned card was used, it\u2019s often worth reaching out to those merchants. If the transactions were conducted in person, there\u2019s a chance the criminals may have been caught on camera or have left behind a clue that could lead to identifying them. A few years ago, for example, the wife of one fraud victim used Spokeo to track down the criminal<\/a> through a phone number he\u2019d used, and forwarded his identity to the police. <\/p>\n\n\n\n In the case of online purchases, the merchants may be able to provide useful information such as a delivery address, an email address or phone number that was used by the purchaser, or the IP address where the order originated. None of these is necessarily conclusive in its own right (many can be faked), but taken together they can help tighten the net around a suspect. <\/p>\n\n\n\n It\u2019s not that police forces can\u2019t or won\u2019t run down this kind of information themselves, but a bit of (legal) citizen sleuthing on your part can help grease the wheels. Police have lots of cases to juggle and prioritize, but you\u2019re interested in just one. If you can use Spokeo\u2019s search tools<\/a> to track down a phone number or an email address, that saves them the corresponding investment in time and effort. <\/p>\n\n\n\n Proverbially, an ounce of prevention beats a pound of cure. That\u2019s definitely the case with shimming and skimming. The best way to avoid both is also the simplest: if tapping is an available option<\/a>, using your card or a payment app on your phone, do it. A card that\u2019s never inserted can\u2019t be duplicated. <\/p>\n\n\n\n Otherwise, your best defense is your own vigilance. That includes physically checking the machine where you plan to use your card, as detailed earlier, and making a conscious choice to pick the safest locations: in a bank or store rather than outdoors or in a vestibule, and whenever possible in a place where either security cameras or staffers can keep eyes on their machines. Conceal the PIN pad with your other hand as you enter your PIN, in case there\u2019s a camera watching. <\/p>\n\n\n\n Finally, be proactive and check your statements (and online accounts) diligently.\u00a0 The earlier you can catch a potential scammer, the less scope they have to cause you trouble.\u00a0<\/p>\n\n\n\n Not so very long ago, there were a lot of headlines about a type of data theft called \u201cskimming.\u201d Criminals added their own illicit data-capture devices to legitimate ATM or…<\/p>\n","protected":false},"author":112,"featured_media":26508,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[810],"tags":[],"class_list":["post-26507","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-identity"],"yoast_head":"\nShimming Attacks Have Limits<\/h2>\n\n\n\n
Shimming Attacks: What to Look For<\/h2>\n\n\n\n
Spotting Trouble After the Fact<\/h2>\n\n\n\n
What to Do After a Shimming Attack<\/h2>\n\n\n\n
Don\u2019t Forget the Merchants<\/h2>\n\n\n\n
Protecting Yourself From Shimming<\/h2>\n\n\n\n
Sources<\/h3>\n\n\n\n
\n