Home Advice & How-ToIdentity What Is Shimming? How Criminals Steal Your Credit Card Info
Home Advice & How-ToIdentity What Is Shimming? How Criminals Steal Your Credit Card Info

What Is Shimming? How Criminals Steal Your Credit Card Info

by Fred Decker

Not so very long ago, there were a lot of headlines about a type of data theft called “skimming.”  Criminals added their own illicit data-capture devices to legitimate ATM or payment terminals and used them to steal your card’s information.  The scammers would then duplicate your card and cheerfully max it out.  

The advent of chip cards was intended to provide a hedge against skimming and similar threats.  It has worked well, by and large, but criminals can now do an end run around your card’s chip-driven security features through a newer technique called “shimming.”  It’s not as obvious as skimming, so it’s harder to know if you’ve been victimized.  Here’s what you need to know about it.

Skimming and Shimming

Skimming was always a relatively clumsy operation.  Disassembling an ATM or payment terminal to install a bogus reader is seldom an option, so they were designed to install over the existing, legitimate card readers.  That meant there were typically telltale signs you could watch for, such as a bad color match with the rest of the machine or fit-and-finish issues. 

To get the PIN as well as the card number, scammers required a little extra ingenuity.  In retail settings they could simply “shoulder surf” and try to catch your PIN visually, by eye or with their phone camera.  At ATMs and unattended settings, they could install a pinhole camera to record your hand movements, or even a bogus PIN pad that would directly record the buttons you pushed. 

Chip cards made those attacks largely obsolete, because inserting your chip card in a retail terminal bypasses the swipe reader entirely, and ATMs won’t read the strip if a chip is detected.  Unfortunately, crime rings can afford to fund a lot of illicit research and development, and they found a way around some of the chip’s protections.  Instead of a bulky reader, they insert a tiny circuit board — a shim — into a chip-card reader, where it’s largely undetectable.  When you insert your card, it can read the information from your chip

Shimming Attacks Have Limits

The good news is that even a successful shimming attack can’t make a duplicate of your chip card.  The chip was designed with built-in security features that prevent it from being duplicated.  The bad news is that the chip contains all of the information that’s encoded in your magnetic strip, and that can be duplicated. 

So while scammers aren’t able to make a perfect copy of your credit card, they can make a “good enough” copy.  It’ll work in any ATM or debit terminal that still has swiping as an option, and of course it’s just as good as your original card for online shopping. 

The bottom line?  Scammers can still max out your credit in a hurry if you use your card in the wrong machine. 

Shimming Attacks: What to Look For

Spotting the shim is just about impossible, because it’s a tiny, wafer-thin board that’s inserted directly into the machine’s card slot.  The only tangible way to know it’s there is that your card may stick a bit when you’re trying to insert it.  That’s actually how one of the first shims was detected in the wild: a Canadian retailer testing its point-of-sale terminals noticed that cards weren’t inserting smoothly in one of them, and found shims when the terminal was disassembled. 

Most banks and retailers won’t be very sympathetic if you ask to tear down their machines, so you’ll need to rely on other methods to protect yourself.  Before you use a payment terminal or ATM, take a moment to look around and check for signs of cameras, a PIN-pad overlay or a potential shoulder surfer loitering nonchalantly in the vicinity.  If you do feel an unusual degree of friction when you insert your card, don’t take chances: use another machine instead. 

The machines most likely to be tampered with are those that aren’t monitored and aren’t in an employee’s line of sight (the back pumps at a gas station, for example), so avoid those if you can.  Retailers can take some steps to make shimming more difficult, but often if a shimmer is detected it’s because a vigilant customer reported spotting something dodgy. 

Spotting Trouble After the Fact

It’s always good to be vigilant when you’re using your card — especially in an unfamiliar place — but the harsh reality is that shims are really, really hard to spot.  If you’re ever the victim of a shimming attack, you probably won’t know it until your credit card’s evil twin is up and running. 

So, bad news: your first warning will often come when you have a purchase declined because you’re already at your limit.  Alternatively, you may recognize that something’s amiss when you look at your monthly statements or check your accounts online and find a number of purchases you didn’t make. 

Sometimes, to their credit (no pun intended), it will be your bank or credit card provider that sounds the alarm.  Those institutions are ultimately on the hook for any losses due to fraud, and they have suitably robust algorithms to detect unusual use on an account.  That might be an uncharacteristic buying pattern, or a rash of purchases outside your normal geographic area.  Either way, if you get an alert from your provider, take it seriously.

What to Do After a Shimming Attack

Your first few steps will be the same no matter how your card has been compromised.  First, reach out to the card provider’s fraud department and alert them — if they weren’t the ones to alert you — that there’s fraudulent activity on your card (don’t delay; it’s a lot harder to dispute charges after 60 days). Next, contact Experian, TransUnion and Equifax to place a fraud alert or credit freeze on your account at each of those credit-reporting agencies. 

After that, you’ll need to report your loss to the pertinent authorities.  Start with the FTC’s IdentityTheft.gov website, which will walk you through the creation of a useful step-by-step checklist designed to minimize the damage and speed your recovery.  You should also report your case to the FBI’s Internet Crime Complaint Center (IC3) and potentially to local law enforcement, if you haven’t been traveling and suspect that the criminals were operating locally. 

If you have reason to believe your card’s data was stolen through shimming, you should also give a heads-up to the retailer or institution where you think the attack took place.  This is easiest to spot if it’s a card you seldom use, because it narrows down the list of potential shimming sites pretty drastically.  Whatever the circumstances, be specific: lay out in detail the date and time of the suspected incident, and which machine you used.  It’s just possible that security footage from the site might have captured the shimmer in action. 

Don’t Forget the Merchants

After you’ve viewed your statements and learned where the cloned card was used, it’s often worth reaching out to those merchants.  If the transactions were conducted in person, there’s a chance the criminals may have been caught on camera or have left behind a clue that could lead to identifying them.  A few years ago, for example, the wife of one fraud victim used Spokeo to track down the criminal through a phone number he’d used, and forwarded his identity to the police. 

In the case of online purchases, the merchants may be able to provide useful information such as a delivery address, an email address or phone number that was used by the purchaser, or the IP address where the order originated.  None of these is necessarily conclusive in its own right (many can be faked), but taken together they can help tighten the net around a suspect. 

It’s not that police forces can’t or won’t run down this kind of information themselves, but a bit of (legal) citizen sleuthing on your part can help grease the wheels.  Police have lots of cases to juggle and prioritize, but you’re interested in just one.  If you can use Spokeo’s search tools to track down a phone number or an email address, that saves them the corresponding investment in time and effort. 

Protecting Yourself From Shimming

Proverbially, an ounce of prevention beats a pound of cure.  That’s definitely the case with shimming and skimming.  The best way to avoid both is also the simplest: if tapping is an available option, using your card or a payment app on your phone, do it.  A card that’s never inserted can’t be duplicated. 

Otherwise, your best defense is your own vigilance.  That includes physically checking the machine where you plan to use your card, as detailed earlier, and making a conscious choice to pick the safest locations: in a bank or store rather than outdoors or in a vestibule, and whenever possible in a place where either security cameras or staffers can keep eyes on their machines.  Conceal the PIN pad with your other hand as you enter your PIN, in case there’s a camera watching. 

Finally, be proactive and check your statements (and online accounts) diligently.  The earlier you can catch a potential scammer, the less scope they have to cause you trouble.