
Recently shimmers made a lot of noise in the news and became popular for installation in ATMs, as they are very small. Can they be installed inside chip and pin devices? Or where else can they be installed? How do you protect yourself from them?

UPDATE: By chip and pin devices I meant the type of chip and pin devices that are small and typically used to pay in restaurants, shops, etc. - POS terminals.

Like the one on the picture:

[image: chip and pin device]

Peter
  • Do you mean *skimmers*? Skimmers are devices that are typically found on gas station pumps and ATMs, fit over the existing card reader, and are used by thieves to collect credit card numbers. – Ogre Psalm33 Feb 11 '17 at 18:59
  • @OgrePsalm33 , shimmers work similarly to skimmers. Only you have to have a special card to download data from them. Just google images for shimmers and you will see how small they are – Peter Feb 11 '17 at 19:06
  • [Krebs On Security: ATM ‘Shimmers’ Target Chip-Based Cards](https://krebsonsecurity.com/2017/01/atm-shimmers-target-chip-based-cards/) probably answers the question, i.e. if it is possible and how to protect yourself. – Steffen Ullrich Feb 11 '17 at 19:20
  • @SteffenUllrich , the link answers the question about protection, but there is no information about chip and pin devices. – Peter Feb 11 '17 at 19:44
  • @Peter: what exactly do you mean by "chip and pin device"? The shimmer is installed in the ATM or POS terminal, which is the device communicating with the chip on the card and which is reading the PIN. And the article I've linked to shows and describes the shimmers which get installed there. Or do you mean the card itself? – Steffen Ullrich Feb 11 '17 at 20:07
  • @SteffenUllrich , I updated the question and added some clarification. Yeah, I meant POS terminal (I just didn't know the exact name of that device). All the articles I read talk about ATMs and I was curious if it can be installed inside a POS terminal (as it's small). – Peter Feb 11 '17 at 20:19
  • @Peter: In the article you will find image descriptions like *"A close-up of a shimmer **found inside a point-of-sale device** in Canada."* or *"Several shimmers recently **found inside Canadian point-of-sale devices**"*. Thus it is obviously possible. – Steffen Ullrich Feb 11 '17 at 20:28

1 Answer

It's not possible to "skim" a chip'n'pin card in the regular sense, as the card has an encryption key (EMV) that is used to calculate a response to a challenge sent from the terminal, both of which will be verified by the bank. The key is known only by the bank and by the card.

The name "shimmers" came from a portmanteau of the words "shim" and "skimmers"; shim refers to something thin, think padlock shims that are used to open spring-loaded padlocks. The "skimmer cards" are so thin that they fit between the actual payment card and the reader. Such "smart card" shims are also used to illegally tamper with operator-locked mobile phones so they can be used with any operator. (Basically, the shim resides between the operator SIM and the phone, "lying" to the phone that a SIM from the right operator is inserted.)

However, there are 2 cases where a chip card can be misused, despite the security features:

1: It's possible to skim the details of the card, EXCLUDING the CVV, as these are stored in clear text on the card (it's mainly required to store these details in clear text because the bank must know which encryption key to use to verify the result of the transaction). This card number and expiry date can be used at any web shop where the CVV is not required.

However, such a transaction would be easy to dispute, as according to the standards, an initial transaction MUST have a CVV unless it's a recurring transaction (the CVV may not be stored anywhere). A bank can easily verify whether you had any initial CVV-enabled transaction with that merchant. (Even if the initial authorizing transaction is later cancelled because the merchant doesn't want to charge right now, it still counts as an initial transaction.)

Also, the merchant very often takes the hit if VbV/3DS is not used.

2: If a merchant does not have a valid online connection, the extra high security of the chip cannot be used. Instead an "offline transaction" will be used, where the card reader asserts it has verified the PIN (or performed a signature transaction) correctly against the smart card, and supplies a static signature/authorization code to the bank. Since the card reader has no means to verify that a genuine card was used, it either has to deny all cards (so no goods are given to someone with a fraudulent card), or the bank has to accept all cards, including fraudulent ones (so a genuine cardholder cannot use a fraudulent copy of his own card to obtain goods and then claim he doesn't know anything about it).

This means it's possible to clone a chip card and use it in an offline terminal, along with the right PIN, or by signature.

The main defense to this is to require online verification of cards. Normally, a terminal is set to only allow a certain number of offline transactions before forcefully going into online mode (e.g., refusing to process offline transactions). This number is set by the acquirer, depending on the agreement with the merchant. In some cases, the terminal can request phone authorization, where the card will be validated "online" via a phone call made by the merchant. An issuer can also require online verification by setting certain flags and bits in the static data portion of the card; then a terminal that lacks a connection will refuse to process the transaction. (This can be set specifically per transaction amount, and differently depending on whether PIN, signature or no cardholder verification is used.)

Note that an "online only" card can STILL be used for offline processing if a terminal is incorrectly set up, e.g. not following the EMV standard. A bank that conforms to the EMV standard should then refuse to process such transactions, as the merchant was told at processing time that the bank will not accept offline transactions.

The article that was linked refers to this second method. "Not verifying the dynamic CVV value" basically means that the bank allows transactions to be processed offline, either by allowing offline transactions based on the flags, or by processing offline transactions even though the card's flags say that it may only be used online.

Note that for offline transactions, the CVV is never verified, not even the magstripe CVV for a mag transaction. The reason is the same one I outlined above: if the cardholder modifies the CVV value on the card or produces a counterfeit copy of his card, the cardholder could then purchase goods and claim the transaction was made with a counterfeit card, and so not have to pay for the goods.

That's why a transaction with an invalid CVV or cryptogram response that was made offline MUST go through if the card's flags indicate offline transactions are permitted, regardless of the validity of the response. (The invalid CVV or cryptogram response can however be used to automatically block* the card for future transactions.)

*And the same here: a bank MUST process a transaction made offline on an offline-permitting card, even if the card is barred (e.g., you called the bank's hotline and told them you lost your card), until a specific time passes. There's a set limit of time that must pass before the card is definitely barred; this time is the interval the merchant has to update its blacklist. This is why transactions may appear on your account despite your having called and told them you have lost the card. The list of lost cards must be distributed to every offline terminal, and those might only refresh their list of lost cards every 6/12/24 hours.

sebastian nielsen
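The answer's central point (a clone built from shimmed static data has no key, so it fails the challenge-response check online but can be accepted by a terminal processing offline) can be illustrated with a small simulation. This is an added example written for this page, not the answer's code and not EMV itself: the HMAC-SHA256 "cryptogram", the PANs, the keys, the `online_only` flag and the terminal's offline limit are all constructed stand-ins for the real EMV data elements.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed issuer key store: hypothetical PANs and keys, not real EMV key material.
PAN_OFFLINE_OK = "4111111111111111"   # issuer permits offline processing
PAN_ONLINE_ONLY = "4222222222222222"  # issuer flagged the card "online only"
ISSUER_KEYS = {
    PAN_OFFLINE_OK: bytes.fromhex("000102030405060708090a0b0c0d0e0f"),
    PAN_ONLINE_ONLY: bytes.fromhex("101112131415161718191a1b1c1d1e1f"),
}
ISSUER_ONLINE_ONLY = {PAN_OFFLINE_OK: False, PAN_ONLINE_ONLY: True}


def _mac(key: bytes, pan: str, expiry: str, amount: int, un: bytes) -> bytes:
    """Challenge-response MAC over transaction data plus the terminal's
    unpredictable number; stands in for the EMV cryptogram."""
    msg = f"{pan}|{expiry}|{amount}|".encode() + un
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


@dataclass
class Card:
    pan: str
    expiry: str
    online_only: bool            # flag the terminal reads from the card's static data
    key: Optional[bytes] = None  # None models a clone holding only shimmed static data

    def respond(self, amount: int, un: bytes) -> bytes:
        if self.key is None:
            # The clone never had the key, so it cannot compute a valid response.
            return secrets.token_bytes(8)
        return _mac(self.key, self.pan, self.expiry, amount, un)


def issuer_verify(pan: str, expiry: str, amount: int, un: bytes, resp: bytes) -> bool:
    """Online authorisation: the issuer recomputes the MAC under its copy of the key."""
    key = ISSUER_KEYS.get(pan)
    if key is None:
        return False
    return hmac.compare_digest(_mac(key, pan, expiry, amount, un), resp)


def issuer_settle_offline(pan: str) -> bool:
    """A standard-conforming issuer refuses to settle an offline transaction on an
    online-only card, even if a misconfigured terminal approved it."""
    return not ISSUER_ONLINE_ONLY.get(pan, True)


@dataclass
class Terminal:
    online: bool                     # has a working connection to the acquirer
    honours_card_flags: bool = True  # False models a terminal not following the standard
    offline_limit: int = 2           # offline transactions allowed before forcing online
    offline_count: int = 0

    def authorize(self, card: Card, amount: int) -> str:
        un = secrets.token_bytes(4)  # fresh challenge for every transaction
        resp = card.respond(amount, un)
        if self.online:
            ok = issuer_verify(card.pan, card.expiry, amount, un, resp)
            return "approved-online" if ok else "declined-online"
        # Offline path: the terminal holds no key, so it cannot check the response.
        if card.online_only and self.honours_card_flags:
            return "declined-card-requires-online"
        if self.offline_count >= self.offline_limit:
            return "declined-offline-limit-reached"
        self.offline_count += 1
        return "approved-offline"  # accepted regardless of the response's validity


def run_scenarios() -> dict:
    """Genuine card vs. shimmed clone at online, offline and misconfigured terminals."""
    genuine = Card(PAN_OFFLINE_OK, "12/29", online_only=False, key=ISSUER_KEYS[PAN_OFFLINE_OK])
    clone = Card(PAN_OFFLINE_OK, "12/29", online_only=False)      # static data only
    clone_oo = Card(PAN_ONLINE_ONLY, "12/29", online_only=True)    # clone of an online-only card
    bad_terminal = Terminal(online=False, honours_card_flags=False)
    return {
        "genuine@online": Terminal(online=True).authorize(genuine, 2000),
        "clone@online": Terminal(online=True).authorize(clone, 2000),
        "clone@offline": Terminal(online=False).authorize(clone, 2000),
        "clone_oo@offline": Terminal(online=False).authorize(clone_oo, 2000),
        "clone_oo@bad_offline": bad_terminal.authorize(clone_oo, 2000),
        "issuer_settles_clone_oo": issuer_settle_offline(PAN_ONLINE_ONLY),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:26s} -> {outcome}")
```

Running it shows the genuine card approved online and the clone declined online, the same clone approved by an offline terminal, the online-only flag stopping the clone at a terminal that honours it, and, where a misconfigured terminal approves anyway, the issuer refusing settlement. The offline counter on `Terminal` mirrors the acquirer-set limit the answer describes: after `offline_limit` offline approvals the terminal declines until it goes online.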