1

Correct me if I'm wrong, but before EMV cards were introduced in the U.S., thieves would use card skimmers on ATMs and point-of-sale (POS) terminals (such as gas pumps) to steal the CVV1, which would allow them to create counterfeit cards and purchase things in stores, but they would still be unable to purchase things online, because they lacked access to the CVV2 number on the back of the card.

What I don't understand is how card shimmers work? Based on what I've read on the issue, there are three types of CVVs; CVV1, which is located on the magnetic stripe of a debit or credit card; CVV2, which is the number on the back of Visa cards; and CVV3, which is a dynamic value that's stored on the chip of EMV cards. Specifically, what kind of CVV does a card shim steal, and how can a thief make a magnetic stripe counterfeit card of an EMV card using a shim? Wouldn't the thief need access to the CVV1 located on the magnetic stripe?

Lastly, can card skimmers still steal the CVV1 of EMV cards, when, for instance, I decide to swipe the card at an old gas pump, instead of "dipping" the chip part of the card?

Edit: Just to be clear, the way this would work is, it would allow a thief to make a counterfeit magnetic stripe credit or debit card, with some special code on the magnetic stripe that would be able to fool an EMV point-of-sale terminal into forwarding the information on the counterfeit card to the card issuer, which would then decide whether or not to approve the transaction.

jojo5389

1 Answer

1

Someone has done research on your question, in a whitepaper named "It Only Takes A Minute to Clone a Credit Card, Thanks to a 50-Year-Old Problem" (pdf).

Researchers create magstripe versions from EMV and contactless cards: Banking industry loophole reported more than a decade ago still remains open and ripe for exploitation today.

The way it works is that the shimmer records the signed static data produced by the card in order to identify itself to the terminal. The data contains identifying details about the account, account holder and the issuing bank. These details are enough to reproduce a fraudulent magstripe card. What that data lacks is the CVV1 for the magstripe and the PIN.

What shimmer makers discovered is that some banks treat CVV1 as optional and still accept the magstripe transaction even if the CVV1 is incorrect. To learn the PIN, shimmers downgrade how cardholder verification should be performed, as the communication between the card and terminal is not authenticated.

The issuer sets priority for the acceptable ways that can be used for cardholder verification.

  • 4 - Online PIN verification

  • 3 - Offline encrypted PIN verification

  • 2 - Offline Plaintext PIN verification

  • 1 - No PIN verification

  • 0 - Manually compare cardholder signature (deprecated)

The terminal and card agree on a priority level which is supported by both. The shimmer downgrades the supported methods to offline plaintext verification and learns the PIN. However, the decision is made by the card, and it can reject the transaction if the terminal doesn't support encrypted PIN verification.

Another method is to capture a heat map of the PIN pad just after the customer leaves. This approach is quite a bit easier and scalable.

Most of the banks today set at least offline encrypted PIN verification for point-of-sale devices, and without a correct CVV in a magstripe transaction, it is declined. But some banks are not enforcing this standard.

defalt
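
The negotiation and card-side rejection described in the answer above, modeled as an added Python example that is not part of the original post. It uses the answer's simplified priority numbers rather than real EMV data encoding; `card_minimum` and the sample method sets are assumptions constructed for illustration.

```python
from enum import IntEnum


class CVM(IntEnum):
    # Priority values as listed in the answer (higher = preferred)
    SIGNATURE = 0
    NO_PIN = 1
    OFFLINE_PLAINTEXT_PIN = 2
    OFFLINE_ENCRYPTED_PIN = 3
    ONLINE_PIN = 4


def negotiate(card_supported, terminal_supported, card_minimum=None):
    """Return the highest-priority method both sides support, or None to decline.

    card_minimum is a hypothetical card-side policy: the lowest method the
    card will accept. None means the card accepts whatever is negotiated.
    """
    common = set(card_supported) & set(terminal_supported)
    if not common:
        return None
    chosen = max(common)
    if card_minimum is not None and chosen < card_minimum:
        return None  # card rejects the downgraded verification method
    return chosen


def pin_exposed_on_contacts(method):
    """Only offline plaintext PIN crosses the chip contacts unprotected."""
    return method == CVM.OFFLINE_PLAINTEXT_PIN


# Constructed sample data (not from the page).
CARD = {CVM.NO_PIN, CVM.OFFLINE_PLAINTEXT_PIN,
        CVM.OFFLINE_ENCRYPTED_PIN, CVM.ONLINE_PIN}
TERMINAL = set(CARD)
# What the card sees when the unauthenticated capability list was altered.
TAMPERED = {CVM.NO_PIN, CVM.OFFLINE_PLAINTEXT_PIN}

if __name__ == "__main__":
    for label, seen in (("genuine", TERMINAL), ("tampered", TAMPERED)):
        lax = negotiate(CARD, seen)
        strict = negotiate(CARD, seen, card_minimum=CVM.OFFLINE_ENCRYPTED_PIN)
        print(f"{label}: lax card -> {lax!r}, "
              f"PIN exposed: {pin_exposed_on_contacts(lax)}; "
              f"strict card -> {strict!r}")
```

A `None` result for the strict card on the tampered list corresponds to the card rejecting the transaction rather than accepting plaintext PIN verification.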