Why Fraudsters Have Shifted to 'Shimming' Attacks
In Post-EMV World, Unattended Terminals Are New Targets
As U.S. merchants shore up physical point-of-sale security by upgrading their terminals to accept EMV chip cards, attackers are turning their aim toward unattended self-service terminals, such as ATMs and self-service gas pumps.
While the EMV fraud liability shift date for U.S. merchants was Oct. 1, Visa's and MasterCard's liability shift date for self-serve gas pumps is not until Oct. 1, 2017. For ATMs, the liability shift is Oct. 1, 2016, for MasterCard and Oct. 1, 2017, for Visa.
Those EMV liability shift dates for the U.S. market are having a global impact on fraud.
In October, the European ATM Security Team reported that global card-skimming losses rose 18 percent in the first six months of 2015 compared with the same period in 2014; skimming accounted for 131 million euros (U.S. $149 million) of the 156 million euros (U.S. $177.5 million) in ATM-related fraud losses reported for the first half of 2015 (see Why ATM Fraud Will Continue to Grow).
And Jeremy King, international director of the PCI Security Standards Council, a featured presenter at Information Security Media Group's London Fraud Summit on Oct. 27, says the PCI Council is warning European banks and merchants to brace for upticks in e-commerce, POS, ATM and pay-at-the-pump fraud.
EMV is deployed in most European markets, King points out. But without tokenization and end-to-end encryption, fraudsters can still intercept relevant card data during any EMV transaction - and that's precisely what an emerging type of attack known as "shimming" is doing.
ATM manufacturer NCR Corp. has just issued a security alert about what it called "significant" increases this year in the reported number of ATM skimming attacks. The increase has been attributed to a number of factors, including new techniques that circumvent anti-skimming technology and EMV.
One of those techniques, "shimming," first raised alarms over the summer, after EMV-compliant ATMs in Mexico had been compromised.
A shimmer is a device that's placed inside the ATM's or self-service pump's card reader to intercept communications between the chip card and the chip reader. Information that can be intercepted includes the primary account number and expiration date.
In its alert, NCR points out that shimming attacks remain alive and well, but they're only successful if issuing banks fail to appropriately authorize card transactions.
"The attack is exploited by copying the captured chip data onto a magnetic stripe," NCR notes. "But correct implementation of EMV will detect this during authorization, thus preventing the attack."
NCR says card shimming, unlike typical card skimming, does not try to capture mag-stripe data. What's more, the data intercepted from a chip card cannot be reused to create a counterfeit mag-stripe card, "because chip data and mag-stripe data have different [card verification values]," NCR adds. "The only way for this attack to be successful is if an issuer neglects to check the CVV when authorizing a transaction. All issuers MUST make these basic checks to prevent this category of fraud. Card shimming is not a vulnerability with a chip card, nor with an ATM, and therefore it is not necessary to add protection mechanisms against this form of attack to the ATM."
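As an added illustration (not NCR's or this article's code), the following models the issuer-side check NCR describes: the chip's Track 2 Equivalent data carries an iCVV derived with service code 999 rather than the card's real service code, so chip data replayed from a magnetic stripe fails the CVV comparison unless the issuer skips it. The keyed derivation is a simplified stand-in for the real CVV algorithm, and all keys and card data are constructed.

```python
import hashlib
import hmac

# Assumption: a truncated HMAC stands in for the issuer's real CVV derivation
# (a 3DES-based function of PAN, expiry and service code under the issuer's
# CVK pair). It keeps the property that matters: the output depends on the
# service code, so CVV (real code) and iCVV (code 999) differ.
ISSUER_CVK = b"constructed-issuer-key"   # constructed sample key
ICVV_SERVICE_CODE = "999"                # iCVV is derived with service code 999


def derive_cvv(pan, expiry, service_code, key=ISSUER_CVK):
    """Three-digit verification value for the given PAN, expiry and service code."""
    msg = f"{pan}{expiry}{service_code}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1000:03d}"


def parse_track2(track2):
    """Split 'PAN=YYMMSSSCVV' (service code SSS, then the verification value)."""
    pan, _, rest = track2.partition("=")
    return {"pan": pan, "expiry": rest[:4], "service_code": rest[4:7], "cvv": rest[7:10]}


def authorize(track2, entry_mode, check_cvv=True):
    """Issuer decision for a swipe ('magstripe') or chip read ('chip')."""
    t = parse_track2(track2)
    if not check_cvv:
        return "APPROVED"   # the negligent issuer NCR warns about
    # A chip read must carry the iCVV; a swipe must carry the stripe CVV.
    sc = ICVV_SERVICE_CODE if entry_mode == "chip" else t["service_code"]
    expected = derive_cvv(t["pan"], t["expiry"], sc)
    return "APPROVED" if hmac.compare_digest(expected, t["cvv"]) else "DECLINED: CVV mismatch"


# Constructed sample card: the same PAN and expiry on stripe and chip.
PAN, EXP, SC = "4111111111111111", "2012", "201"
genuine_stripe = f"{PAN}={EXP}{SC}{derive_cvv(PAN, EXP, SC)}"
chip_track2_equivalent = f"{PAN}={EXP}{SC}{derive_cvv(PAN, EXP, ICVV_SERVICE_CODE)}"
# What a shimmer captures is the chip data; written to a stripe it carries the iCVV.
cloned_stripe = chip_track2_equivalent

if __name__ == "__main__":
    print("genuine swipe:", authorize(genuine_stripe, "magstripe"))
    print("chip read:    ", authorize(chip_track2_equivalent, "chip"))
    print("cloned swipe: ", authorize(cloned_stripe, "magstripe"))
    print("no CVV check: ", authorize(cloned_stripe, "magstripe", check_cvv=False))
```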
Shimming losses can be prevented with proper transaction authorization, and traditional skimming attacks can be thwarted by simply having bank branch and retail staff regularly inspect ATMs and self-serve gas pumps.
Randy Vanderhoof, executive director of the Smart Card Alliance and director of the EMV Migration Forum, says shimming attacks have been well documented. Most banks, by now, should be well aware of how to detect a cloned card created with data compromised by a shimmer, he says.
"I believe there is ample information shared about such attacks among financial institutions and credit unions," Vanderhoof says. "The existence of lax security measures to prevent known vulnerabilities is going to be part of the learning curve that all card issuers, ATM operators and merchants have to deal with among the mirage of different threats that are out there. This is not a reflection on the security of EMV, but, rather, a case of poor execution of security."
So, fair warning: We may see attacks against self-service devices on the rise. But fraud losses can be controlled if we continue sharing information about the attack trends we see and applying the lessons learned from other markets.