A shimming attack represents a sophisticated cyber threat targeting the security of chip-based payment cards. Unlike older skimming techniques that focused on the magnetic stripe, shimming specifically exploits the chip technology designed to enhance transaction security. In these attacks, a perpetrator inserts a shim - a paper-thin, almost invisible device equipped with a microchip and flash storage, into the card reader slot. This device is cunningly designed to intercept and store data exchanged between the chip card and the payment terminal during a transaction. Once the data is captured, it can be extracted by the attackers, who may then replicate the card’s details to perform unauthorized transactions or sell the information on the dark web.
The operation of a shimming attack can be delineated into several discrete steps:
Insertion and Installation: Culprits discreetly insert the shim device into the card slot of a point-of-sale (POS) terminal or an ATM. Alternatively, they may surreptitiously install malicious software that acts similarly to a physical shim.
Data Interception: When a chip card is used at the compromised terminal, the shim device or malicious software captures the transaction data, including the card’s details and sometimes even the PIN if the shim is sophisticated enough.
Data Extraction: The attacker later retrieves the captured data, either by physically removing the shim device or remotely accessing the information if a software-based approach is used.
Fraudulent Use: With the stolen data, criminals can create cloned magnetic stripe cards (since replicating the chip is considerably more difficult) or initiate unauthorized transactions online where only card numbers and specific details are required.
Originating as a response to the widespread adoption of EMV (Europay, Mastercard, and Visa) chip technology, shimming attacks have evolved due to the increased security measures against skimming. Initially, chip technology significantly reduced fraud with magnetic stripe cards by making it harder to clone chips than stripes. However, as attackers adapted, shimming emerged as a method to circumvent the chip’s security features, albeit with a lower rate of success due to the inherent security strengths of chip transactions.
To safeguard against shimming attacks, both consumers and businesses can adopt various strategies:
Shimming attacks, while less common than skimming due to the advanced security features of chip technology, represent a real threat to the integrity of digital transactions. By understanding how these attacks occur and implementing comprehensive preventative measures, both consumers and businesses can significantly mitigate the risk, ensuring a safer transaction environment for all involved. The continued evolution of payment security strategies, alongside vigilance and education, remains paramount in the fight against such cybersecurity threats.