I had the opportunity to discuss the problem of card skimming at length in a recent interview with Fox 26 Houston. The piece hinged on a particularly startling new stat: there’s been a 700% spike in the card skimming activity since 2021.
What’s most concerning is that this surge in skimming attacks have occurred even despite EMV mandates. So, what’s going on? Are skimmers making a comeback?
Yes and no. While traditional skimming is still on the decline, a new practice called card “shimming” is taking its place.
Credit card shimmers are devices designed to illegally capture data stored inside EMV-compliant debit and credit cards. Shimmers are very small, thin devices that can be inserted into a card terminal and can read EMV microchip data, much in the same way that skimmers can read magstripe data.
Shimmers vs. Skimmers
Skimmers and shimmers both fit inside the card terminal directly between the card and the reader. These devices are so tiny that they’re very difficult for users to detect.
Where they differ is that skimmers rely on the static information stored in magnetic stripe cards to steal card credentials. That data can then be copied and uploaded to a counterfeit magstripe card. If you don’t swipe, they can’t copy or clone this data.
Shimmers, on the other hand, capture data located inside the EMV microchip that is embedded into your card. The data collected will then be offloaded wirelessly via a small radio module attached to the device.
What Can We Expect?
Shimmers are much less common than skimmers, at least for now. As EMV chips increasingly become the standard, though, it’s only a matter of time before shimmers become a much bigger problem.
Shimmers are still relatively new. We don’t have a way to accurately diagnose the scale of the risks associated with these devices.
We can say that we’ll begin to see more shimming attacks in the near future. How bad the problem might be remains to be seen. The implications, however, are pretty serious.
Given all the time and resources poured into EMV mandates, we could be back at square one for in-person fraud. Not only that, but we must also contend with surges in card-not-present fraud resulting from the initial EMV liability shift. Online scammers won’t leave online channels and go back to brick-and-mortar; they’ll just take advantage of the opportunity to commit more fraud.
How to Prevent Credit Card Shimming
Cardholders should opt for the newest security features whenever available. Specifically, they should look for gas stations, grocery stores, and shops that allow for the use of contactless NFC (near-field communications) technology to complete transactions. Also, consider using mobile wallet apps like Apple Pay or Google Pay, which also facilitate contactless payments.
As for merchants, one can encourage more effective fraud prevention methods by turning away from outdated technology in favor of more secure options.
- Discourage Use of Magstripes: Shimmers are ineffective without a functional magstripe reader to complete the crime. For instance, if a customer needs to pay with a card that lacks an EMV chip, merchants should revert to checking the user’s ID and matching it to the card in question. Better safe than sorry.
- Go Contactless: Although contactless payments utilize the same CVV3 technology as EMV chip cards, that data isn’t accessible through a physical skimmer. It’s almost impossible to access through wifi or some other wireless means.
- Enable Mobile Wallet Payments: Mobile payments like Apple Pay and Google Pay are also impervious to shimming scams and for the same reasons. Without a physical card to insert, a shimmer cannot read the data.
However this plays out, card shimmers may very well shape the future of card-present payments. The sooner you embrace the technology that can deter these attacks, the better.