The move to chip-based cards has created a higher barrier for hackers seeking to steal payment information — and a stronger challenge for cybersecurity professionals who want to prevent them from finding ways around those obstacles.
Attackers had been relying on skimmers, tough-to-spot devices that steal card information from the magnetic strip as users insert the cards into an ATM or gas pump. With the advent of EMV chips, hackers are beginning to turn to “shimmers,” very thin cards that contain an embedded microchip and flash storage.
These devices can be slotted directly inside card readers and are difficult to spot due to their sleek profile. They can remain in place for weeks or months, as regular data downloads allow criminals to create fake cards and make fraudulent purchases.
Some attackers are even using “virtual skimmers,” placing malware on a device remotely to gain information without even touching the device.
One Skimmer Holds Data on 80 Credit Cards
While there is little data yet on the relatively new shimmer technology, the U.S. Secret Service recovers between 20 and 30 skimmers a week, with each skimmer containing information on 80 cards, NBC News reports.
“There is growing interest in custom-built shimmers advertised in online illicit communities,” notes a blog post on the Flashpoint website. “Some vendors also sell tools to detect CPPs [card protection plates] and produce videos describing their shimmer placement and removal tools.”
Hackers can’t use the devices to clone chip cards, but they can replicate the data from cards’ magnetic strips, which is enough to engage in fraudulent activity, notes CreditCards.com.
In addition to inadvertently providing the material for that fraudulent activity, retailers may also find themselves on the receiving end, as fraudulent cards created with the stolen data show up in their stores.
University of Florida researchers have developed ways for retailers to spot those cards. They found that account data encoded on legitimate cards is typically imprinted in uniform, consistent patterns, while cloned cards are usually created by hand with inexpensive equipment that results in “jitter” in the placement of digital information on a card’s strip.
The research is particularly promising for preventing the creation of fraudulent gift cards, reports Krebs on Security, because gift cards aren’t embedded with chips due to the added expense. The solution, which focuses on magnetic strips rather than EMV chips, also works to detect fraudulent debit and credit cards.
Physical Security Measures Can Stop Credit Card Data Thieves
At the most basic level, stores can decrease their risk of falling victim to fraudulent cards — and, by extension, processing payments that are based on credentials stolen from people who may be their own customers — by implementing EMV chip technology if they haven’t already.
To reduce the risk of shimming, retailers can implement contactless payment systems, including tap-and-go credit cards and mobile pay, which make it impossible for shimmers to read card data, reports CreditCards.com.
If retailers and ATM operators prefer to rely on physical payment terminals, there are other steps to take. Retailers can physically attach card readers to checkout counters, preventing the device from being stolen and hindering attempts at tampering. One option for this approach is a Kensington lock, which can physically tether card readers to a secure connection via a port lock.
On the high-tech side, retailers can work with technology partners to create a GPS-based or wireless digital perimeter that automatically disables point-of-sale terminals if they’re taken outside of a store. Retailers can also create whitelisting rules that allow a payment terminal to physically function only when it is being used in conjunction with trusted and approved applications.
For a simpler solution, retailers should implement a secure process for managing keys that allow servicing on payment terminals. They can also check their payment terminals daily to see if anything is amiss. In fact, that’s how one Canadian retailer discovered shimmers on its own card readers.
“This retailer was doing daily checks to make sure everything was working properly on their four POS machines, and during one of those checks, they noticed that the test card they use wasn’t going in and out smoothly,” Canadian law enforcement officer Michael McLaughlin told CreditCards.com. “So they took the machine apart and found this shimmer inside. It’s a really good illustration of how a basic, low-tech technique can defeat high-tech crime.”