
Payment Card Skimmers (Shimmers)

A payment card skimmer or credit card skimmer is a device installed on credit card readers by criminals and used to collect and steal credit card data. This credit card data can then be used by criminals to make fraudulent purchases.

Skimmers are often found at automated teller machines (ATMs), gas stations, restaurants, retail stores, and other locations where card data is collected. A payment card skimmer installation may also include a camera so that criminals can observe card holders' PIN numbers during entry. Fake overlay keypads are often placed over the actual keypads. These fake keypads are well designed and very difficult to detect. In addition, they may blend into the overall design of the ATM or gas pump.

Credit card skimmers also depend on reading the data from the magnetic stripe on a credit card or ATM card. This data includes the card number, expiration date, and the cardholder’s name. 

Once this data is captured, it can be extracted later to support fraud and theft of assets. The thief can use this information to make purchases on retail websites; these are called card-not-present transactions. Thieves usually also have enough information to make a duplicate fake credit card. This skimmed data is sent to criminal organizations internationally, where counterfeit credit cards are manufactured. Card data can also be used to support identity theft: it can help criminals set up additional fraudulent accounts in your name or even arrange for loans. Finally, they always have the option of selling the information on the dark web.

So, where do these charges go? Directly to the monthly statement for the individual whose card data has been stolen! Most of us need to get more used to monitoring the details of our monthly statements and watching for fraudulent transactions. The software run by credit card companies uses machine learning and AI to monitor transactions and will often spot these unusual charges on your account, especially if they come from two widely separated geographic locations on the same day!
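As an added illustration (not from the original page, and not any card issuer's actual model), the "two distant locations on the same day" signal can be approximated with a simple velocity rule over card-present transactions. The sample transactions, the 900 km/h speed ceiling, and the 50 km minimum distance are constructed assumptions.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

MAX_PLAUSIBLE_KMH = 900.0   # assumption: roughly airliner cruising speed
MIN_DISTANCE_KM = 50.0      # assumption: ignore nearby terminals and location noise

# Constructed sample data: (card_id, ISO timestamp, lat, lon, merchant)
SAMPLE_TXNS = [
    ("card-A", "2024-03-01T08:15:00", 40.7128, -74.0060, "NYC gas pump"),
    ("card-A", "2024-03-01T09:05:00", 40.7306, -73.9866, "NYC cafe"),
    ("card-A", "2024-03-01T11:30:00", 34.0522, -118.2437, "LA electronics"),
    ("card-B", "2024-03-01T07:00:00", 51.5074, -0.1278, "London ATM"),
    ("card-B", "2024-03-01T19:00:00", 48.8566, 2.3522, "Paris hotel"),
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def flag_impossible_travel(txns, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Flag consecutive uses of one card that imply an implausible travel speed."""
    alerts, last_seen = [], {}
    # Order each card's transactions by time before comparing neighbours.
    ordered = sorted(txns, key=lambda t: (t[0], datetime.fromisoformat(t[1])))
    for card, ts, lat, lon, merchant in ordered:
        when = datetime.fromisoformat(ts)
        prev = last_seen.get(card)
        if prev is not None:
            p_when, p_lat, p_lon, p_merchant = prev
            km = haversine_km(p_lat, p_lon, lat, lon)
            hours = (when - p_when).total_seconds() / 3600
            # Two uses at the same instant far apart count as infinite speed.
            speed = km / hours if hours > 0 else float("inf")
            if km >= min_km and speed > max_kmh:
                alerts.append({"card": card, "from": p_merchant, "to": merchant,
                               "km": round(km), "kmh": speed})
        last_seen[card] = (when, lat, lon, merchant)
    return alerts

if __name__ == "__main__":
    for alert in flag_impossible_travel(SAMPLE_TXNS):
        print(alert)
```

The rule only makes sense for card-present transactions, where the terminal's location is known; card-not-present purchases need other signals.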

How can you identify a credit card skimmer?

Credit card skimmers can often be spotted visually because the fake overlay credit keypad is placed manually, by a criminal, during a period when they believe they are not being observed. The criminal also doesn’t generally put fake overlay keypads in place at all of the gas pumps, so you may be able to look around the nearest pumps and quickly discern a peculiarity. 

The fake overlay keypad is often held in place by double-stick tape, a friction fitting, or perhaps externally placed tape, possibly resulting in slight but noticeable misalignment between the fake keypad and the actual keypad beneath it. The criminal doesn’t have much time to put the phony overlay keypad in place, so often the fit isn’t quite right. When you touch the keypad, there may be unusual play or movement, and it may almost seem loose. Buttons that seem too hard to push are another warning sign that a fake overlay keypad may have been installed. There are also generally inspection stickers taped on the panel. If these are damaged, that is a good warning sign of tampering.

In general, recognized bank ATMs are to be preferred over non-bank ATMs. You typically find these non-bank ATMs inside small retail outlets, bars, hotel lobbies, gas stations, and other similar locations. Also, use a credit card, which provides certain protections for you and is generally safer than a debit card. A debit card, together with the capture of your PIN, enables criminals to drain your bank account. This type of loss is more complicated to recover from. Federal law generally limits credit card losses. Some credit card companies offer non-liability or zero-liability terms. If the card data or card is stolen, you will likely not be held liable for any unauthorized fraudulent charges.

Chip-based credit cards are the safest

In general, the new generation of chip credit cards is the safest, but only if you use the chip and don’t use the optional magnetic stripe on the cards. In theory, these became mandatory for use, even in gas stations, towards the end of 2020, but in practice.

So what’s a shimmer?

Shimmers are devices that criminals use to capture data, even on the new chip-based cards. Instead of being mounted on the card keypad, a shimmer is placed inside the card reader. A shimmer is an electronic chip engineered to the tolerances required to fit into the standard slot on a card reader. The low profile, which is often close to that of a piece of paper, and relatively small size, make a shimmer much more challenging to identify. Shimmers are capable of intercepting and storing the data from a chip-based card.

