Shimming, Not Skimming: Thieves Target Chip Cards

First came the warning about skimming but now officials are warning about shimming.

Skimming is when hackers attach a device to places where you swipe your debit card and steal personal information through the magnetic strip. Shimmers are paper-thin devices hidden inside the credit card machine slot, so when someone inserts their card, the information can be compromised. 

Amber Kellogg believes she was a victim of shimming. She doesn’t use cash, so when she saw two back-to-back ATM withdrawals totaling $400 on her bank statement, Kellogg called Chase to report suspicious activity.

At first, Kellogg said Chase told her the bank would return her money, but then didn't because they said chip cards like Kellogg’s can’t be hacked.

"They told me there's no way someone could have used my card at an ATM without my physical card," Kellogg said.

But Kellogg insists her card never left her possession.

Jill Gonzalez, who works for personal finance website WalletHub, said Kellogg was likely a victim of shimming.

"Unfortunately your information can still be compromised, even though that's kind of why these chips were created," Gonzalez said. "Shimmers are on the inside of the slot, very flat devices. You don't really feel anything when you're inputting your card."

Security experts said the thieves can’t clone a chip card but they can copy the data they steal onto a magnetic strip. They can use the counterfeit card by swiping it at an ATM or payment terminal.

"As a person that uses their debit card every day, it's scary. It's really unnerving," Kellogg said.

After NBC OTS reached out to Chase, the bank put $400 back in Kellogg’s account.

In a statement, Chase said victims of fraud should contact the bank immediately.

While shimming is hard for consumers to spot, it should be easy for banks to prevent with chip cards. Security experts said shimming only works if banks skip a basic and crucial step during verification.

There are actually three different credit verification values (CVV) in a chip card – one encoded into the magnetic stripe, the number visible on the back of the card and one stored in the card’s chip. The one in the chip is known as the iCVV. 

While the data collected by shimmers cannot be used to counterfeit chip cards, it can be used to make fake magnetic-stripe cards. However, since the chip and strip have different CVVs, counterfeit cards can be immediately detected during transaction authorization and declined. It is up to the issuer to check the CVV when authorizing a transaction and prevent fraud.

Contact Us