Bad Guys Are Already Compromising Chip and PIN Cards

The adoption of chip-and-PIN technology for payment cards is starting to happen in North America, in the name of improving security for consumers, merchants and card issuers alike. Unfortunately, this is also forcing the bad guys to innovate, as evidenced by a new kind of ATM “shimmer” found in Mexico.

A shimmer is a type of skimmer that acts as a shim sitting between the chip on the card and the chip reader in the ATM, recording the data on the chip as it is read by the ATM.

Brian Krebs noted in a blog that the chip-reading component is inserted from outside the machine; no access is required to the ATM internals. In this case the device was found inside a Diebold Opteva 520 with dip reader (the kind of card reader that requires you to briefly insert your card and then quickly remove it).

This revelation shows that physical proximity and access to the card itself have once again become highly important to criminals, according to Ricardo Villadiego, founder and CEO of Easy Solutions.

“We are starting to see ‘card trappers’ emerge again, because the physical card itself has now become more valuable,” he said in a blog. “We are also seeing criminals using other more sophisticated techniques in their skimming and other scams.”

Some of these include new readers equipped with a GSM module that sends encrypted card data through mobile phone networks; miniature spy cameras installed above the ATM keyboards or somewhere in the lobby of the bank to obtain PIN codes; and cheap fake cashier numerical panels, which can be purchased for less than $120 on the black market. These panels automatically capture a PIN code, without any manual labor involved. They use the same type of metal and paint color as the original, making them extremely difficult to identify.

And it doesn’t stop there: Criminals are also now using SMS to get money from ATMs in bulk via malicious codes, while at restaurants, criminals are using electronic soldering tools to replace the card chip with a phone SIM card while the waiter is processing your payment.

“Both individuals, as well as those responsible for the overall fraud rates within financial organizations, [need to] understand that ‘chip’ transactions should not automatically be considered ‘safe’ or ‘approved,’” Villadiego noted. “Banks must evolve their fraud posture to take into account the fact that criminals are at work every day trying to develop their own innovation, to take advantage of new technologies as soon as they become available.”
