For financial scammers intent on getting their hands on your credit or bank card information, thin is in and miniature is du jour. In fact, the latest tech that fraudsters are using to steal your financial information at ATMs, gas pumps, and other self-service payment terminals is so slender and so tiny that it beggars belief. Talk about sneaky!
The new tech is an evolution of credit card skimming, where thieves install a small, hard-to-spot device on top of a legitimate card reader at a payment terminal. When an unsuspecting card owner slides their credit or debit card into a compromised machine, the skimmer reads and stores their card’s information.
To capture the card owner’s PIN number, skimmers are often paired with a hidden camera or fake PIN pad overlaying the real keyboard. Once the data is captured, thieves can later harvest it to sell or use themselves—for example, by cloning payment cards and using them to drain a victim’s account at other ATMs.
The trouble with magstripes
The Achilles heel of payment cards is the magnetic stripe that stores cardholder data in plain text. Magstripes are notoriously easy to hack; to find out how easy, just swipe your own credit card on a USB magstripe reader plugged into a computer with a word processing doc. And since newer chip-enabled cards (aka EMV cards) also have magstripes, they are not immune to this type of theft.
According to the European Association for Secure Transactions (EAST), an industry group of banks and ATM vendors, skimming cost European banks about $184 million (€167 million) in 2022, which accounts for the lion’s share of the $232 million the banks lost to criminal groups overall.
However, EMV chips have additional security components that make them less vulnerable to fraud. Chip-enabled cards support contactless payment, so they need not be inserted into payment slots at all. Furthermore, many newer ATM models now allow customers to tap their card, which foils skimmers and shimmers.
Shimmers: slimmer skimmers
Now, a new generation of wafer-thin skimming devices is showing up at payment terminals. Known as shimmers or “deep insert” skimming devices, they fit inside the mouth of a card acceptance slot where they are invisible to the eye. When the card holder slides their card into the slot, the shimmer reads the data from the card’s chip.
By contrast, regular skimmers steal account information by reading a card’s magnetic stripe (or “magstripe”). Sitting on top of magstripe readers, they typically protrude from the card acceptance slot where an observant individual might spot them.
How skinny are shimmers or “deep insert” skimming devices? Some are no more than integrated circuits printed on thin, metallic plates or plastic sheets that can be flexible or rigid and include a battery no thicker than a fingernail. One “deep insert” device recovered from an ATM in New York was about half the thickness of a U.S. dime (0.68mm or about 0.053 inches). If you’re having trouble visualizing that, it takes 19 dimes to make a 1-inch stack—the equivalent of nearly 40 shimmers!
Craftier cameras
Fraudsters are also turning up the creativity in how they conceal the cameras used to glean PIN numbers. Ingeniously disguised as part of the cash machine, micro cameras have been found in fake side panels that fit over the ATM’s real side panels with a view of the PIN pad. Other times, tiny cameras are embedded in false panels or in “consumer awareness mirrors” above the PIN pad of ATMs fitted with shimmers.
The rise of e-skimming
Perhaps not surprisingly, skimming and shimming have a digital cousin—e-skimming—which has grown in popularity with the rise of online shopping. E-skimmers are lines of malicious code that fraudsters inject into a website to steal data from HTML fields, including credit card data and other credentials.
Steps to protect yourself
Here are some tips to avoid becoming a victim of skimmers and shimmers.
- Before using an ATM, gas pump, or payment terminal, take a few seconds to inspect it for tell-tale signs that it may have been compromised, such as loose, damaged, or crooked components.
- Sign up for bank alerts and check your accounts regularly.
- Cover the PIN pad with your hand to prevent hidden cameras from recording the number.
- For online purchases, use a mobile wallet or Apple Pay or Google Pay. Consider using a virtual credit card—essentially dummy credit card numbers linked to your real credit card account so you don’t have to enter your actual credit card information.
- Invest in an identity theft protection service such as LifeLock Standard, which includes dark web monitoring, identity and social security number alerts, stolen wallet protection, and more.
The good news is, skimmers and shimmers are still relatively rare, so hopefully you’ll never come across one. But forewarned is forearmed. Just knowing that one might be lying in wait at a payment terminal near you will make your chances of falling victim to these slimmed-down devices slimmer still.
