ATM Shimmers Supplanting Skimmers
By Isaac Palmer
Automated tellers—literal money machines—cannot help but be a target for crime. Most are filled with money and run on software that contains exploitable security vulnerabilities or hardware that can be tampered with by hackers. Or bad guys can try to outright steal or blow them up.
Putting aside physically destructive attacks for the moment, when hackers are involved, the more likely results are an exploit that jackpots the ATM, or the insertion of a device that will siphon a bank customer’s payment data from the card’s magnetic stripe and initiate a potentially devastating type of fraud that’s challenging to counter.
For quite a while, ATM skimmers were the prevalent option for thieves who chose to physically tamper with ATMs. Some of these devices are nearly indistinguishable from the legitimate card readers installed on the machine. Skimmers fit over an existing card reader and are tough to spot, especially for a consumer. The stolen card numbers could then be used to clone a magnetic stripe card.
But with the widespread adoption of the Europay Mastercard Visa (EMV) payment standard, in which payment data is stored on a chip card’s integrated circuit, targeting the data housed on the magnetic stripe is no longer as simple as it used to be. Attackers now must focus on capturing data from the chip.
The most effective countermeasure is a Card Protection Plate (CPP), a security mechanism that, depending on its design, is difficult to bypass. CPPs are designed to prevent foreign objects from being inserted into an ATM card reader, and it is highly unlikely that an attacker would be able to open the device and remove the CPP.
Instead, attackers are increasingly using what is called a shimmer to grab chip data as the ATM reads it. Shimmers are thin devices—much smaller than skimmers—that include some flash storage and a microchip; they are positioned between the chip and the chip reader inside an ATM or another device such as a point-of-sale terminal. The shimmer stores the copied payment card data, which can then be written onto the magnetic stripe of a fraudulent card.
Move Over Skimmers
Chip cards in theory cannot be cloned because they carry an additional security value, the integrated circuit card verification value (iCVV), which differs from the more familiar CVV stored on the magnetic stripe. The iCVV protects against copying the stripe-equivalent data from the chip and using it to create a counterfeit magnetic stripe card.
Shimmers have been slowly nudging skimmers aside as the number of EMV implementations increases nationwide. An October 2017 deadline shifted liability from the card issuer to the bank/merchant for any ATM fraud that occurred where a chip card was used but the device supported only magnetic swipes. A similar deadline in 2015 shifted liability from issuers to merchants for in-store fraud. There have been a handful of publicly reported incidents and arrests involving fraud and the use of a shimmer, including the April 2018 arrests of five individuals in California, and other known attacks dating back to 2015.
Bypassing CPPs is difficult, even with a shimmer, but possible depending on whether the bank is properly verifying transactions, specifically the iCVV. Authentication of the iCVV is done in real time to authorize transactions: data from the chip card and the terminal is input into an algorithm that creates a unique cryptogram for each transaction.
A known security issue exists with Static Data Authentication (SDA) EMV cards, which use a single, static digital signature for every transaction and often verify the card’s PIN in clear text. This combination exposes cards both to having their information skimmed and rewritten onto fraudulent cards using EMV software and to replay attacks, which involve spoofing EMV transaction requests.
Though SDA EMV chips are to be phased out, Flashpoint analysts assess with moderate confidence that any such chips remaining in circulation may still be desirable to cybercriminals. Flashpoint analysts have observed actors across a number of underground communities discussing writing SDA information to a card’s magnetic stripe as well as to a chip, thus bypassing protections.
Improper iCVV Verification Enabling Attacks
Furthermore, an attack that uses a shim inserted into the ATM card reader depends on the bank not properly verifying the transactions made with the cards.
The attack targets the mishandling of the iCVV and takes advantage of banks that have not properly implemented the EMV chip card standard. There are different kinds of EMV processing methods that use SDA, Dynamic Data Authentication (DDA), and Combined Data Authentication (CDA), as well as offline and online processing verification.
Depending on the combination of factors associated with the ATM technology, attackers may be more successful in targeting less secure configurations like SDA with offline verification. SDA chips are often more susceptible to attacks, though SDA should be getting phased out and replaced by DDA and CDA.
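To illustrate the issuer-side check the text describes (the real-time iCVV authentication above, and the improper verification that a shimming attack depends on), here is an added example that is not part of Flashpoint’s post or any real issuer’s code. It assumes a constructed issuer key with a keyed hash standing in for the DES-based CVV algorithm, an assumed track-2 layout with the verification value in the first three discretionary digits, and the iCVV convention of substituting service code 999 in the derivation; it contrasts a lax authorizer that accepts either value with a strict one that ties the expected value to the entry mode and flags chip data turning up on a swipe.

```python
import hmac
import hashlib

# Constructed demo key; real issuers derive CVV/iCVV with DES under a CVK pair in an HSM.
ISSUER_KEY = b"constructed-demo-cvk"

def derive_cvv(pan: str, expiry_yymm: str, service_code: str) -> str:
    """Three-digit verification value over PAN, expiry and service code (keyed-hash stand-in)."""
    digest = hmac.new(ISSUER_KEY, f"{pan}{expiry_yymm}{service_code}".encode(), hashlib.sha256).hexdigest()
    return "".join(c for c in digest if c.isdigit())[:3]

def derive_icvv(pan: str, expiry_yymm: str) -> str:
    """iCVV: same derivation with service code 999 substituted, so the chip carries a different value."""
    return derive_cvv(pan, expiry_yymm, "999")

def parse_track2(track2: str) -> dict:
    """Assumed layout: PAN '=' YYMM, 3-digit service code, then discretionary data
    whose first 3 digits hold the verification value (real positions vary by issuer)."""
    pan, rest = track2.split("=")
    return {"pan": pan, "expiry": rest[:4], "service": rest[4:7], "cvv_field": rest[7:10]}

def authorize_lax(track2: str, entry_mode: str) -> tuple:
    """Misconfigured issuer: accepts whichever of CVV or iCVV matches; entry_mode is ignored."""
    t = parse_track2(track2)
    valid = {derive_cvv(t["pan"], t["expiry"], t["service"]), derive_icvv(t["pan"], t["expiry"])}
    return ("approve", "matched cvv or icvv") if t["cvv_field"] in valid else ("decline", "mismatch")

def authorize_strict(track2: str, entry_mode: str) -> tuple:
    """Correct issuer: the expected value depends on how the card was read."""
    t = parse_track2(track2)
    cvv = derive_cvv(t["pan"], t["expiry"], t["service"])
    icvv = derive_icvv(t["pan"], t["expiry"])
    if t["cvv_field"] == (icvv if entry_mode == "chip" else cvv):
        return ("approve", "verification value matches entry mode")
    if entry_mode == "magstripe" and t["cvv_field"] == icvv:
        # Chip-only value arriving on a swipe: the stripe was written from captured chip data.
        return ("decline", "icvv on magstripe: probable clone, flag card for reissue")
    return ("decline", "mismatch")

def build_track2(pan: str, expiry: str, service: str, value: str) -> str:
    return f"{pan}={expiry}{service}{value}000000"

# Constructed sample card: a genuine stripe, the chip's track-2-equivalent data,
# and a counterfeit stripe written from shimmed chip data.
PAN, EXP, SVC = "4111111111111111", "2712", "201"
GENUINE_STRIPE = build_track2(PAN, EXP, SVC, derive_cvv(PAN, EXP, SVC))
CHIP_TRACK2_EQUIV = build_track2(PAN, EXP, SVC, derive_icvv(PAN, EXP))
CLONED_STRIPE = CHIP_TRACK2_EQUIV
```

The lax authorizer approves the cloned stripe because the iCVV is a valid value for the account, while the strict authorizer declines it and produces a signal worth alerting on.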
There is growing interest in custom-built shimmers advertised in online illicit communities. Some vendors also sell tools to detect CPPs and produce videos describing their shimmer placement and removal tools.
CPPs are currently the best mitigation for ATM shimming attacks, according to Flashpoint analysts; device software and hardware should also be regularly updated. Attackers commonly target older models with outdated security features. If a CPP is used, it should be installed with an optional tamper switch. This will help mitigate any attacks that might move or put added pressure on the CPP. If an alarm is triggered, the ATM can send alerts in various ways.
ATMs should conduct proper EMV/CVV checks on transactions. Online verification is preferred over offline verification of EMV data. If card readers do not have the optional tamper switch but have a CPP currently installed, ATM security companies like TMD offer an upgrade to implement the tamper switch functionality, which is recommended.
ATMs should be placed in areas that are well lit and monitored frequently (such as in 24-hour convenience stores or under a CCTV system). Analysts will continue to monitor and report on ATM shimming and CPP bypasses as developments occur.
Isaac Palmer is a Senior Analyst II on Flashpoint’s Hunt Team who has more than 20 years of experience in computer security. He has advised multiple U.S. government agencies in various capacities and has been featured in major online media outlets around the world including Infosecurity Magazine, SC Magazine, and SecurityWeek, among many others. Isaac was a noted contributor to the DGA Archive project presented in Paris, France during BotConf2015.