What is Shimming? How Criminals Steal Your Credit Card Info

Credit card skimming was a common attack used to steal card info at gas pumps, ATMs, and other devices by adding a device over top of a card reader. Chip cards were created to protect against these issues, and they did for years, but attackers are creative, and they've created a new method for stealing card info known as a shimming attack.

Have you ever wondered what is shimming? It's a specialized credit card attack that steals data from a card chip from inside the chip reader itself. That's right; this modern attack doesn't rely on a dummy reader; it can be installed in a standard chip slot with good results. A credit card shim is a tiny circuit board and card reader that slides into a card slot and adheres to the ceiling out of the way of the card. When you insert your card, the tiny device captures your data and makes fraudulent purchases possible.

How Do Criminals Use Shimming to Steal Credit Card Information?

Identity theft has been an issue since the creation of the internet, but recent technological advancementsgive criminals more ways than ever to steal information from consumers. Shimming is the latest attack making credit cards with chips fraud possible. The moment you insert your card into a gas pump or ATM with a shim installed, your card's chip data is captured, and the attacker can make a clone card with a functional magnetic strip.

Criminals can't copy card chips, but they can create a magnetic stripe that will work anywhere that strips are still usable. Once the cloned card is finished, the attackers can begin making credit purchases with your card. Common places where magnetic card strips are still usable are gas pumps, ATMs, and some major department stores.

Your card details can also be used to make purchases online with ease, and many card companies won't stop transactions at major online retailers. Clever attackers will purchase gift cards and exchange them for cash without leaving a paper trail to worry about.

Some attackers even use hidden cameras, dummy number pads, or a number pad overlay to capture the PIN as you input it when completing your purchase. Once they have a PIN and your card info, they can make withdrawals at the nearest ATM and convert your balance into cash.

What are the Signs That a Chip Card Reader Has Been Compromised?

Out of all the different credit card scamming methods, shimming is the most difficult to detect. The most obvious way to tell if a card reader has a shim is to feel resistance when inserting your card. If it's difficult to insert your card, move to a different reader and report the issue to the owner of the reader if at all possible.

Other than difficulty inserting your card, you may notice a person standing around trying to watch you type in your PIN, or you may notice a small camera installed near the number pad in an effort to capture your PIN combination as you're typing it in. If something seems odd to you when you're making a purchase using your card, don't finalize your purchase and instead go elsewhere to use your card. You will be amazed at how effectively you can notice even subtle changes to a card reader if you purchase there regularly. Trust your intuition and if you think there may be a problem, protect yourself and move on.

There aren't many other signs of a card shim, though, which makes it difficult to detect. Many times you won't know your card was duplicated until you have fraudulent purchases on your card account. That's why it's so important to monitor your financial accounts closely so you can determine when things aren't right.

What to Do After a Shimming Attack?

The first thing you should do after a shimming credit card attack is reach out to your card company. If your company didn't inform you of the fraudulent attack, you should call your card company's fraud department as soon as you notice something strange. Often there is a number on the back of your card for you to dial for help. If you don't call your card company within 60 days of a fraudulent purchase, you'll struggle to get any help from the company. That's why you should call to report the issue as soon as you notice it.

Next, contact any merchants that allow fraudulent purchases from your credit or debit card. Inform these companies of the attack and provide the date and amount of the purchase on file with the merchant so they know which amount will be disputed in the future by your card company.

If you are very worried about an identity theft attack, you could invest in identity protection and monitoring services as well. These specialty services give you updates about any changes to your credit at the major bureaus, so you know when new accounts are being opened in your name. You can also get financial alerts from many major institutions, alerting you to fraudulent purchases almost as fast as the attackers can make them.

How to Protect Yourself From Shimming?

The number one way to prevent a shimming attack from ever being an issue is by using the tap-to-pay feature whenever it's possible; by tapping to pay, you never insert your card into the slot where a possible shim could be installed. You could also use Apple Pay or Google Pay with your registered card if your card doesn't support tap-to-pay by default.

It's also a good idea to choose where you make purchases carefully. When buying at a gas station, use the pumps that are most visible to the station employees. When choosing the ATM you use, try and pick a public location that's used regularly. By choosing popular and highly visible payment processor locations, you reduce the chances that a card shim has been installed.

Other than changing how you pay for things, you should watch your credit card and bank statements closely. Try to set up alerts for purchases so you always get updates when money is spent on your account. When you know what's happening with your finances, you are much less likely to be the victim of a credit card attack.

By staying up to date on the latest cyber threats and fraud tactics, you can protect yourself from being taken advantage of. Credit card shimming is just one of many attacks you should be aware of today. See these crime posts for the latest criminal tactics, data breaches, and other issues to protect yourself more effectively.