
From Card Skimming to Card Shimming: Legacy remains at risk

Author: Valeria Vatolina

Card skimming is an attack that captures sensitive data from payment cards. This post covers current trends and developments in card skimming, the actions the industry is taking, and the challenges of adopting newer technology.

In December of 2002, CBS reported the existence of what at the time had been almost regarded as fiction: devices called skimmers that could “record the names, account numbers and other identifying information from the magnetic stripes to be downloaded onto a personal computer later.” Since the early 2000s, the methods of securing payment transactions have been evolving along with the industry standards, transitioning from magnetic stripes to EMV chips, and embracing the acceptance of mobile payments. As security measures tighten, attackers target legacy exploits or further develop new attack methods.

While card skimming appeared to be in decline for a while, recent data from FICO highlights a worrying rise in the US, with a staggering 77% increase in the first half of 2023 alone.

According to FICO, during 2022 alone:

  • 3,000 financial institutions fell victim to skimming attacks.
  • There was a dramatic 368% increase in compromised cards compared to 2021.
  • Each skimming attack impacted at least 185 cards.

The use of EMV chips has significantly reduced skimming risks in Europe and other parts of the world, as these chips are far more challenging to compromise than traditional magnetic stripes. EMV chip transactions are considered more secure because a cryptographic key in the chip computes a signature over each transaction, providing an additional layer of protection. Even if a skimming device captures information, the encrypted or tokenized data is rendered useless without the corresponding decryption keys. However, attackers respond by tampering with contactless payment screens to trigger “fallback mode”, so that the terminal assumes the card does not support chip-based transactions. This forces cardholders to pay through the magnetic stripe reader, which has been compromised by a skimming device. While the continued use of magstripes is useful for backwards compatibility, it keeps a vulnerable technology open for exploitation. Skimmers at gas stations in the US in particular have been making the news recently, and police are warning the public to pay close attention to payment terminals.

As EMV adoption rates pick up, another attack method called “shimming” has emerged, targeting poorly protected devices. The technique inserts a thin, card-sized device between the EMV chip and the chip reader. These devices relay commands to the EMV chip card, record the exchanged information, and store it in their flash memory. The data recorded by shimmers includes signed static data that reveals identifying details about the account, the account holder and the issuing bank, which is then used to create a fraudulent magnetic stripe copy. While this data lacks the magstripe’s CVV1 and the PIN, shimmer makers have exploited certain banks’ treatment of CVV1 as optional, allowing them to carry out magstripe transactions anyway with the stolen card details.

To secure transactions against shimming, EMV chip cards carry a component known as the Integrated Card Validation Code (ICVC), also called the Dynamic Card Verification Value. Thanks to ICVC, the magnetic stripe and the chip carry different card verification values, so copying chip data to a stripe is no longer effective. Far more secure still is generating the signature over non-static transaction data, which is already implemented in most European countries.
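The issuer-side check that makes this work, as an added example that is not part of the Riscure post: the stripe's CVV1 and the chip's ICVC are derived from the same card data but with different service-code inputs (the stripe's real service code versus the fixed value 999), so a stripe written from chip data presents the wrong code. The CVK, the HMAC-SHA256 stand-in for the 3DES-based derivation, the track-2 discretionary-data layout and all card numbers are constructed assumptions.

```python
import hmac
import hashlib

# Constructed issuer card verification key (CVK). A real issuer keeps a 3DES
# CVK inside an HSM; HMAC-SHA256 is an assumed stand-in so this runs offline
# with the standard library only. The property that matters is preserved:
# the service code is an input, so stripe and chip values differ.
CVK = bytes.fromhex("0123456789abcdeffedcba9876543210")

def verification_code(pan: str, expiry_yymm: str, service_code: str) -> str:
    """Derive a 3-digit verification code over PAN, expiry and service code."""
    msg = (pan + expiry_yymm + service_code).encode()
    digest = hmac.new(CVK, msg, hashlib.sha256).hexdigest()
    return "".join(c for c in digest if c.isdigit())[:3].zfill(3)

def issuer_codes(pan: str, expiry_yymm: str, stripe_service_code: str) -> dict:
    """CVV1 is derived over the stripe's real service code; the chip's ICVC
    (iCVV) is derived over the fixed service code 999 instead."""
    return {
        "cvv1": verification_code(pan, expiry_yymm, stripe_service_code),
        "icvc": verification_code(pan, expiry_yymm, "999"),
    }

def parse_track2(track2: str) -> dict:
    """Split track-2 data: PAN '=' YYMM service-code discretionary-data.
    Discretionary layout is issuer specific; the constructed layout used
    here is PVKI(1) PVV(4) CVV(3)."""
    pan, rest = track2.split("=")
    return {"pan": pan, "expiry": rest[:4], "service_code": rest[4:7],
            "cvv": rest[12:15]}

def make_track2(pan: str, expiry_yymm: str, service_code: str, cvv: str) -> str:
    """Build constructed track-2 data with PVKI 1 and a dummy PVV of 0000."""
    return f"{pan}={expiry_yymm}{service_code}1" + "0000" + cvv

def classify_magstripe_auth(track2: str) -> str:
    """Issuer-side decision for a magstripe (fallback) authorization.
    A stripe written from chip data relayed through a shimmer carries the
    chip's ICVC, so it matches the 999-derived value and not CVV1."""
    t2 = parse_track2(track2)
    codes = issuer_codes(t2["pan"], t2["expiry"], t2["service_code"])
    if t2["cvv"] == codes["cvv1"]:
        return "approve"
    if t2["cvv"] == codes["icvc"]:
        return "decline: chip data written to a magstripe"
    return "decline: CVV mismatch"
```

Banks that treat the CVV1 as optional, as the text notes, skip exactly this comparison, which is what lets shimmer-derived clones through.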

During any transaction, the card and terminal agree on the highest-priority verification method supported by both. Shimmers have been seen downgrading cardholder verification methods by manipulating the communication between card and terminal, shifting it to offline plaintext PIN verification in order to learn the PIN. To counter this, card issuers may decide to reject transactions when a terminal does not support encrypted PIN verification, trading accessibility for security.
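A simplified model of the negotiation and the issuer policy described above, added here as an example and not taken from the Riscure post: the terminal walks the card's ordered CVM list and takes the first method it supports, and the issuer declines an authorization whose CVM Results report a plaintext offline PIN. The CVM codes are the EMV values; the card's CVM list, the two terminal capability sets and the issuer rule are constructed assumptions (condition codes are taken as "always").

```python
# EMV CVM codes (low six bits of the CVM rule byte) used in this model.
PLAINTEXT_PIN_ICC = 0x01
ENCIPHERED_PIN_ONLINE = 0x02
ENCIPHERED_PIN_ICC = 0x04
SIGNATURE = 0x1E
NO_CVM = 0x1F
APPLY_NEXT_IF_FAILED = 0x40  # rule bit: fall through to the next rule on failure

# Constructed card CVM list, in the card's priority order: offline enciphered
# PIN first, then plaintext PIN, then signature as last resort.
CARD_CVM_LIST = [ENCIPHERED_PIN_ICC | APPLY_NEXT_IF_FAILED,
                 PLAINTEXT_PIN_ICC | APPLY_NEXT_IF_FAILED,
                 SIGNATURE]

def select_cvm(cvm_list, terminal_capabilities):
    """Simplified EMV CVM processing: take the card's rules in order and
    return the first method the terminal supports. An unsupported method
    counts as failed, so the next rule is tried only if the rule allows it.
    Condition codes are assumed to be 'always' for brevity."""
    for rule in cvm_list:
        method = rule & 0x3F
        if method in terminal_capabilities:
            return method
        if not rule & APPLY_NEXT_IF_FAILED:
            break
    return None  # CVM processing failed

def issuer_decision(cvm_performed, require_enciphered_pin=True):
    """Issuer authorization rule from the text: decline when the PIN was
    verified in plaintext, i.e. the terminal the card saw did not support
    enciphered PIN. cvm_performed is the method the issuer receives in the
    CVM Results of the authorization request."""
    if cvm_performed is None:
        return "decline: cardholder verification failed"
    if require_enciphered_pin and cvm_performed == PLAINTEXT_PIN_ICC:
        return "decline: plaintext offline PIN not accepted by issuer"
    return "approve"

# Capabilities as the card sees them in a genuine session versus a session
# where the enciphered-PIN capability is no longer offered (the downgrade the
# text describes); both sets are constructed for this example.
GENUINE_TERMINAL = {ENCIPHERED_PIN_ICC, PLAINTEXT_PIN_ICC, SIGNATURE}
DOWNGRADED_TERMINAL = {PLAINTEXT_PIN_ICC, SIGNATURE}

def run(terminal_capabilities):
    """Select the CVM, then apply the issuer's policy to the outcome."""
    cvm = select_cvm(CARD_CVM_LIST, terminal_capabilities)
    return cvm, issuer_decision(cvm)
```

Setting `require_enciphered_pin=False` shows the accessibility side of the tradeoff: the downgraded session is then approved and the plaintext PIN exchange goes unchallenged.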

Riscure is an accredited EMVCo laboratory that has worked with vendors for more than 20 years to safeguard the payments industry and roll out secure technologies worldwide. As EMV adoption continues to rise, Riscure focuses on comprehensive chip security evaluations to ensure that the keys in the chip cannot be extracted even with the most sophisticated methods. Our security testing solution Inspector, globally considered the gold standard in side channel analysis and fault injection testing, was originally developed with a smart card focus.

Gas stations are far from the only target for skimming or shimming. Legacy devices are also found in public terminals such as ticket vending machines and self-checkout counters, and many other payment devices remain potential targets if they aren’t regularly inspected for tampering. Targeting a poorly protected legacy device is the path of least resistance and a common attack route for cybercriminals in any industry. Entities lacking the resources to upgrade to newer payment technologies are the ones falling victim to card skimming.

Skimming is an example of a rather outdated and vulnerable technology being attacked. An important twist in this story is that a much more robust technology, the chip card, has been available in the industry for more than two decades. It is hard to discontinue legacy methods, especially when consumers are involved. The only way to address this challenge is to identify, evaluate and adopt new, innovative security methods at a faster rate, so that the skimmers of tomorrow face technology that is much more difficult to break.
