DIEBOLD ADDRESSES SHIMMER ATM THREAT
ATM manufacturer Diebold has spoken out to CU Times after fraud experts reportedly discovered a skimming device on one of its ATMs that may be able to hack EMV cards.
The device, called a “shimmer,” is apparently inserted into the mouth of the ATM’s card acceptance slot and sits between the card’s chip and the ATM’s chip reader. Fraud experts in Mexico discovered one on a Diebold Opteva 520 with a chip reader, according to the report, which was published last week on KrebsOnSecurity.com.
The chips on many EMV cards contain a security component called an integrated circuit card verification value that protects against copying magnetic stripe data from the chip. However, thieves may have devised a workaround.
“Banks can run a simple check to see if any card inserted into an ATM is a counterfeit magnetic stripe card that is encoded with data stolen from a chip card,” KrebsOnSecurity.com reported. “But there may be some instances in which banks are doing this checking incorrectly or not at all during some periods, and experts say the thieves have figured out which ATMs will accept magnetic stripe cards that are cloned from chip cards.”
That kind of fraud is called cross contamination, according to Diebold Senior Director of Software and Core Security Nick Billett, who told CU Times through a spokesperson that his company is aware of the attack and is investigating.
“We have a fundamental understanding of the shimmer technology and have already received response from PCI regarding the mitigation technology available to help prevent cross-channel redemption fraud,” Billett said.
The EMV-based track data stored on the EMV chip does not include the card validation code stored on the magnetic stripe, Billett noted.
Shimmers could be a sign that cards will still be vulnerable in a post-EMV world because most card issuers are deploying cards with both EMV chips and magnetic stripes so customers can use both types of readers.
The challenge now is waiting for magnetic stripe readers to disappear.
“Until then, magnetic stripe-based skimming and redemption fraud will continue to some extent,” Billett said.
Billett said ATM operators should inspect card readers regularly to ensure nothing foreign is inside them, and acquirers should ensure that ATM transaction hosts are checking CVCs.
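The host-side check that Billett and the quoted report describe can be sketched as follows. This is an added example, not code from Diebold, PCI or any issuer: `card_value` is an HMAC stand-in for the issuer's real verification-value algorithm, and the key, card numbers, expiry and reason strings are constructed for illustration.

```python
import hashlib
import hmac

DEMO_KEY = b"constructed-demo-key"  # constructed; real issuer keys live in an HSM


def card_value(pan, expiry, variant):
    """Stand-in (assumption) for the issuer's verification-value algorithm.

    variant is "stripe" for the magnetic stripe CVC or "chip" for the value
    carried in the chip's track data, so the two differ for the same card.
    """
    msg = f"{pan}|{expiry}|{variant}".encode()
    mac = hmac.new(DEMO_KEY, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1000:03d}"


def authorize(pan, expiry, entry_mode, presented, cvc_check_enabled=True):
    """Return (approved, reason) for the verification value in one request."""
    stripe_cvc = card_value(pan, expiry, "stripe")
    chip_value = card_value(pan, expiry, "chip")
    if entry_mode == "chip":
        ok = hmac.compare_digest(presented, chip_value)
        return ok, "chip_value_ok" if ok else "chip_value_mismatch"
    if entry_mode != "magstripe":
        return False, "unknown_entry_mode"
    if not cvc_check_enabled:
        # The gap described in the article: host accepts any stripe data.
        return True, "cvc_not_checked"
    if hmac.compare_digest(presented, stripe_cvc):
        return True, "cvc_ok"
    if hmac.compare_digest(presented, chip_value):
        # Stripe carries the chip's value: track data was copied from a chip.
        return False, "chip_data_on_magstripe"
    return False, "cvc_mismatch"


if __name__ == "__main__":
    pan, expiry = "4000000000000002", "2812"  # constructed test card
    from_chip = card_value(pan, expiry, "chip")
    print(authorize(pan, expiry, "magstripe", from_chip))
    print(authorize(pan, expiry, "magstripe", from_chip, cvc_check_enabled=False))
```

A distinct decline reason for chip-sourced data on a magnetic stripe gives fraud teams a signal to trace back to the terminal where the card was last used with its chip.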