
'Shimmers' are the newest tool for stealing credit card info - petethomas
http://www.cbc.ca/beta/news/canada/british-columbia/shimmers-criminal-chip-card-reader-fraud-1.3953438
======
caconym_
I'm having a surprising amount of trouble finding this information online:
does the "chip" include some functionality (maybe called iCVV or dCVV) that
allows it to individually "sign" transactions using internal secret keys, or
does it not? This was my understanding of why the new system was supposed to
be safer.

If the answer is yes, secret keys that never leave the chip are used to sign
each transaction and the signature is verified by the bank, I'm not sure how
these "shimmers" would be useful, since the secret key would presumably not be
compromised and so the shimmer may obtain some data identifying the card and
transaction but not the ability to sign new transactions. If the answer is no,
none of this is happening, then I'm not sure what the point of the switch was
in the first place.

Maybe the answer is something in between? Banks suck, so they've implemented
chip cards in a half-assed way with gaping security holes?

~~~
bramblerose
This sounds like the attack presented at DEFCON 19 (in 2011!):
[https://www.defcon.org/images/defcon-19/dc-19-presentations/...](https://www.defcon.org/images/defcon-19/dc-19-presentations/Barisani-Bianco-Laurie-Franken/DEFCON-19-Barisani-Bianco-Laurie-Franken.pdf).
Basically, the chip used to contain all the information present on the
magstripe, which made it easy to create a copy of the _magstripe_ via the chip
interface.

~~~
PeterisP
From the issuer side, the solution to remove this risk is simple (and I
believe I was told it in an EMV implementation seminar 10 years ago):

If the incoming transaction lists that the terminal is chip&pin capable,
you'd simply automatically reject a magstripe transaction with a code that
should result in POS showing "please insert card in the chip reader";

If the incoming transaction lists that the terminal is not chip&pin capable,
the merchant has chosen to be liable for all fraud cases themselves, so it
can't cause a loss for you and your customers. It _is_ an inconvenience, but
as all the fraud in the country concentrates on the (fewer and fewer)
merchants accepting these transactions, it causes an increasing financial
pressure on them to switch.

~~~
chrsstrm
If you try to swipe a chip card then yes, the terminal will reject the swipe
and tell you to insert the chip. If your chip fails three successive tries,
the terminal will accept a mag swipe instead. I don't know if this is true
everywhere but I have seen it in multiple retailers across the US. Point is,
if attackers are cloning mag cards from chip data, those cards can still be
used in chip terminals.

~~~
redbluff
That can be true, but then the transaction is considered "fallback" and most
issuer Banks that have any brains will be examining these very closely with
their real time fraud systems. Some deny fallback outright, but I am not sure
if this is within scheme rules, it may depend on the region.

~~~
cpncrunch
From what I can determine, the retailer is liable for fraud when using
magnetic strip, whether or not the chip has failed:

[http://www.emvcanada.com/forum/what-happens-when.html](http://www.emvcanada.com/forum/what-happens-when.html)

------
blakesterz
Krebs has a post on this as well:

[https://krebsonsecurity.com/2017/01/atm-shimmers-target-chip...](https://krebsonsecurity.com/2017/01/atm-shimmers-target-chip-based-cards/)

“The only way for this attack to be successful is if a [bank card] issuer
neglects to check the CVV when authorizing a transaction,”
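
Added example, not part of any comment in this thread: a Python sketch of the issuer-side checks discussed above (refusing stripe reads at chip-capable terminals, screening fallback, and the CVV check in the Krebs quote). Field names, reason codes, the sample card and the key are constructed, and an HMAC stands in for the issuer's DES-based CVV computation; the service code 999 input for the chip's iCVV follows the usual card-scheme convention.

```python
import hashlib
import hmac

CVK = b"constructed-demo-key"  # constructed; real card verification keys live in an HSM
CARD = {"pan": "4000000000000002", "expiry": "2912", "service_code": "201"}  # constructed

def card_value(pan, expiry, service_code):
    """Stand-in for the issuer's DES-based CVV function (HMAC used here for brevity)."""
    msg = f"{pan}|{expiry}|{service_code}".encode()
    digest = hmac.new(CVK, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1000:03d}"

def authorize(txn):
    """Return (decision, reason) for one authorization request (hypothetical fields)."""
    cvv1 = card_value(txn["pan"], txn["expiry"], txn["service_code"])  # on the stripe
    icvv = card_value(txn["pan"], txn["expiry"], "999")                # in the chip
    mode = txn["entry_mode"]  # "chip", "magstripe" or "fallback"

    if mode == "chip":
        ok = hmac.compare_digest(txn["cvv"], icvv)
        return ("approve", "chip") if ok else ("decline", "bad_cvv")

    # Stripe-read paths must carry CVV1. The chip's value on a stripe means
    # the track was built from data read over the chip interface.
    if hmac.compare_digest(txn["cvv"], icvv):
        return ("decline", "chip_data_on_stripe")
    if not hmac.compare_digest(txn["cvv"], cvv1):
        return ("decline", "bad_cvv")
    if mode == "fallback":
        return ("review", "fallback_to_fraud_screening")
    # Service codes starting with 2 or 6 mark a chip card.
    if txn["terminal_chip_capable"] and txn["service_code"][0] in "26":
        return ("decline", "insert_chip")
    return ("approve", "magstripe_merchant_liable")

def sample(entry_mode, terminal_chip_capable, cvv_service_code):
    """Build a constructed request whose CVV was derived with the given service code."""
    cvv = card_value(CARD["pan"], CARD["expiry"], cvv_service_code)
    return {**CARD, "entry_mode": entry_mode,
            "terminal_chip_capable": terminal_chip_capable, "cvv": cvv}
```
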

~~~
Pfhreak
I have not had the largest confidence in banks' abilities to understand
security. I've personally dealt with:

1) 'Two factor auth _is_ on, you have to answer two security questions to
access your account!'
2) 'Your password is limited to exactly 8 characters ... for security'
3) 'Oh, we now support SMS two factor auth' -- 4 months in, I've received 1
SMS challenge
4) 'You don't want a chip card, they are more hassle'
5) 'We allow systems like Mint to access your account when you have 2 factor
auth on. No, you cannot opt out.'

Yeah, don't have the highest confidence that my bank(s) actually understand
how to keep things safe.

~~~
gozur88
Ugh! This is my pet peeve. My brokerage house will reset your password (which
is fine) and convert your account back to single factor authentication (which
is... WTF?!) if you answer the security questions over the phone. What was the
point of getting that stupid fob when any idiot can bypass it if he knows my
mother's maiden name?

------
uladzislau
This happened to me recently when my card data was stolen in a very
respectable place where I've been a long time patron. It was a totally
unpleasant surprise. Right the next day the fraudulent transactions on my card
started to pop up all over the world - Beijing, North Carolina, etc. My bank
promptly blocked the card - but I had to deal with the pain of calling in,
going over my transactions list, verifying my identity and then waiting 2
weeks for a new card in the mail.

~~~
marcoperaza
Future tip: If you really need the card (or even if you don't), you can
usually get the replacement card overnighted to you if you're insistent on the
phone, at least in my experience.

------
djrogers
Lots of comments here about magstripes and the failure of the US banks to get
rid of them. Funny thing about that is this is a Canadian article about this
happening in Canada, and shimmers actually steal data off chips - not
magstripes.

Why would they do this? The assumption is that the thieves plan to use the
chip data to create fake magstripe card or make online purchases somewhere
that the CVV is not checked. Not checking the CVV _is_ a complete failure, and
apparently for once it's not a US failure (unless the thieves are targeting
tourists??).

~~~
msbarnett
The article is light on specifics, but my Canadian chip card will normally
reject stripe transactions in Canada (or it did the last time I saw a stripe
machine, several years ago), but happily perform them when I cross into the
US.

So one possibility is that they're stealing magstripe data off the chips for
cloning and use in the US banking system.

------
draw_down
> "Businesses really need to be checking for these kinds of devices and
> consumers need to be aware of them."

Disagree. Consumers and businesses (ultimately) pay the interchange fees, and
this class of problem is the domain of payment infrastructure providers. I'm
not interested in keeping vigilant against the latest exploit, and unless the
responsibility for dealing with the problem lies with credit card networks and
processing gateways they'll have no reason to stop rolling out crappy easily-
owned payment tech.

~~~
shawn-butler
What is a good way for a consumer to validate the physical integrity of a box
in an essentially unsecured environment?

------
ChuckMcM
So at some level there is an issue with the "inside" aspect of card readers.
If you had four guide posts and you just pressed your card against the pogo
pins would it make it harder to interpose?

~~~
ZenoArrow
Agreed, this type of device could be easy to detect with some simple upgrades
to the card readers. However, the cost of upgrading card reader hardware at
all vulnerable banks and retailers is unlikely to be small.

~~~
code_duck
Many businesses in the USA have recently upgraded or will be soon... It would
be a shame if they installed new terminals that were flawed from the start.

------
necula
Can we not make certain parts of the ATM from a transparent material, like
clear plastic? I'm thinking it would be more obvious when the keypad or card
slot have been tampered with.

~~~
Cyph0n
Would the majority of people actually notice though?

~~~
hartz
Probably not normal people using cards, but it wouldn't be hard to train
cashiers/managers what to look for. However, this would probably just lead to
shimmers made out of clear plastic

------
johndbeatty
Note this is in Canada -- unfortunately there's still a lot of Offline
Plaintext PIN cards there. See CreditCall's blog on the subject:
[https://www.level2kernel.com/blog/2012/02/sda-and-plaintext-...](https://www.level2kernel.com/blog/2012/02/sda-and-plaintext-offline-pin-to-go/)

~~~
redbluff
Thanks for this - I was wondering how they got the PIN considering plain text
offline PIN has been deprecated for years. My understanding is that the
liability shift is in effect for plaintext PINs, but maybe not in the
NA/Canada region.

------
gambiting
I haven't actually physically inserted my card into a machine for at least 2
years now. It's contactless everywhere. If the transaction is more than ~$50
it just asks for my pin and that's it. Maybe we should just introduce this
everywhere and then see how criminals can possibly break it?

~~~
ZenoArrow
Contactless is even less secure than chip and pin. You can literally read card
details out of someone's wallet without them having any way to tell. Even if
someone uses a wallet that guards against this sort of attack, they're still
vulnerable at the point of use.

[http://youtu.be/x3S_6EJCjn0](http://youtu.be/x3S_6EJCjn0)

[http://youtu.be/vmajlKJlT3U](http://youtu.be/vmajlKJlT3U)

~~~
gambiting
That's RFID. Yeah, you can read that with a $5 reader off ebay.

I'm talking about Visa PayWave/Mastercard PayPass - both work through NFC and
won't surrender any data to a normal reader, you need an authorized terminal
that can give an authorization key valid for a given time. There were some
attacks against it, but you can't just swipe a card through a wallet, it's
extremely time sensitive and requires access to a valid terminal.

------
alistproducer2
I would argue that numbers skimmed from retail stores are the store's
responsibility. Even in a large store there aren't that many POSs. They
should have a procedure for checking the POS before close or on open.

------
ourmandave
_Unlike skimmers, a shimmer — named for its slim profile — fits inside a card
reader..._

So shouldn't it be called a sLimmer?

~~~
ry_ry
Slimming sheds pounds, this accumulates them.

~~~
ioioiosdrt99
When can we expect NLP to "get" this?

------
eeZah7Ux
That sneaky comment about using NFC instead.

------
rehevkor5
Why on earth is the PIN located ON THE CARD?

~~~
xaduha
It's not.

~~~
rehevkor5
Then is the article inaccurate when it says, "Once installed, the microchips
on the shimmer record information from chip cards, including the PIN."?

~~~
xaduha
I don't know the details, but there are probably many possible ways to get the
PIN, since it's getting entered right then and there. Smartcard is a small
computer, but the connection to it from terminal is probably not that secure
and can be read somehow, side-channels or directly.

The card decides if the PIN is correct, but it might be possible to record all
the PINs that were tried.

