Remember the days when skimming was the go-to method for scammers to gain your information when using ATMs or POS terminals at gas stations? You know, the ones where they attach false fronts to the terminals to gain information from your card’s magnetic strip? Well, major card issuers put a stop to that when they introduced EMV chips to ATM and credit cards.

Each EMV chip chard issued would have two sets of digital card validation codes as well as a secret dynamic code unique to the chip to verify the authenticity of each card transaction, rendering cloned cards useless. However, fraudsters have come up with a new method to obtain information from EMV chips – shimming.

Shimming Explained

Shimming is carried out when fraudsters secretly insert a paper-thin, card-sized scanner – called a ‘shim’ – containing an embedded microchip and flash storage into the “dip and wait” card slot itself to intercept data off your credit or debit card’s EMV chip.

The new method made its debut two years ago in Mexico and Arizona and has recently turned up in a suburb in Vancouver, British Columbia. However, the victim wasn’t the one who caught the trick, as explained by the Royal Canadian Mounted Police (RCMP).

“This retailer was doing daily checks to make sure everything was working properly on their four POS machines, and during one of those checks, they noticed that the test card they use wasn’t going in and out smoothly,” said RCMP Cpl. Michael McLaughlin. “So they took the machine apart and found this shimmer inside. It’s a really good illustration of how a basic, low-tech technique can defeat high-tech crime.”

What makes this new case interesting is how easy it was to insert the shim inside the terminal without being detected by store personnel. What’s more worrying is that scammers can collect the shim to harvest its bounty while avoiding detection as they appear to only be doing nothing more than paying at the terminal.

Cards are Still Secure

Even with the appearance of this new method of obtaining your card information, it would still be very difficult for the fraudsters to clone the card because of the EMV chips. Yes, they can create a new card with a magnetic strip clone, it still won’t have the ability to purchase anything from merchants and banks that strictly follow standard security protocols for card transactions. This is possible, however, for those establishments that do not comply.

“The EMV mechanism is such that you can authenticate that that card is real and that it hasn’t been tampered with. Taking the data from a shimmed card doesn’t get you that data,” Dieblod Nixdor senior director of global research and development Nick Billett explains. “If you look at the reports from Europe based on when EMV was introduced, going back 10 years now, their cure for redemption fraud in skimming is way, way down and dropped pretty much consistent with the EMV rollout. So hopefully we can get there very soon.”

With the majority of U.S. terminals upgrading to accommodate EMV technology, the terminals that can be fooled by shimmed cards are fast disappearing. And because the cards that have been shimmed only rely on the magnetic stripe, and not the chip, to commit fraud, scammers specifically target stores that have not upgraded to EMV chip technology, which are disappearing fast.

Staying Safe

Even with the slim chance of success for shimmed cards for success, cardholders should still be cautious to avoid having your card information stolen. Here are some ways to protect yourself from shimming, according to the Better Business Bureau.

  • Keep a close eye on your bank and credit accounts. Check your online statements regularly to make sure there are no suspicious charges. If you see any, report them to your bank or credit card company immediately. Use the customer service number on the back of the card to be sure you are reaching the real company and not and impostor. Make sure you contact the bank, merchant, and your card issuer if you ever suspect your card has been compromised.
  • Be wary if your card gets stuck in a chip reader. IF the reader seems to have a tighter than normal grip on your card, there could be a shim inside. You may want to cancel your transaction and notify the business.
  • Use contactless payment methods. Contactless payment methods are not vulnerable to shimming. Try using “tap-and-go” features on your credit card instead of swiping or inserting your card. You can also use contactless mobile services such as Apple Pay or Samsung Pay to tap and pay.
  • Go inside to a teller to withdraw cash at a bank.
  • Use ATMs in banks rather than more vulnerable standalones.
  • Cover the keypad with your hand when entering your PIN.
  • Don’t proceed with a transaction if your card encounters resistance when it is inserted.