card shimming

What is Card “Shimming”?

Most of us are at least somewhat familiar with card skimming. It’s an old trick, by which scammers use a device to steal data off of magnetic stripe cards. Well, there’s a new threat out there to know about called card “shimming.”

Naturally, lawmakers and financial institutions are alarmed, and with good reason. Banks and financial institutions mandated EMV chip cards because they are more secure than magstripe cards and twice as hard to counterfeit. However, with a 700% leap in US card skimming cases in 2022, it seems credit and debit card scammers are back in business. 

So, what is card shimming? How can you protect yourself from this growing threat?

What is Card Shimming?

Card shimming is the act of illegally capturing data stored in the microchips of EMV-compliant debit and credit cards. This is done using a device called a shimmer, which is able to capture encoded data from EMV chips.

Rather than sit on top of magstripe readers like a skimmer, shimmers are inserted inside of the card reader and can’t be seen from the outside. Shimmers are very tiny, thin devices that can read inserted card data much in the same way that skimmers can read magstripe data. 

Although shimmers can read this data, they can’t duplicate it for immediate use. Scammers work around this by cloning that data to a magstripe card or some other method (i.e. for online use).

How Does Card Shimming Work?

This is a technique developed to steal data from an EMV chip rather than a magnetic stripe. Fraudsters can’t yet “clone” an EMV chip and make a fake chip that’s encoded with a valid user’s information. However, they can take the information stolen using a shimmer, then encode that onto a magnetic stripe card. 

In other words, info can be stolen from your EMV card and put on a fake card. You can then use it to make purchases wherever merchants allow cardholders to swipe magnetic stripes.

For instance, a fraudster could make a fake card with a fake, non-working EMV chip. Then, they go to the store and dip the card in the card reader at checkout. The card terminal will advise the cashier that the chip’s not working. The cashier will then ask the fraudster to swipe the card. Voila: the fraudster has successfully worked around EMV safeguards. 

How to Prevent Card Shimming

While it’s true that businesses are almost entirely liable for fraud committed in their retail locations, there isn’t a guarantee that you will get all of your money back. Generally speaking, consumers are protected from any acts of fraud beyond $50. That doesn’t mean you’ll always notice you’ve been targeted, or act in time to recover your money, though.

Skimming and shimming are going to remain a problem so long as there is a chance that fraudsters can make a quick, easy buck with either. This is why it’s very important to opt for the newest security features whenever available and be conscious of stores that still allow the use of magstripe cards. 

Thanks to technology, we are not totally unarmed against shimmers and other scams. Contactless card readers, for example, can’t be targeted by shimming scams. The same goes for mobile wallet apps like Apple Pay and Google Pay. There is simply no way for a shimmer to intervene or record a contactless transaction, so take advantage of this payment option wherever available. 

Additionally, try to refrain from withdrawing funds from an ATM that is located outside of a bank. Instead, transfer funds with your mobile wallet, or opt for P2P (person-to-person) payment applications like Zelle or CashApp. 

A good rule of thumb to follow here is this: if it can happen, assume it does happen.

By avoiding the traps that shimmer and skimmer scammers set for consumers, you could sidestep them altogether and keep yourself safe.