Clearsale Blog | Insights on Ecommerce and fraud

Shimming: The Newest Chip-Enabled Credit Card Scam

Written by Rafael Lourenco | Aug 15, 2018

The newest attack method, called shimming, isn’t yet widespread, but it’s potentially devastating for merchants and customers. Knowing the subtle signs to look for and steps to take to avoid becoming a victim can help prevent this scam from wreaking financial havoc on your business.

What Is Shimming?

In a shimming attack, fraudsters insert a thin, card-sized shim, complete with an embedded microchip and flash storage, into a chip card reader to capture card data. To collect the stolen credit card data, all the fraudster has to do is insert a special card into the compromised reader. The criminal looks like they're making a payment or using the ATM, but they're actually harvesting the data stored on the shim's flash storage.

Unfortunately for customers and merchants, this attack method is so subtle that they don’t know they’re a victim until it’s too late.

The good news? Fraudsters can’t use the stolen data to create new chip cards. The bad news? Scammers can still use the data to clone a magnetic stripe card, sell the data on the dark net, or use it on card-not-present purchases to defraud e-commerce merchants.

How Merchants Can Thwart Shimming Scams

If merchants don’t follow the latest security procedures for encrypting and transmitting credit card data, they may be unknowingly accepting payment from shimmed cards and facilitating fraud. And that can result in upset customers, expensive chargebacks once the legitimate cardholder discovers the fraud, and hits to revenue and reputation.

Here are five things merchants can do to avoid falling victim to this scam.

1. Require CVV Numbers

When shimming devices capture credit card data, one thing they’re unable to capture is the CVV — it’s embossed on the credit card, not stored on the magnetic stripe. Asking or looking for this number can help confirm the rightful owner possesses the credit card and will make merchants less susceptible to shimming.
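One way to apply this check to card-not-present orders, as an added example (not ClearSale's code): it screens orders by the CVV result code returned with the authorization and blocks a card after repeated CVV failures. The field names, decision labels, threshold, window and sample orders are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# CVV2 result codes commonly returned with an authorization response
# (assumption: your gateway exposes them): M = match, N = no match,
# P = not processed, S = CVV reported absent, U = issuer cannot verify.
FAILURE_CODES = {None, "N", "S"}   # None = shopper supplied no CVV
MAX_FAILURES = 3                   # assumed threshold
WINDOW = timedelta(minutes=30)     # assumed look-back window


def screen_orders(orders):
    """Return {order_id: decision}; only the result code is kept, never the CVV."""
    failures = defaultdict(list)   # card_token -> times of CVV failures
    decisions = {}
    for o in sorted(orders, key=lambda o: o["time"]):
        recent = [t for t in failures[o["card_token"]]
                  if o["time"] - t <= WINDOW]
        code = o["cvv_result"]
        if len(recent) >= MAX_FAILURES:
            # Repeated failures look like CVV guessing: stop even a later match.
            decision = "block_card"
        elif code is None:
            decision = "decline_no_cvv"
        elif code in FAILURE_CODES:
            decision = "decline_cvv_failed"
        elif code == "M":
            decision = "accept"
        else:
            decision = "manual_review"   # P, U or unknown: never auto-accept
        if code in FAILURE_CODES:
            failures[o["card_token"]].append(o["time"])
        decisions[o["id"]] = decision
    return decisions


def at(hhmm):  # timestamp helper for the constructed sample
    return datetime.strptime("2018-08-15 " + hhmm, "%Y-%m-%d %H:%M")

# Constructed sample orders (not real data).
SAMPLE = [dict(zip(("id", "card_token", "time", "cvv_result"), row)) for row in [
    ("o1", "tok_A", at("10:00"), "N"), ("o2", "tok_A", at("10:02"), "N"),
    ("o3", "tok_A", at("10:05"), "N"), ("o4", "tok_A", at("10:07"), "M"),
    ("o5", "tok_B", at("10:01"), "M"), ("o6", "tok_C", at("10:03"), None),
    ("o7", "tok_D", at("10:04"), "U"),
]]

if __name__ == "__main__":
    print(screen_orders(SAMPLE))
```
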

2. Share Attack Data

To help identify credit card fraud before it happens, share fraud attempts with merchant networks. Doing so provides merchants a larger pool of data from which they can identify emerging fraud patterns.

3. Inspect POS Terminals

Brick-and-mortar retailers should inspect their card readers daily, ensuring they haven’t been tampered with. Most point-of-sale merchants won’t see the shimming device from the outside, so they should test the reader by inserting credit cards. If they don’t go in and out of card readers smoothly, a shimming device may be to blame.

4. Encourage Contactless Payments

Encourage customers to use the tap-and-go features on their credit cards or mobile payment apps like Apple Pay and Google Pay. Both payment methods eliminate the risk of having data stolen after inserting credit cards into card readers.

5. Implement a Robust Fraud Prevention Program

Customers love the convenience of online shopping, but they’re increasingly concerned about the risk of divulging sensitive financial data. E-commerce merchants who invest in a robust fraud prevention solution can protect customers — and themselves — against emerging criminal scams while also eliminating false declines and providing a seamless shopping experience.

Fraudsters don’t need high-tech ways to defraud consumers when simple shimming devices work just fine. Merchants, however, should use solutions that combine the best of human analysis with advanced artificial intelligence to stop fraud before it happens.
