ATM Shims: New Attack On Your Credit Card
Shimming is the latest attack designed to capture your credit card number, PIN and other information when you swipe your card through a reader such as an ATM machine. Criminals use it to steal credit card information, which results in the loss of billions of dollars. If you are a credit card user, you should know about this, so keep reading.
Shimming works by placing a small, thin shim (a man in the middle between the card reader and the circuit board). When you insert your credit card, the shim performs a simple man-in-the-middle attack between your credit card and the circuit board and tracks your credit card number, PIN, CVV info, etc., as shown in the figure below. The shim is inserted using a “carrier card” that is first inserted into the card reader and then removed after the shim is fixed between the card reader and the circuit board.
Note that this is not trivial from an engineering point of view, because the shim needs to be extremely thin, on the order of less than 0.1 mm.
To put in perspective how thin less than 0.1 mm is, think about this. Your credit card is 0.76 mm thick. A grain of salt is 0.5 mm thick. A human hair is about 0.18 mm thick. The smallest objects that the unaided human eye can see are about 0.1 mm long. Now that’s thin! Add to this that the shim must be semi-flexible, and this attack becomes quite a technological achievement.
But recent advancements in microchip fabrication, coupled with commoditization by some manufacturers, have made shims easy to create and deploy. The reason this technique will fill the pockets of criminals is that, in general, ATM transactions are plain. That is, the ATM allows us to encrypt our data while we transmit it to the ATM's card reader, but many people aren't even aware of this feature, so the attack is easy to implement. If the feature is enabled, it is impossible to track the data, because the credit card uses a public key to encrypt the data that is sent to the ATM reader, and it is really impossible to brute-force it.
But it looks like this definitely needs a new design for ATMs or a wide upgrade of credit cards. This is really a cost effective and time consuming solution. The simple solution, though, is just to enable the encryption mechanism in your credit cards.
Here are some resources to help you protect yourself from shimming attacks.
http://www.networkworld.com/community/blog/newest-attack-your-credit-card-atm-shims?source=NWWNLE_nlt_daily_am_2010-07-12
http://www.news.diebold.com/article_display.cfm?article_id=5065
http://www.networkworld.com/community/node/33210
http://masteryourcard.com/blog/2009/08/24/how-to-protect-yourself-from-credit-card-skimming/
http://www.scribd.com/doc/6444475/UCAMCLTR711