Stories
Slash Boxes
Comments

SoylentNews is people

Hackers Favoring Shimmers Over Skimmers for ATM Attacks

posted by martyb on Friday June 28 2019, @10:39PM   Printer-friendly
from the cat-and-mouse dept.

MrPlow writes:

Submitted via IRC for SoyCow1944

Cybercriminals are increasingly using shimmers instead of skimmers in attacks targeting automated teller machines, Flashpoint reports.

Skimmers are small devices nearly indistinguishable from legitimate card readers, which have been designed to steal the data from the card’s magnetic stripe, thus allowing hackers to clone cards. These devices can fit over an existing card reader and are typically difficult to notice.

The widespread implementation of the Europay Mastercard Visa (EMV) payment method via chip cards, prevents the use of skimmers by storing data on integrated circuits. Attackers are now focusing on capturing data from the chip, and this is where shimmers enter stage.

First detailed in 2016, these thin devices are much smaller than skimmers and are usually positioned between the chip and the chip reader inside an ATM or point-of-sale system. They include flash storage and a microchip and store copied payment card data, which is then dumped onto the magnetic stripe of a fraudulent card.

[...] Chip cards in theory cannot be cloned due to an integrated circuit card verification value (iCVV), which differs from the more familiar CVV number stored on magnetic stripes. iCVVs prevent the copying of magnetic-stripe data from the chip, and the creation of counterfeit magnetic stripe cards using the data.

[...] Attackers take advantage of improperly implemented EMV chip card standard to target less secure configurations, such as Static Data Authentication (SDA) EMV cards, which are slowly being replaced with Dynamic Data Authentication (DDA), and Combined Data Authentication (CDA).

Source: https://www.securityweek.com/hackers-favoring-shimmers-over-skimmers-atm-attacks

Original Submission

 
This discussion has been archived. No new comments can be posted.
Hackers Favoring Shimmers Over Skimmers for ATM Attacks | Log In/Create an Account | Top | 1 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)

  • (Score: 3, Insightful) by ledow on Saturday June 29 2019, @10:40AM

    by ledow (5567) on Saturday June 29 2019, @10:40AM (#861297) Homepage

    Any proper encryption system... ANY proper encryption system... allows a third-party attacker to overhear all of the conversation without being able to glean any useful information whatsoever about the data in transit. It's literally the core purpose of encryption.

    Credit card smart chips having an encrypted communication with a bank ATM chip that can be overheard, man-in-the-middled or intercepted? Why is that a problem? Unless you're a fecking idiot and did not use a proper encryption system.

    You should be able to literally post the entire electronic communication between a card and a card reader (whether that be radio captures, electronic interceptions or voltage levels on an unrelated side-pin) onto the Internet and nobody should be able to make any use of them whatsoever. If you cannot, you did not use a proper encryption system. It's that simple.

    And with PFS, pretty much you're guaranteed that even if someone dug out the entire ATM history of every bank in the world, 50 years into the future, they *still* wouldn't be able to tell you anything about the data on the card.

(1)