Money Saving Tips

The new card skimming is called ‘shimming’

Westchester NY accountant Paul Herman of Herman & Company CPA’s is here for all your financial needs. Please contact us if you have questions, and to receive your free personal finance consultation!

By Bankrate

Card Shimming

Remember the card skimming wave, in which fraudsters attach false fronts to outdoor ATM and gas pump point-of-sale terminals to harvest the details off your card’s magnetic stripe and clone your card?

The bad guys are back with a new, improved data pickpocketing technique called shimming, in which they secretly insert a shimmer, a paper-thin, card-size shim containing an embedded microchip and flash storage into the “dip and wait” card slot itself, where it resides unseen to intercept data off your credit or debit card’s EMV chip. Although the scammers can’t use that purloined chip data to clone an actual chip card (for reasons we’ll discuss shortly), they can clone a mag stripe version that’s fully capable of defrauding banks and merchants who may not be paying close attention to their card security protocols.

What makes shimmers potentially more effective that skimmers? They can easily be inserted into indoor, in-store POS terminals, where they record the data being shared between the card’s chip and the terminal. What’s more, when the scammers periodically collect the shim to harvest its bounty, they appear to be doing nothing more than paying at the terminal.

Both scams gained momentum domestically as the United States ramped up for what has turned out to be a slow, rocky and ongoing transition from mag stripe to chip cards, contributing to a record 15.4 million victims of U.S. identity fraud in 2016.

Shimming: An invisible, yet still-rare, hack

Shimmers made their debut two years ago in Mexico and Arizona. The most recent North American case turned up in January in the Vancouver, British Columbia, suburb of Coquitlam. But it wasn’t a ripped-off consumer who blew the whistle, according to the Royal Canadian Mounted Police (RCMP).

How to protect yourself from shimmers

  1. Use the contactless tap-and-go feature on your credit or debit card instead of swiping or inserting your card.
  2. Use contactless mobile services such as Apple Pay or Samsung Pay to tap and pay.
  3. If you’re withdrawing cash at a bank, go inside to a teller.
  4. Use ATMs in banks rather than more vulnerable standalones.
  5. Cover the keypad with your hand when entering your PIN.
  6. Don’t proceed with a transaction if your card encounters resistance when it is inserted.
  7. Contact the bank, merchant and your card issuer is you suspect your card has been compromised.

“This retailer was doing daily checks to make sure everything was working properly on their four POS machines, and during one of those checks, they noticed that the test card they use wasn’t going in and out smoothly,” explains RCMP Cpl. Michael McLaughlin. “So they took the machine apart and found this shimmer inside. It’s a really good illustration of how a basic, low-tech technique can defeat high-tech crime.”

McLaughlin says that short of experiencing similar difficulty when inserting a card, there’s little to warn consumers that a card reader may contain a shim. “Unless you can really get a good look inside that little slot where your card goes, you’re probably not going to see a shimmer from the outside,” he says.

While the threat is invisible, it’s not as dire as it may seem.

“We don’t want people to panic over something like this,” cautions McLaughlin. “We’ve only found the one instance in our jurisdiction, it’s a brand-new technology and isn’t particularly widespread. You’re much more likely to get your wallet stolen.”

What happened to my “safer” chip card?

But wait — aren’t chip cards supposed to be more secure than those mag stripe relics?

Yes — and, ironically, shimming helps illustrate why, according to Nick Billett, senior director of global research and development for Diebold Nixdorf, a global banking and retail solutions company.

The reason: Each EMV chip card issued has two sets of digital card validation codes: a CVC for the magnetic stripe and a different, integrated CVC (or iCVC) for the EMV chip. Card issuers keep both codes on file, as well as a secret dynamic code unique to that chip, to verify the authenticity of every card transaction.

As a result, it’s impossible to clone a chip card. While skimmers and shimmers can create a cobbled-together mag stripe clone, it won’t buy them anything with merchants and banks that are following standard card security protocols. And those noncompliant operators who aren’t watching the store are fast diminishing as U.S. cardholders trade in their mag stripes for chips.

“The EMV mechanism is such that you can authenticate that that card is real and that it hasn’t been tampered with. Taking the data from a shimmed card doesn’t get you that data,” Billett explains. “If you look at the reports from Europe based on when EMV was introduced, going back 10 years now, their cure for redemption fraud in skimming is way, way down and dropped pretty much consistent with the EMV rollout. So hopefully we can get there very soon.”

The only U.S. terminals that would be fooled by a shimmed card are fast disappearing, according to Mastercard spokeswoman Beth Kitchener. In fact, Mastercard’s EMV partner Visa estimates that counterfeit fraud has declined by 50 percent at chip-enabled merchants, according to Visa vice president of risk and authentication products Stephanie Ericksen.

Because cards that have been cloned through shimming must rely on their mag stripe and not a chip to commit fraud, “shimmed cards can only be used in in-store retail environments that have not upgraded to EMV chip technology,” Kitchener notes.

Can tap-and-go save the day?

OK, so maybe the odds are very slim that your card will ever be shimmed and cloned. What steps can you take to mitigate even that remote risk?

In addition to closely monitoring your account for unauthorized purchases and setting text and email alerts and maximum ATM withdrawal limits on your cards, you may want to explore a tap-and-go contactless card or mobile pay apps such as Apple Pay or Samsung Pay rather than dip your chip.

“Tap-and-go or contactless cards would also help eliminate skimming or shimming,” explains Kitchener. That’s because each tap-and-go transaction uses limited banking information that prevents it from being used for fraud.

It was easy for Canada’s RCMP to recommend that consumers switch to tap-and-go, given that 95 percent of the cards up north support contactless payments and 8 out of 10 Canadian retailers have terminals with Near Field Communication (NFC) capability – a wireless technology that allows data to be exchanged between two different devices, such as a cellphone and a credit card terminal, from a short distance away.

Contactless payment forms are “actually very secure,” the RCMP’s McLaughlin explained. “Each tap transfers very limited banking information, which can’t be used to clone your card.”

Contactless cards are still the exception rather than the rule in the U.S., due in part to the rocky rollout of EMV and the reluctance of many banks and merchants to pay extra for terminals with an NFC antenna.

They are, however, expected to flood the U.S. soon. Contactless card shipments, which numbered 25.5 million in 2015, are expected to balloon to 405 million in 2021, according to a study released in November 2016 by ABI Research.

Whether you dip or tap, in the rare case you fall victim to a “shimmer,” rest assured: Both Visa and Mastercard have got your back.

“Cardholders should try their best to protect themselves from fraud. If this isn’t possible, they are protected by zero liability, which ensures they are never held responsible for fraudulent purchases,” Kitchener says.


Paul S. Herman CPA, a tax expert for individuals and businesses, is the founder of Herman & Company, CPA’s PC in White Plains, New York.  He provides guidance and strategies to improve clients’ financial well-being.

Social Security and Medicare Amounts for 2015

Westchester NY accountant Paul Herman of Herman & Company CPA’s is here for all your financial needs. Please contact us if you have questions, and to receive your free personal finance consultation! 

The annual inflation adjustments have also impacted the various Social Security amounts and thresholds for 2015.

o-SOCIAL-SECURITY-AND-MEDICARE-facebook

The Social Security wage base, for computing the Social Security tax (OASDI only), increases to $118,500 in 2015, up from $117,000 for 2014. There is no taxable earnings limit for Medicare (HI only) contributions. However, there is a 0.9% Medicare surtax that is imposed on wages and self-employment (SE) income in excess of the modified adjusted gross income (MAGI) threshold amounts of $250,000 for joint filers, $125,000 for married separate filers, and $200,000 for all other taxpayers. The MAGI thresholds are not adjusted for inflation. The surtax does not apply to the employer portion of the tax.

For Social Security beneficiaries under the full retirement age, the annual exempt amount increases to $15,720 in 2015, up from $15,480 in 2014. These beneficiaries will be subject to a $1 reduction in benefits for each $2 they earn in excess of $15,720 in 2015. However, in the year beneficiaries reach their full retirement age (FRA), earnings above a different annual exemption amount ($41,880 in 2015, up from $41,400 in 2014) are subject to $1 reduction in benefits for each $3 earned over this exempt amount. Social Security benefits are not reduced by earned income beginning with the month the beneficiary reaches FRA. But remember, Social Security benefits received may be subject to federal income tax.

The Social Security Administration estimates the average retired worker will receive $1,328 monthly in 2015. The average monthly benefit for an aged couple where both are receiving monthly benefits is $2,176. These amounts reflect a 1.7% cost of living adjustment (COLA). The maximum 2015 Social Security benefit for a worker retiring at FRA is $2,663 per month, up from $2,642 in 2014.

Herman and Company CPA’s proudly serves Bedford Hills NY, Chappaqua NY, Harrison NY, Scarsdale NY, White Plains NY, Mt. Kisco NY, Pound Ridge NY, Greenwich CT and beyond.

Gift-giving tax rules

Westchester NY accountant Paul Herman of Herman & Company CPA’s is here for all your financial needs. Please contact us if you have questions, and to receive your free personal finance consultation! 

Still looking for a last-minute or belated Holiday gift? Think cash!

Some people shy away from giving money because they think it’s tacky. Others are leery because of possible tax complications.

You’ll have to consult with Miss Manners about the propriety of gifting cash. But I can help allay some of your financial gift giving tax concerns.

People don’t understand monetary gifts, says Dave Du Val, vice president of taxpayer advocacy at Taxaudit.com, largely because in the tax world it’s a nebulous term. Adding to the confusion, adds Du Val, is that there are different requirements for different types of gifts.

However, when it comes to plain old dollar bills (or checks), the Internal Revenue Service rules are pretty straightforward.© staras/Shutterstock.com

This Christmas, you can give up to $14,000 to anyone and neither you nor your gift recipient will face any tax consequences. That amount is adjusted annually for inflation. For 2015 it stays at $14,000.

When you keep your gifts below that amount, you don’t have to report the gift to the Internal Revenue Service and the person who received the money doesn’t have to report it as income.

Breaking the $14,000 gift tax barrier

But what if you want to be even more generous? There are ways to get around the annual gift exclusions amount.

You can give your spouse any amount you wish without worrying about any gift tax as long as your husband or wife is a U.S. citizen.

Your spouse also can help you double the annual exclusion amount, says Du Val. The giving limit applies individually, so a married couple gets a double financial gift option.

You can give your daughter $14,000 and your spouse can give her another $14,000. She banks $28,000 but because the total came from each parent individually, there are no tax issues for generous moms and dads.

Here’s some more good news, especially for potential financial gift recipients. The tax-free giving isn’t limited to family. You can give up to $14,000 to anyone; a friend, a co-worker, any person you wish.

And in a couple of cases, you can exceed the annual gift exclusion limit entirely. This is the case, says Du Val, when your gift covers qualified educational or medical expenses. Just be sure, he notes, to pay the college or hospital directly.

Right about now, you might be wondering why you should think about financial gifts and taxes since you are far from ultra-rich.

That’s OK. Remember that $14,000 is the most you can give without worrying about taxes. But you don’t have to max out the gift. If you want to give $5,000 or $3,000 or $1,000, that’s fine.

Those relatively smaller amounts are still covered under the tax-free giving rules. At holiday time, that makes Uncle Sam a close cousin of good old Santa Claus.

Source: BankRate

Herman and Company CPA’s proudly serves Bedford Hills NY, Chappaqua NY, Harrison NY, Scarsdale NY, White Plains NY, Mt. Kisco NY, Pound Ridge NY, Greenwich CT and beyond.

Any U.S. tax advice contained in the body of this website is not intended or written to be used, and cannot be used, by the recipient for the purpose of avoiding penalties that may be imposed under the Internal Revenue Code or applicable state or local tax law provisions.