
The new card skimming is called ‘shimming’

Westchester NY accountant Paul Herman of Herman & Company CPA’s is here for all your financial needs. Please contact us if you have questions, and to receive your free personal finance consultation!

By Bankrate


Remember the card skimming wave, in which fraudsters attach false fronts to outdoor ATM and gas pump point-of-sale terminals to harvest the details off your card’s magnetic stripe and clone your card?

The bad guys are back with a new, improved data pickpocketing technique called shimming, in which they secretly insert a shimmer (a paper-thin, card-size shim containing an embedded microchip and flash storage) into the “dip and wait” card slot itself, where it resides unseen to intercept data off your credit or debit card’s EMV chip. Although the scammers can’t use that purloined chip data to clone an actual chip card (for reasons we’ll discuss shortly), they can clone a mag stripe version that’s fully capable of defrauding banks and merchants who may not be paying close attention to their card security protocols.

What makes shimmers potentially more effective than skimmers? They can easily be inserted into indoor, in-store POS terminals, where they record the data being shared between the card’s chip and the terminal. What’s more, when the scammers periodically collect the shim to harvest its bounty, they appear to be doing nothing more than paying at the terminal.

Both scams gained momentum domestically as the United States ramped up for what has turned out to be a slow, rocky and ongoing transition from mag stripe to chip cards, contributing to a record 15.4 million victims of U.S. identity fraud in 2016.

Shimming: An invisible, yet still-rare, hack

Shimmers made their debut two years ago in Mexico and Arizona. The most recent North American case turned up in January in the Vancouver, British Columbia, suburb of Coquitlam. But it wasn’t a ripped-off consumer who blew the whistle, according to the Royal Canadian Mounted Police (RCMP).

How to protect yourself from shimmers

  1. Use the contactless tap-and-go feature on your credit or debit card instead of swiping or inserting your card.
  2. Use contactless mobile services such as Apple Pay or Samsung Pay to tap and pay.
  3. If you’re withdrawing cash at a bank, go inside to a teller.
  4. Use ATMs in banks rather than more vulnerable standalones.
  5. Cover the keypad with your hand when entering your PIN.
  6. Don’t proceed with a transaction if your card encounters resistance when it is inserted.
  7. Contact the bank, merchant and your card issuer if you suspect your card has been compromised.

“This retailer was doing daily checks to make sure everything was working properly on their four POS machines, and during one of those checks, they noticed that the test card they use wasn’t going in and out smoothly,” explains RCMP Cpl. Michael McLaughlin. “So they took the machine apart and found this shimmer inside. It’s a really good illustration of how a basic, low-tech technique can defeat high-tech crime.”

McLaughlin says that short of experiencing similar difficulty when inserting a card, there’s little to warn consumers that a card reader may contain a shim. “Unless you can really get a good look inside that little slot where your card goes, you’re probably not going to see a shimmer from the outside,” he says.

While the threat is invisible, it’s not as dire as it may seem.

“We don’t want people to panic over something like this,” cautions McLaughlin. “We’ve only found the one instance in our jurisdiction, it’s a brand-new technology and isn’t particularly widespread. You’re much more likely to get your wallet stolen.”

What happened to my “safer” chip card?

But wait — aren’t chip cards supposed to be more secure than those mag stripe relics?

Yes — and, ironically, shimming helps illustrate why, according to Nick Billett, senior director of global research and development for Diebold Nixdorf, a global banking and retail solutions company.

The reason: Each EMV chip card issued has two sets of digital card validation codes: a CVC for the magnetic stripe and a different, integrated CVC (or iCVC) for the EMV chip. Card issuers keep both codes on file, as well as a secret dynamic code unique to that chip, to verify the authenticity of every card transaction.

As a result, it’s impossible to clone a chip card. While skimmers and shimmers can create a cobbled-together mag stripe clone, it won’t buy them anything with merchants and banks that are following standard card security protocols. And those noncompliant operators who aren’t watching the store are fast diminishing as U.S. cardholders trade in their mag stripes for chips.
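The issuer-side check described above, sketched as an added example (it is not from the original article or from any card network's code). The field names, sample values and the HMAC used as a stand-in for the chip's secret dynamic code are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class IssuerRecord:
    """What the issuer keeps on file for one card (all values constructed)."""
    stripe_cvc: str   # CVC encoded on the magnetic stripe
    chip_icvc: str    # iCVC carried in the chip's data
    chip_key: bytes   # secret unique to this chip, known only to chip and issuer


def chip_cryptogram(key: bytes, txn_data: bytes) -> str:
    # Stand-in for the chip's dynamic code: HMAC-SHA256, not the EMV algorithm.
    return hmac.new(key, txn_data, hashlib.sha256).hexdigest()[:16]


def authorize(record, entry_mode, code, txn_data=b"", cryptogram=None):
    """Return (approved, reason) for one authorization request."""
    if entry_mode == "magstripe":
        if hmac.compare_digest(code, record.stripe_cvc):
            return True, "stripe CVC matches"
        if hmac.compare_digest(code, record.chip_icvc):
            # Chip data replayed on a stripe: the mark of a shimmed clone.
            return False, "iCVC presented on mag stripe"
        return False, "CVC mismatch"
    if entry_mode == "chip":
        if not hmac.compare_digest(code, record.chip_icvc):
            return False, "iCVC mismatch"
        expected = chip_cryptogram(record.chip_key, txn_data)
        if cryptogram is None or not hmac.compare_digest(cryptogram, expected):
            return False, "dynamic code invalid"
        return True, "chip authenticated"
    return False, "unknown entry mode"


if __name__ == "__main__":
    card = IssuerRecord("123", "987", b"constructed-chip-key")  # constructed sample
    txn = b"amount=25.00;counter=7"
    print(authorize(card, "chip", "987", txn, chip_cryptogram(card.chip_key, txn)))
    # A stripe clone built from shimmed chip data carries the iCVC, not the CVC.
    print(authorize(card, "magstripe", "987"))
```

A terminal or issuer that skips the stripe CVC comparison is the "noncompliant operator" case: the same clone would pass there because nothing distinguishes the iCVC from the stripe value.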

“The EMV mechanism is such that you can authenticate that that card is real and that it hasn’t been tampered with. Taking the data from a shimmed card doesn’t get you that data,” Billett explains. “If you look at the reports from Europe based on when EMV was introduced, going back 10 years now, their cure for redemption fraud in skimming is way, way down and dropped pretty much consistent with the EMV rollout. So hopefully we can get there very soon.”

The only U.S. terminals that would be fooled by a shimmed card are fast disappearing, according to Mastercard spokeswoman Beth Kitchener. In fact, Mastercard’s EMV partner Visa estimates that counterfeit fraud has declined by 50 percent at chip-enabled merchants, according to Visa vice president of risk and authentication products Stephanie Ericksen.

Because cards that have been cloned through shimming must rely on their mag stripe and not a chip to commit fraud, “shimmed cards can only be used in in-store retail environments that have not upgraded to EMV chip technology,” Kitchener notes.

Can tap-and-go save the day?

OK, so maybe the odds are very slim that your card will ever be shimmed and cloned. What steps can you take to mitigate even that remote risk?

In addition to closely monitoring your account for unauthorized purchases and setting text and email alerts and maximum ATM withdrawal limits on your cards, you may want to explore a tap-and-go contactless card or mobile pay apps such as Apple Pay or Samsung Pay rather than dip your chip.

“Tap-and-go or contactless cards would also help eliminate skimming or shimming,” explains Kitchener. That’s because each tap-and-go transaction uses limited banking information that prevents it from being used for fraud.

It was easy for Canada’s RCMP to recommend that consumers switch to tap-and-go, given that 95 percent of the cards up north support contactless payments and 8 out of 10 Canadian retailers have terminals with Near Field Communication (NFC) capability – a wireless technology that allows data to be exchanged between two different devices, such as a cellphone and a credit card terminal, from a short distance away.

Contactless payment forms are “actually very secure,” the RCMP’s McLaughlin explained. “Each tap transfers very limited banking information, which can’t be used to clone your card.”

Contactless cards are still the exception rather than the rule in the U.S., due in part to the rocky rollout of EMV and the reluctance of many banks and merchants to pay extra for terminals with an NFC antenna.

They are, however, expected to flood the U.S. soon. Contactless card shipments, which numbered 25.5 million in 2015, are expected to balloon to 405 million in 2021, according to a study released in November 2016 by ABI Research.

Whether you dip or tap, in the rare case you fall victim to a “shimmer,” rest assured: Both Visa and Mastercard have got your back.

“Cardholders should try their best to protect themselves from fraud. If this isn’t possible, they are protected by zero liability, which ensures they are never held responsible for fraudulent purchases,” Kitchener says.


Paul S. Herman CPA, a tax expert for individuals and businesses, is the founder of Herman & Company, CPA’s PC in White Plains, New York.  He provides guidance and strategies to improve clients’ financial well-being.

ATM Transaction FAQ’s

Scarsdale tax preparer Paul Herman of Herman & Company CPA’s has all the answers to your personal finance questions!

As tax professionals, our Westchester CPA firm sees firsthand many shared financial questions and concerns. In our “FAQ Series,” we will discuss these common topics and share our insight.

How do ATM transactions work? 

There are a variety of electronic transactions one can execute:

  • ATMs allow you to bank electronically, get cash, make deposits, pay bills, or transfer funds between accounts. These machines are used with a debit or ATM card and a personal identification number.
  • Point of Sale Transactions. Some ATM cards and debit cards can be used in stores to charge merchandise. Money is electronically drawn from your account and paid to the store.
  • Pre-authorized transfers. These allow for the automatic deposit of funds to, or withdrawal of funds from, your account. For example, one can authorize the direct deposit of wages, social security, or dividends directly to their account. You can also pre-authorize your bank to make automatic transfers for bill paying.
  • Telephone transfers. You can transfer funds from one of your accounts to the other, or order bill payments over the phone.

Most ATMs provide you with a receipt for the transaction, as do point of sale purchases. These receipts are the records of your electronic transactions and should be kept. Additionally, your periodic bank statement will show all the electronic transfers performed. This monthly statement is your proof of payment to another party and is your record for tax and other purposes. Any inconsistencies can be taken up with your bank.

What should I do if I find an error on an EFT or ATM transaction?

Call your bank as soon as possible, or within 60 days of the error. They may ask you to submit your account information and the alleged error in writing. Generally they have 10 business days to investigate the error, and if they fail to come up with an answer your funds should be reimbursed. If the funds in question were withdrawn from a point-of-service debit or a foreign electronic transfer, the bank may be allowed more time to investigate the error. In the meantime, however, you should have full access to the funds in question.

Your bank should notify you immediately of their findings. If you were correct about the error, they must immediately finalize the re-credit to your account. If there was no error, they must present in writing the findings of their investigation, and notify you of any funds they have deducted after you had been re-credited.

What if my ATM card is lost or stolen?

It’s important to note the difference in how you will be reimbursed for credit cards vs. ATM or debit cards. For a credit card your loss is limited to $50.

However, for an ATM or debit card the loss is limited to $50 if you notify your institution within 2 business days after the card is lost or stolen.

Keep in mind that the loss could be up to $500 if you do not tell your bank within two business days of the loss or theft.

If you do not report unauthorized transfers within 60 days of your statement being mailed to you, you run the risk of having unlimited loss on transfers made after the 60 days.

Can I use my ATM card abroad?

Yes, there are plenty of ATMs all around the world, but it is wise to check beforehand. With Visa and MasterCard, you can pinpoint ATM locations worldwide on their website.

Often it is a good idea to travel with an ATM card because you can withdraw foreign currencies at a better exchange rate, and also if you lose your card and report it promptly you will not experience the type of losses you would with cash. Be wary of fees your bank will charge you for each withdrawal – it may be wise to withdraw larger sums to minimize the frequency of transactions.

How do I know when a pre-authorized credit has been deposited into my account?

Your institution may notify your employer, or you. Many times your bank may only notify the recipient if a scheduled credit does not come through. Often, you can check your statement online or call your bank to check on your credits.

How do I cancel a pre-authorized payment?

You can call or write your bank, or often stop the payment by going to your bank’s website. Do this at least 3 days before the scheduled payment. If you give notice by telephone, it is a good idea to request written confirmation of your request to stop the transfer.


Herman and Company CPA’s proudly serves Scarsdale NY, White Plains NY, Mount Kisco NY, Pound Ridge NY, North Salem NY, Mamaroneck NY and beyond.


Any U.S. tax advice contained in the body of this website is not intended or written to be used, and cannot be used, by the recipient for the purpose of avoiding penalties that may be imposed under the Internal Revenue Code or applicable state or local tax law provisions.