The new card skimming is called ‘shimming’

Westchester NY accountant Paul Herman of Herman & Company CPA’s is here for all your financial needs. Please contact us if you have questions, and to receive your free personal finance consultation!

By Bankrate

Remember the card skimming wave, in which fraudsters attach false fronts to outdoor ATM and gas pump point-of-sale terminals to harvest the details off your card’s magnetic stripe and clone your card?

The bad guys are back with a new, improved data pickpocketing technique called shimming, in which they secretly insert a shimmer (a paper-thin, card-size shim containing an embedded microchip and flash storage) into the “dip and wait” card slot itself, where it resides unseen to intercept data off your credit or debit card’s EMV chip. Although the scammers can’t use that purloined chip data to clone an actual chip card (for reasons we’ll discuss shortly), they can clone a mag stripe version that’s fully capable of defrauding banks and merchants who may not be paying close attention to their card security protocols.

What makes shimmers potentially more effective than skimmers? They can easily be inserted into indoor, in-store POS terminals, where they record the data being shared between the card’s chip and the terminal. What’s more, when the scammers periodically collect the shim to harvest its bounty, they appear to be doing nothing more than paying at the terminal.

Both scams gained momentum domestically as the United States ramped up for what has turned out to be a slow, rocky and ongoing transition from mag stripe to chip cards, contributing to a record 15.4 million victims of U.S. identity fraud in 2016.

Shimming: An invisible, yet still-rare, hack

Shimmers made their debut two years ago in Mexico and Arizona. The most recent North American case turned up in January in the Vancouver, British Columbia, suburb of Coquitlam. But it wasn’t a ripped-off consumer who blew the whistle, according to the Royal Canadian Mounted Police (RCMP).

How to protect yourself from shimmers

  1. Use the contactless tap-and-go feature on your credit or debit card instead of swiping or inserting your card.
  2. Use contactless mobile services such as Apple Pay or Samsung Pay to tap and pay.
  3. If you’re withdrawing cash at a bank, go inside to a teller.
  4. Use ATMs in banks rather than more vulnerable standalones.
  5. Cover the keypad with your hand when entering your PIN.
  6. Don’t proceed with a transaction if your card encounters resistance when it is inserted.
  7. Contact the bank, merchant and your card issuer if you suspect your card has been compromised.

“This retailer was doing daily checks to make sure everything was working properly on their four POS machines, and during one of those checks, they noticed that the test card they use wasn’t going in and out smoothly,” explains RCMP Cpl. Michael McLaughlin. “So they took the machine apart and found this shimmer inside. It’s a really good illustration of how a basic, low-tech technique can defeat high-tech crime.”

McLaughlin says that short of experiencing similar difficulty when inserting a card, there’s little to warn consumers that a card reader may contain a shim. “Unless you can really get a good look inside that little slot where your card goes, you’re probably not going to see a shimmer from the outside,” he says.

While the threat is invisible, it’s not as dire as it may seem.

“We don’t want people to panic over something like this,” cautions McLaughlin. “We’ve only found the one instance in our jurisdiction, it’s a brand-new technology and isn’t particularly widespread. You’re much more likely to get your wallet stolen.”

What happened to my “safer” chip card?

But wait — aren’t chip cards supposed to be more secure than those mag stripe relics?

Yes — and, ironically, shimming helps illustrate why, according to Nick Billett, senior director of global research and development for Diebold Nixdorf, a global banking and retail solutions company.

The reason: Each EMV chip card issued has two sets of digital card validation codes: a CVC for the magnetic stripe and a different, integrated CVC (or iCVC) for the EMV chip. Card issuers keep both codes on file, as well as a secret dynamic code unique to that chip, to verify the authenticity of every card transaction.

As a result, it’s impossible to clone a chip card. While skimmers and shimmers can create a cobbled-together mag stripe clone, it won’t buy them anything with merchants and banks that are following standard card security protocols. And those noncompliant operators who aren’t watching the store are fast diminishing as U.S. cardholders trade in their mag stripes for chips.

“The EMV mechanism is such that you can authenticate that that card is real and that it hasn’t been tampered with. Taking the data from a shimmed card doesn’t get you that data,” Billett explains. “If you look at the reports from Europe based on when EMV was introduced, going back 10 years now, their cure for redemption fraud in skimming is way, way down and dropped pretty much consistent with the EMV rollout. So hopefully we can get there very soon.”

The only U.S. terminals that would be fooled by a shimmed card are fast disappearing, according to Mastercard spokeswoman Beth Kitchener. In fact, Mastercard’s EMV partner Visa estimates that counterfeit fraud has declined by 50 percent at chip-enabled merchants, according to Visa vice president of risk and authentication products Stephanie Ericksen.

Because cards that have been cloned through shimming must rely on their mag stripe and not a chip to commit fraud, “shimmed cards can only be used in in-store retail environments that have not upgraded to EMV chip technology,” Kitchener notes.

Can tap-and-go save the day?

OK, so maybe the odds are very slim that your card will ever be shimmed and cloned. What steps can you take to mitigate even that remote risk?

In addition to closely monitoring your account for unauthorized purchases and setting text and email alerts and maximum ATM withdrawal limits on your cards, you may want to explore a tap-and-go contactless card or mobile pay apps such as Apple Pay or Samsung Pay rather than dip your chip.

“Tap-and-go or contactless cards would also help eliminate skimming or shimming,” explains Kitchener. That’s because each tap-and-go transaction uses limited banking information that prevents it from being used for fraud.

It was easy for Canada’s RCMP to recommend that consumers switch to tap-and-go, given that 95 percent of the cards up north support contactless payments and 8 out of 10 Canadian retailers have terminals with Near Field Communication (NFC) capability – a wireless technology that allows data to be exchanged between two different devices, such as a cellphone and a credit card terminal, from a short distance away.

Contactless payment forms are “actually very secure,” the RCMP’s McLaughlin explained. “Each tap transfers very limited banking information, which can’t be used to clone your card.”

Contactless cards are still the exception rather than the rule in the U.S., due in part to the rocky rollout of EMV and the reluctance of many banks and merchants to pay extra for terminals with an NFC antenna.

They are, however, expected to flood the U.S. soon. Contactless card shipments, which numbered 25.5 million in 2015, are expected to balloon to 405 million in 2021, according to a study released in November 2016 by ABI Research.

Whether you dip or tap, in the rare case you fall victim to a “shimmer,” rest assured: Both Visa and Mastercard have got your back.

“Cardholders should try their best to protect themselves from fraud. If this isn’t possible, they are protected by zero liability, which ensures they are never held responsible for fraudulent purchases,” Kitchener says.

Paul S. Herman CPA, a tax expert for individuals and businesses, is the founder of Herman & Company, CPA’s PC in White Plains, New York.  He provides guidance and strategies to improve clients’ financial well-being.

Don’t fall for phone or email tax scams

By: Bankrate

Tax crooks continue to come up with new ways to try to get their hands on your money.

The latest scam is a play on a common tax notice that’s sent to taxpayers. The fake emails purport to be about an Internal Revenue Service bill related to the Affordable Care Act.

How to tell it’s a phony email

The melding of the CP2000, a commonly snail-mailed communication from the IRS, and an email request for money represents just the latest evolution in tax scams.

The crooks apparently are trying to latch on to the IRS’ frequent reminders that it sends notices to taxpayers before asking for money.

But where the IRS sends its real notices via the U.S. Postal Service, in this scam the fake notice is delivered as an email attachment.

The fraudulent CP2000 notice, notes the IRS in a statement about this new scheme, includes a payment request that taxpayers write a check to IRS, instead of to the U.S. Treasury (the real payment entity), and send the check to a processing center at a Post Office box address.

But don’t do it.

The scam notices use a tax matter that many filers still find confusing, the Affordable Care Act, commonly referred to as Obamacare, and its possible tax if you have insufficient health coverage. In this case, the fake CP2000 seeks information about taxpayers’ 2014 health care coverage.

There also is a payment link within the email itself.

How the IRS will, and won’t, contact you

The one good thing that comes from this latest attempted tax crime is that it gives the IRS — and Bankrate — the chance to offer a reminder about how and when you’ll hear from the tax agency.

The CP2000 is a real notice that the IRS commonly mails out, using the U.S. Postal Service, regarding questions about a taxpayer’s filings.

But the IRS will never send a CP2000 in an email to taxpayers.

The agency does not initiate contact with taxpayers by email or through social media platforms.

If you receive the scam email, the IRS says forward it to Then delete it.

If you receive any communication that appears to be from the IRS and makes you worry about your tax situation, call the agency directly at 1-800-829-1040 to discuss your concerns.

Keep an eye on your finances

And if you fear that your tax or other personal financial data has been compromised, monitor your credit reports. You can do so for free by using

Keep up with IRS and tax news, as well as find filing tips, calculators and more at Bankrate’s Tax Center.

Bill would make some forgiven student loans tax-free

By Bankrate


Owing a debt you can’t repay is bad. Owing federal taxes on that debt amount even after you no longer have to pay it back is even worse.

Federal tax law, however, requires in most cases that when a loan is forgiven, the amount that is written off by the lender is taxable income to the previous debtor.

Sen. Debbie Stabenow, D-Michigan, thinks that’s wrong when the debt was incurred under fraudulent circumstances, specifically to pay for college. Stabenow has introduced the Student Tax Relief Act, a bill that would protect defrauded borrowers from being taxed on their forgiven student loans.

Corinthian College cause

Her bill, S. 3008, was drafted in the wake of the federal investigation into Corinthian Colleges, Inc. and its associated schools.

The Department of Education found that the now-defunct for-profit chain run by Corinthian defrauded students at more than 100 schools in more than 20 states across the country.

Following the fraud finding, the Education Department told students who borrowed money from Uncle Sam to attend Corinthian classes that they would not have to repay those loans. Affected students can apply for loan forgiveness through the department’s Federal Student Aid division.

That’s a welcome step for the bilked students. The Education Department says that as of March 1 it had processed almost 9,000 claims from former Corinthian students nationwide, totaling more than $132 million.

Canceled, but taxable, debt

The forgiven debt provisions of the Internal Revenue Code generally require that such canceled debt is taxable. For example, folks who are able to negotiate down or away debt owed on credit cards face the same tax due on what is called phantom income.

A notable exception is in the case of some residential foreclosures or mortgage renegotiations, where a special, temporary law allows certain home-related canceled debt amounts to be tax free.

The Corinthian students also were provided special tax relief on the amounts cleared by the Department of Education.

Stabenow’s bill, which has 7 Democratic cosponsors in the Senate, would give the same tax relief to students in similar educational fraud cases.

“When students take out loans to attend college, they should get a fair deal and a fair shot,” said Stabenow in announcing the introduction of the Student Tax Relief Act. “No student should be the victim of false advertising from a college that promises skills or job placement. And the last thing they deserve is to be hit with an enormous tax burden on their forgiven loans.”

Time running out

Stabenow’s bill might be able to garner some additional support. The issue of burdensome student debt in general already is under a spotlight, thanks in large part to Vermont Sen. Bernie Sanders’ campaign to be the Democratic nominee for president.

But time is not on the side of Stabenow’s effort. The tax-writing Senate Finance Committee, where the bill is pending, has not scheduled any hearing on S. 3008.

And with the upcoming November elections, the House and Senate aren’t going to be in session much. The chambers’ schedules are reduced so that Representatives and Senators can return home to make their reelection cases.

If, however, enough constituents let lawmakers know of their student debt concerns, both on a wider scale and in connection with cases like Corinthian, there might be some action on Stabenow’s bill this year. That would be a welcome development for former students facing an unexpected tax bill next filing season on their forgiven school loans.

Have you ever faced a tax bill on forgiven debt? Do you agree with Stabenow’s proposal? Do you think the tax code is right, or should all forgiven debt be tax-free?
