Security

Forget card skimmers, chip-card shimmers will be your next nightmare

Account-sniffing Raspberry-Pi-powered kit hidden in cash-machine slots

shimmer
Shimmer me timbers ... The tiny bits of kit that can empty your bank account

Black Hat America's belated move to EMV (Europay, MasterCard and Visa) chip-equipped cards won't be the panacea some had hoped. As it turns out, the cards are just as easy to clone as their magnetic stripe predecessors.

At the Black Hat 2016 security conference in Las Vegas this week, engineers from Rapid7 demonstrated how a few small pieces of electronics could be used to stage a man-in-the-middle attack against an ATM.

The shimmer device is so named because it is inserted in the card slot like a shim, and it then takes a snapshot of the transaction data as a request for cash is processed.

Tod Beardsley, security research manager at Rapid7, told The Register that the equipment needed was tiny – it's basically RaspBerry-Pi-powered – and could be installed quickly without access to the internals of the cash machine. The PIN typed into the keypad is obtained via a passive man-in-the-middle attack – all the technical details are in the presentation's slides, here [PDF].

Once retrieved, he was able to use the information to set up fraudulent accounts and potentially start siphoning money.

ATM money shot

The now-traditional ATM spewing money shot

Shimming systems have already started cropping up, particularly in areas of South America where tourists congregate, he said. With the introduction of chipped cards in the US you can expect shimmers to spread north, and he predicted that petrol pump card readers would be a likely target, since they are easily accessible and in frequent use.

The move to chipped cards isn't all gloom and doom, however. Data stolen from a magstripe card is easy to sell online and reuse on cloned cards for long periods after it's stolen. With chip cards, the window of opportunity to sell the information is much smaller. Beardsley said that banks had gotten much better at spotting likely cases of fraud using the technique, and blocking access to accounts.

Rapid7 has contacted vendors of ATMs to tell them about the research, and praised the pioneering work of the late Barnaby Jack for making this possible without lawsuit threats. Jack's ATM hacking nearly got him arrested, but these days manufacturers recognize that white-hat hackers can do them a lot of good. ®

Biting the hand that feeds IT © 1998–2017