Credit Card Skimmers Evolve – Shimmers Are Here

Credit cards are loaded with security features, but the game of cat and mouse goes on. Nefarious syndicates continue to develop technology to steal data in new and innovative ways. After SparkFun did a teardown on some illicit hardware, they were visited by local law enforcement, who requested their help once more.

[Nick] from SparkFun refers to the device in question as a “shimmer”. It’s intended to be installed inside the chip reader of a credit card terminal, in between the terminal and the user’s credit card. Fabricated on a flexible film PCB, it’s thin enough to glue inside without being obvious even during maintenance.

The investigation begins with identification of the major components on board, followed by attempts to communicate with the device. Unfortunately, the hardware was largely unresponsive, even when connected to a card reader. In an effort to learn more, a schematic was produced. [Nick]’s analysis raised more questions than answers, and the suspicion is that the hardware may have been damaged at some point. However, the basic capabilities of the device are obvious, given the ability of the hardware to interact with a card via its contacts and offload the data through the onboard nRF24L01 radio module.

Thanks to people like [Nick], and earlier work from SparkFun, we all now have a better understanding of the risks when using payment terminals out in the wild. Unfortunately, unless your local gas station is willing to let you spend 20 minutes disassembling their card reader before paying, there’s not a whole lot the individual can do about it. Stay vigilant, and if you’ve got the skinny on a skimmer, drop us a line.

90 thoughts on “Credit Card Skimmers Evolve – Shimmers Are Here”

  1. The market is already adjusting by using phones to pay for fuel and fast food, etc.
    This prevents the need to use the card readers while still being more convenient than a wallet full of bills.

    1. “more convenient”

      more convenient for some but not all
      I have a wallet full of bills and find it mighty convenient

      An entire generation (several) grew up with physical money and didn’t need apps on their phone to tell them how to budget (because they can’t figure it out themselves)
      They simply looked into their wallets.

      1. All I heard was “hurr durr get off my lawn”. In all seriousness though as you said different people find different things convenient. Trying to extrapolate that to imply that younger generations are somehow incapable of fiscal management without technology is not only futile but also incorrect on the whole. Luddism isn’t always the answer.

        1. I’m still amused by my mom’s ability to do math on paper. And there was certainly a time I knew how to do that. And with the cost of computers going down while performance was going up, it’s not really a skill I ever got good at (good == fast). But that time is gone and the procedure for doing it that way has completely slipped my mind. Another thing the younger generation has yet to deal with (and almost certainly will, barring some breakthrough in memory augmentation).

          1. Yes indeed, it is a shame that we don’t all walk around with 5000 years of obsolete technology lore in our heads. It is a shame that we can’t all start a fire with flint and steel, that we can’t make our own soap, and we can’t adjust the valve clearance on a VW Beetle. Life would be so much better if we remembered these things.

          2. @N, may I humbly suggest you read The Machine Stops by [E. M. Forster]. If you are not too deep into your safe space, you may find it enlightening.

            I mean, what do you do when your shoe-tying robot stops working because venmo borked your payment to the DRM server in The Cloud™?

          3. N’s reply reminds me of the time, quite a few years ago now, when my family visited a Toys ‘R’ Us. There was a blackout while we were in the store. First, the store manager passed out pads and pencils so the cashiers could finish ringing up purchases. It quickly became obvious that most of these young people couldn’t do the math, so he passed out some calculators from the office. It then became apparent that even with the calculators, none of them had any idea how to do percentages, and so they couldn’t figure out the sales tax. The manager then ran up the white flag, asked all the customers to return later to finish their purchases, and closed the store. I still wonder how much money the store lost that day. I can do math on paper, I can start a fire with a bow drill, and I do know how to make soap, as well as a lot of other things. Disasters happen, civilizations collapse. History is filled with examples. If it all goes down the tube, most people with N’s attitude will be dead inside of a month.

        1. Convenient is a subjective thing, however. If you’re unfamiliar with one method and well versed in another method, then the other method, even if slightly less efficient than the first may well be more convenient to you.

          Of course, each person needs to evaluate for themselves whether the learning curve for a more efficient method gains enough to pay back the time spent over the long run.

          Most people are generally very bad at making this calculation on the fly and different people tend to consistently err in their own preferred direction (some tend to learn any new method they can at any opportunity while others tend to resist learning until strongly compelled by external forces).

          There’s definitely little point or success to be gained by trying to reverse someone’s bias in this area.

          1. – Too bad this concept is lost on so many… Dvorak keyboard is a great example… sure, your newfangled way may be slightly more efficient, but the vast majority of us don’t want to learn from scratch something we are already relatively proficient at, for minimal improvement. Applies to soooo many areas…. (particularly looking at you, linux… and ‘we need to rewrite this’ attitude of many developers – scrapping the collective knowledge of all who have worked with / built the code and are capable of supporting it). /get off my grass

        2. I have to cut barcode tags at work and nobody can work as fast as I can with a simple knife…so much faster than scissors. Just because it’s lower tech doesn’t mean it’s inferior.

      2. I grew up before cell phones, when gasoline was leaded, paying for everything with cash. It was a pain in the ass having to forecast how much money I’d need for a given few days or a week, and having to swing by the bank on a regular basis. I have 95% of my bills automated, I deposit checks on my phone, use PayPal or other payment services whenever possible. It’s just more convenient.

        And exactly how do phone apps “tell” people how to budget? Either way, you’re looking into your available funds, be it paper in your wallet, or numbers on a screen. If subsequent generations are having trouble budgeting, it’s not because of phone apps, so your criticism is misplaced.

        1. They tell them when they are running out of money. They analyse what they are spending on and send them messages. Really, if you don’t know, go look into it.
          But these are things that people who grew up with physical cash were able to do in their head.
          Research has shown that newer generations are not as able to budget, that is, understand how to, than the previous ones.
          Although you sound like you were unable to budget too.

          So enterprising folks have created apps for the glued-to-their-phone generation to do it for them.
          Have you not heard of micro loans? Round-up saving?

          I use my phone to do banking. I use PayPal, I have automated some bill payments.
          But I still use cash because it’s convenient and, thanks, but I do not need to be dictated to by the newer generation who thinks that is outdated and thus plans to try and obsolete it.
          Have you not noticed a pattern of obsoleting things that work perfectly fine so that the next big thing/industry/money-making can come along?

          Throw away perfectly working things because “this is better” – like every time a company changes their website and most users are up in arms about it but they just ignore them all.
          A percentage leave. A percentage put up with it. After a while everyone forgets and gets used to the sucky interface. Then the company proclaims it a success.

          1. I don’t actually believe you are a part of a generation that kept all of their money in their wallet.
            I know there are nutcases who refuse to use banking, but the vast majority has used banking for many decades. Even those who didn’t use banking wouldn’t carry around all of their money with them.
            “Research has shown that newer generations are not as able to budget” – I suspect this is true for some places. However it’s a skill like any other, you either practise it and get better at it, or don’t and never improve. I know some education systems used to include such things as balancing a cheque book, and household budgeting, but mine certainly didn’t. Many are smart enough to extrapolate the skill from their general maths tuition, but many people are really dumb, and don’t learn anything they’re not actively taught.

        2. Ditto. I grew up with cash. I’ve handled 1000s in cash for large purchases, having to get it out over several days because of withdrawal limits. I’ve collected cash at an event and spent ages counting it and paying it into the bank. It sucks. It sucked even more for people who lost it or had it stolen.

          Cards solve a lot of this. Yes, they have their own types of fraud, but the risks are lower than with cash, and – having had a card skimmed – banks are good and give you your money back.

          Contactless for small purchases makes it quicker and easier (and makes it viable for smaller purchases), and reduces the skimming risk.

          Contactless authenticated on your phone (=trusted device) uses 2FA (thing you have – phone – and thing you know/are – code or fingerprint), reducing the fraud risk further.
          It’s also very handy because you don’t need to decide if you’re bringing your wallet with you when you go out.

          Yes, it has flaws, but it’s a lot better than cash.

          As for budgeting, people struggle with that mainly because they fail to understand credit, and credit is offered too easily. That’s not directly related to moving away from cash. Though yes, for some people, working in cash helps them learn to budget.

      3. Gen Xer, here. I’ve done the cash thing and the credit card thing and the debit card thing and the phone thing. Without a doubt, the phone thing is the most secure, most convenient and best way to make payments while staying on top of your finances.

      4. Agreed and to further that complaint — the dialog about failing electrical infrastructure is often dismissed — right up until your entire savings is hidden behind a powerless screen. We are setting ourselves up for an inevitable failure by being lured by technology. Keep it simple, idiots! (stupid is no longer harsh enough)

    2. Not everybody uses cell phones, or has any need or desire. I never have, just haven’t seen any actual need for it. I have landlines, and an answering machine. Nothing in my life requires me being on a leash. I don’t have an interest in social media, online games, or pornography videos. I don’t see any need to get a cell phone, simply to pay for goods and services, which would be an added expense. Your phone can be lost, stolen, or damaged. The battery is a consideration; if you run it out in a restaurant, as some people do, how do you pay for your meal? Cell phones can be cloned and spoofed. Not necessarily any more secure, and doubtless there are already exploits.

    3. Phone-based payment systems are convenient to some. Obviously you don’t want malware on your phone when using it. You don’t want to be away from a charge for more than a day or two, so perhaps a bit tough if you’re traveling. And perhaps the biggest inconvenience, you have no liability protection with a phone payment system. At least with a credit card you’re only liable for the first $50 of fraudulent charges.

      1. Here (in parts of Europe) it is common to first fill your car with fuel and then go to the cashier to pay. It is “inconvenient” to fill your car and then realise that the POS network is down and you don’t have cash in your pocket. Happened to me once… :)

  2. I guess the chips have gotten cheap enough, or more credit cards are abolishing the magnetic strip, making the crime more affordable.

    remember to always check your bills for suspicious charges

  3. Filled up at a pump that was mysteriously missing its lock – pulled the access panel open to find that someone had stolen the NFC reader out of it. No evidence of a skimmer/shim etc.

    By itself, this isn’t remarkable, but the single person left running the whole operation wasn’t paid enough to care. Her response was “I’ll tell the manager…let them worry about the police. I ain’t got time”.

    Perhaps the lapses are a bit more insidious than a couple of chips and a bit of wire.

      1. The problem is not only to pay people “enough to care”, it is actually allowing for people to be responsible.

        One of the biggest problems right now is that nobody is responsible, not because they wouldn’t care, but because we are treating people like robots that must follow some procedure, and this is a problem of scale.

        If you call some hotline for a problem, you get either an actual robot, or a person behaving like a robot, that must follow a plan and which in 99% of the cases have no knowledge nor control of what is going on, they are just replaying a script, hence the “person behaving like a robot”.

        They have no liberty to move out of such procedures, even if they wanted to.

        In the example of the gas station, the person probably has a directive that says that it should not touch that, and/or under which circumstances it should call the manager.

        Sure that helps on 80% of the cases, and for the rest you are out of luck.

  4. Contactless cards would be a lot better if the banks added a clicky dome tactile switch in the coil.
    You hold the card and pinch the switch when you tap it. Simple, convenient. If it’s in your pocket and someone walks past with a reader they’re not going to steal your money.
    I remember a story a while back of some people in France who added a chip to the card that basically jumped in before the original chip and authenticated the transaction no matter what pin was entered.

      1. – Seems kind of like avoiding eating sugar and ‘well, that hamburger bun had some sugar, might as well grab a dozen donuts now’… Massively less tracking grabbing cash from an ATM and spending it. Sure you get tagged at an ATM, but that doesn’t feed the marketing engines much… Shared a ride with a guy from a marketing comp – they had several petabytes of transaction data (not videos or photos, we’re talking plain text tallying up that much…). Buy enough anonymous data, and you can map it all together. You googled ‘monopoly’ – looked at Target store search result. GPS puts you at Target 30 mins later – one monopoly item in ‘anonymous’ Target transaction data at that store +/- 10 minutes of GPS departure – your Google account is linked to your Target transactions, likely permanently and retroactively, with your card’s unique ‘anonymous’ transaction identifier. Quite possible the unique card identifier crosses vendors – just one example. Can’t say I have anything to hide, but I’m also not big on ‘them’ keeping track of where I live, who I live with, what I buy, where I go, who I call, etc., to make a few bucks to sell me as a target market to someone. The less of this baloney the better.

        1. And if your friend, let’s call him “Fred”, has tried to stay off of the Google radar, and you have him in your smart phone’s Contacts. Well, by accessing _your_ “Contacts”, Google probably now has Fred’s name, address, phone number, birthdate, spouse, and maybe their children’s names, birthdates, etc.
          And knows how many times you’ve called him and from where, and when you visit him because of your Location that you gave Google permission to have.

          I’m sick of it all, and realize that Google already has a lot on me (including HaD comments), but I have not allowed my current phone to give them Location, Contacts, Calendar, or even activated Chrome.
          I have also stopped posting/following Facebook, or LinkedIn (never had accounts with Imgur, Snapchat, or others.)

          1. Yep, it’s bananas the level of information available to connect the dots with, even if you only have ‘anonymous data’, let alone what Google has access to across accounts as you said. Wouldn’t be surprised if in the ‘Target’ example, card # UID is even the same in ‘anonymized’ card transaction data card companies/Visa/etc. sell. So they peg you at a store once on a transaction, and it might not only be your purchase history linked up at that store chain, but all your transaction history most anywhere. Pretty sure I’ve seen where Hulu and/or other streaming services insert high freq chirps that devices in range can pick up on to create further linking between devices/locations/etc.

    1. Yes indeed, security cameras and facial recognition are fake news, so using cash is perfectly safe for your identity. They will never be able to see what you buy and they will never be able to determine your identity.

      1. Security cameras and facial recognition are not fake news, but I highly doubt that the security cameras in my supermarket, hardware store, and pharmacy are tied into a bigger network for supervision or facial recognition. On the other hand I am pretty sure that my banks process the texts of all my transactions to build a profile about me that they can sell to other companies.

        I really like cash. I once went on vacation to the US. Since I was with family, I had to pay only three times using my credit card. And guess what, in one of those three shops my magnetic stripe was copied and a few weeks later my bank froze my credit card because someone else had a nice evening in New York buying clothes and fast food on my account.

        1. A lot of businesses outsource their security cameras now. Look up Envysion. They are in basically every fast food restaurant and probably a number of other stores as well. You’ll sometimes see their company logo at entrances. They network the cameras back into their cloud systems. I don’t know if they are doing facial recognition on them, but I wouldn’t be surprised.

    2. Wanna bet?

      If you’re spending cash with a cell phone in your pocket then your spending habits can always be monitored. Chances are you have location services turned on in at least one application, and data miners are paying real close attention to what type of commercial locations you visit. Odds are they already have a data sharing agreement with the multi-national retailer you visited.

      If you’re more worried about the Feds than Google, well bad news there as well. Elliot Ness and Co. already have access to your phone’s metadata, and your bank records. Sure, it’s theoretically more time consuming for them, but all they have to do is pull a request for cash purchases during the time and date your phone is associated with a given location. They probably wouldn’t even need a warrant to get them, assuming they don’t already have some sort of agreement with major retailers anyway. Cash isn’t as secure as you think.

      1. Cell phone in my pocket is turned off, and in airplane mode (in case I want to turn it on to read my offline maps, or take a picture).
        I have it to make calls in an emergency, not to get telemarketers’ spam calls.

  5. See, if I designed one of these I’d have used the same smartcard contacts for exfil as for shimming. Then make a fake card containing the brains of a real one, but talking to the installed shim before enabling the pass-through for the real card to talk to the real reader. Retrieving the data would look like any other normal transaction with the business, no tell-tale radio signal or skulking around with a laptop required.

  6. I must be missing the point here…isn’t the whole point of a chipped card that the card has to sign the transaction request with its private key, and the key never leaves the card?

    1. Chip and signature cards are like a locked door next to a plate glass window. It keeps people from using that specific path, but it doesn’t significantly reduce break-ins. The card numbers still work when the card isn’t present, so a thief only has to get a copy of the card number and expiration date.

      Chip and signature wasn’t really instituted to reduce fraud, it exists to shift liability. Since the transition in the US, credit card fraud has gone up 20%
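The question two comments up (does the chip sign each transaction with a key that never leaves the card?) and the reply that the card number still works card-not-present are both illustrated by this added example, which is not code from the Hackaday post, SparkFun’s teardown or the commenters. It is a simplified issuer-side model: it assumes an HMAC-SHA256 cryptogram over an assumed field layout (real EMV derives session keys differently and uses TLV-encoded data) and uses constructed card values, and it shows what a device sitting between card and terminal can read versus what it cannot replay or forge.

```python
"""Simplified chip-card transaction model (added example, not EMV itself).

Assumptions: session key = HMAC(master key, ATC); cryptogram = HMAC over a
'pan|atc|amount|un' string. Field layout and MAC length are assumed.
"""
import hmac
import hashlib
import os

MAC_LEN = 8  # truncated MAC length, assumed for this model


def derive_session_key(master_key: bytes, atc: int) -> bytes:
    # One session key per Application Transaction Counter value.
    return hmac.new(master_key, atc.to_bytes(2, "big"), hashlib.sha256).digest()


def transaction_data(pan: str, atc: int, amount: int, un: bytes) -> bytes:
    # Fields the cryptogram binds together (assumed layout, not EMV TLV).
    return f"{pan}|{atc}|{amount}|{un.hex()}".encode()


class Card:
    """Chip side: the master key is held here and never returned."""

    def __init__(self, pan: str, expiry: str, master_key: bytes):
        self.pan, self.expiry = pan, expiry  # sent in the clear to the terminal
        self._key = master_key               # never leaves the chip
        self.atc = 0                         # Application Transaction Counter

    def respond(self, amount: int, un: bytes) -> dict:
        """Answer a terminal request with static data plus a fresh cryptogram."""
        self.atc += 1
        mac = hmac.new(derive_session_key(self._key, self.atc),
                       transaction_data(self.pan, self.atc, amount, un),
                       hashlib.sha256).digest()[:MAC_LEN]
        return {"pan": self.pan, "expiry": self.expiry, "atc": self.atc,
                "amount": amount, "arqc": mac}


class Issuer:
    """Bank side: holds a copy of the card key and the last accepted ATC."""

    def __init__(self, master_key: bytes):
        self._key = master_key
        self.last_atc = 0

    def authorize(self, resp: dict, terminal_un: bytes) -> str:
        # A counter that does not advance means the response was seen before.
        if resp["atc"] <= self.last_atc:
            return "declined: ATC already used (replay)"
        expected = hmac.new(derive_session_key(self._key, resp["atc"]),
                            transaction_data(resp["pan"], resp["atc"],
                                             resp["amount"], terminal_un),
                            hashlib.sha256).digest()[:MAC_LEN]
        if not hmac.compare_digest(expected, resp["arqc"]):
            return "declined: cryptogram does not verify"
        self.last_atc = resp["atc"]
        return "approved"


def run_scenarios() -> dict:
    key = os.urandom(16)                                   # constructed card key
    card = Card("4000001234567899", "12/29", key)          # constructed card data
    issuer = Issuer(key)

    # 1. Genuine transaction: the terminal supplies an unpredictable number (UN).
    un1 = os.urandom(4)
    resp1 = card.respond(amount=2599, un=un1)
    genuine = issuer.authorize(resp1, un1)

    # Anything in the slot sees the whole response, i.e. the static fields,
    # but never the key that produced resp1["arqc"].
    visible_static = {"pan": resp1["pan"], "expiry": resp1["expiry"]}

    # 2. The same captured response presented again in a later transaction.
    un2 = os.urandom(4)
    replay = issuer.authorize(resp1, un2)

    # 3. A response for the next ATC with a cryptogram made without the key.
    forged = dict(resp1, atc=card.atc + 1, arqc=os.urandom(MAC_LEN))
    forge = issuer.authorize(forged, un2)

    return {"genuine": genuine, "visible_static": visible_static,
            "replay": replay, "forge": forge}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The static fields are exactly the card-not-present data the reply above refers to; the cryptogram is what the chip protects, and the issuer’s ATC and MAC checks are why it cannot be reused.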

  7. Do they even teach long division in school anymore?
    I love technology, but I also subscribe to the KISS method of living. By keeping it simple, there is less to foul up.
    I know what my paycheck is, I know how much I have left after rent, bills, groceries etc. and while a debit card or credit card is convenient, I always have some cash on me. It’s the one thing that I can use that doesn’t rely on electronics, should I need to purchase something. As far as phone apps, and other stuff, don’t need it.
    It just seems to me, (and I’m no luddite) that the more you rely on technology, when that technology fails, you’re going to be left in a bind. If a credit terminal is available, I’ll use it, but if one is not, then cash is king.

    1. They don’t teach people how to replace typewriter ribbons either, indeed it’s just sad.

      So the cash register drawer still opens and closes when the power goes off? That’s a neat trick.

      1. Just to be clear, you’ve stated in multiple comments that it’s not necessary to understand how to do math on paper, comparing it to replacing typewriter ribbons and starting a fire with flint and steel. In my world, division on paper or in your head is not some useless skill. I mean, if you don’t want to develop some basic intuition of math, nobody can force you.

        I dunno. I guess trolls are gonna troll. Troll on, you crazy diamond.

      1. Why go to the ATM? I prefer banks that actually have tellers. (Helps ensure that they will keep employing tellers, so when I have problems there will be somebody there to help resolve them.)

        Why go a lot? Part of emergency preparedness is having enough cash on hand that one can function for a reasonable period when normal services are not available. (Power outage, earthquake, tsunami, hurricane, blizzard, take your pick, …)

        So one should have enough cash to cover basic necessities and emergency needs for a week at the least. Some recommend having cash for living necessities for a month. Exact amount depends on number of people, how much you have stored, etc. But a few hundred dollars seems typical.

        Want a reasonable amount in small bills (since making change may become challenging when things are disrupted.)

    2. Yes, they teach long division. They now also teach coding at primary school, and 3D modelling.

      But I’m not clear how knowing long division protects you from a card skimmer? Checking your statements does, and keeping an eye out for how dodgy the reader looks.

      Of course, if you use mobile banking, you can get an alert whenever money goes out.

      1. Good to know Dan, I’m a grey haired old school person. Balance my account once a month, keep track of what I’ve earned and spent. Simple math. It’s just my opinion, but it’s always good to have SOME cash on you.
        Even as a kid, I always had a few dimes in my pocket for a payphone (my God I’m showing my age) in case of an emergency. I guess in a bent sort of humorous way, smartphones have replaced dimes, but you can still use a dime after your smartphone battery has died.

        1. OTOH you can still use your smartphone when someone has stolen or hit their car into the payphone. (Or, since I live in redneckville, shot it.) And since most of my time spent outside is on a bicycle, it’s often many kilometers to the nearest place where a pay phone might even exist, while my cellphone is right in my pocket. (Although, about 30% of my bike riding is in places where there were neither pay phones nor cell service.)

        2. But then, in a twist of ironicalness, land lines don’t work when the power is out, but there is a strong chance your cell phone will!

          Perhaps we shouldn’t be so eager to create maxims that support our worldview.

          1. False. Land lines DO work. They only don’t work if you’ve been suckered into FiOS or U-Verse and let them cut your copper lines and replace them with VoIP. They do that because the copper is *heavily* regulated, but the fiber is not. Scumbags.

          2. Used to be land lines would work for 2-4 days, that’s how long the huge accumulator batteries at the exchanges would last. It kinda depends how/why the power was taken out though, if the lines are running above ground and a windstorm takes the power, maybe the phone lines have gone too, or it’s real patchy outages. If they’re below ground and it’s flooding, maybe they’re out, ground level wiring boxes could be affected etc.

            On VoIP, whether they’re out or not may depend partially on your own preparations, had outages where my cable line has stayed active, just that local power outage gave limited ability to run modem/router. That might be due to outage being localised or actual backup gennies at the cable co head end. Either way, have them on a big UPS or your own solar rig or something, guess is the cable co is probably only good a few days with fuel on hand.

  8. Thought about making one of these from a SIM card bypass board to prove how insecure they were. Installing such a thing would be alarmingly discreet. Only need a special install card and a peel-off backing. “Secure chip reader”: nothing can be completely secure.

  9. I must be missing something here, because to make a card payment (since the early 2000’s) we have the technology of “PayWave” and no need to insert a credit or ATM card into an EFTPOS machine.
    Even if the amount was over the PIN entry threshold (ISTR is $150) only requires a card tap and then punching in your PIN.
    In fact, most of the EFTPOS machines made in the last decade or so probably don’t even have a card slot.
    Unless this skimmer was designed to be hidden in the card slot of an ATM, it wouldn’t collect any data at all.
    Mind you, I’m not located in the USA and find it mildly amusing that the supposedly “most advanced country on Earth” has such primitive banking technology.

  10. I am all for tech making things more efficient and secure, but you should still have the knowledge to perform the task without it. Example: went through the drive-thru of a local fast food establishment, got my total, decided to give some change at the window so I would not get a hand full of misc. change back. Girl in the window has a bewildered look on her face and says to me “I’m sorry, I already pushed the button.” Simple math I figured out in my head between drive-thru windows she could not do without the computer to tell her the answer. Technology’s great but not a replacement for simple life skills. Pushing a button to get the answer is only truly helpful if you can still get the answer without the button. Otherwise when the tech fails you can’t function and life stops. Also liked this one too…. “I’m sorry, we can’t use the grill because the computers are down”… lol
