Newest Attack on your Credit Card: Pin Pad Shims

Cheap, readily available microchip fabrication gives thieves new tech

Shimming is the newest con designed to skim your credit card number, PIN and other info when you swipe your card through a reader like a Pin Pad machine. The shim is the latest attack being used by criminals to steal your credit card info at the Pin Pad or other Pin Entry Device. According to Diebold, "The criminal act of card skimming results in the loss of billions of dollars annually for financial institutions and card holders."

Shimming works by compromising a perfectly legitimate card reader (like a Pin Pad) by inserting a very thin flexible circuit board through the card slot that will stick to the internal contacts that read card data. The shim is inserted using a "carrier card" that holds the shim, inserts it into the card slot and locks it into place on the internal reader contacts. The carrier card is then removed. Once inserted, the shim is not visible from the outside of the machine. The shim then performs a man-in-the-middle attack between an inserted credit card and the circuit board of the Pin Pad machine. See the image below for an example of what a shim looks like inside the Pin Pad.

Before it was practical or possible to create shims, thieves used various skimmer designs that attached to the outside of the card slot, like the one shown below. (Image courtesy of Naples Police Department.)

It is important to keep in mind that this attack is not trivial from an engineering standpoint. The shim needs to be extremely thin and flexible. In fact, it must be less than 0.1mm in most cases to fit in the space allocated in the card reader and not obstruct credit cards from being inserted seamlessly. The EMV 4.2 standard that regulates the dimensions of the card slot calls for the following specifications, according to section 5.2.1.1 on Module Height:

* The highest point on the IC module surface shall not be greater than 0.10mm above the plane of the card surface.
* The lowest point on the IC module surface shall not be greater than 0.10mm below the plane of the card surface.

To put in perspective how thin less than 0.1mm is, think about this. Your credit card is 0.76mm thick. A grain of salt is 0.5mm thick. The human hair is about 0.18mm thick. The smallest objects that the unaided human eye can see are about 0.1 mm long. Now that's thin! Add to this that the shim must be semi-flexible and this attack becomes quite a technological achievement.

Recent advances in microchip fabrication, coupled with the commoditization of same, mean that shims this size can be cheaply and reliably manufactured by the bad guys. The actual designing of the shim and its components, especially the transmitter function, is still non-trivial. But it was inevitable that the thieves would figure this out, as they have. It has been found that effective flexible shims have recently been mass produced and are widely used in certain parts of Europe.

One of the main reasons this attack can succeed is that in almost all countries today (like the U.S.A.) the data sent from the chip on a credit card to the contacts on the Pin Pad circuit board is sent in the clear. So if you can get in the middle of that data flow, like a shim attack does, you can capture card data, PIN information, CVV info, etc. However, most Pin Entry devices have supported offline-encrypted PIN (encrypting the data between chip and board) for years. So it is possible that if this feature was enabled on both the credit card and the machine it could defeat this attack. The credit card chip encrypts the data using its public key before it sends it to the card reader.

Skimming is not something new; it's been around since ATM machines. However, it is continuing to become more sophisticated and readily available. It is a constant battle between the Pin entry device manufacturers and the criminals. The shim attack is just the latest in a long history of attacks. For a look at some other attacks from the past and present see my other article on this topic here.
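
Whether offline-encrypted PIN is "enabled on both the credit card and the machine" is expressed in two EMV data objects: the card's CVM List (tag 8E) and the terminal's Terminal Capabilities (tag 9F33). The following Python audit is an added example, not part of the original article; it flags configurations where a plaintext offline PIN is still permitted on both sides, and the sample hex values are constructed for illustration.

```python
# Added example. Method codes: EMV Book 3 Annex C3; capability bits: EMV Book 4 Annex A2.
CVM_METHODS = {
    0x00: "Fail CVM processing",
    0x01: "Plaintext PIN verified by ICC",
    0x02: "Enciphered PIN verified online",
    0x03: "Plaintext PIN verified by ICC + signature",
    0x04: "Enciphered PIN verified by ICC",
    0x05: "Enciphered PIN verified by ICC + signature",
    0x1E: "Signature (paper)",
    0x1F: "No CVM required",
}
PLAINTEXT_OFFLINE = {0x01, 0x03}    # PIN crosses the chip contacts in the clear
ENCIPHERED_OFFLINE = {0x04, 0x05}   # PIN is enciphered before it crosses the contacts

def parse_cvm_list(hex_value):
    """Decode tag 8E: two 4-byte amounts, then 2-byte CV rules in priority order."""
    raw = bytes.fromhex(hex_value)
    if len(raw) < 10 or (len(raw) - 8) % 2:
        raise ValueError("CVM List needs 8 amount bytes plus whole 2-byte rules")
    rules = []
    for i in range(8, len(raw), 2):
        method = raw[i] & 0x3F                       # low six bits select the method
        rules.append({
            "method": method,
            "name": CVM_METHODS.get(method, "RFU or scheme-specific"),
            "next_on_failure": bool(raw[i] & 0x40),  # b7: try next rule if this fails
            "condition": raw[i + 1],
        })
    return rules

def audit(cvm_list_hex, terminal_caps_hex):
    """Report whether card (8E) and terminal (9F33) both still allow plaintext PIN."""
    methods = [r["method"] for r in parse_cvm_list(cvm_list_hex)]
    caps = bytes.fromhex(terminal_caps_hex)
    if len(caps) != 3:
        raise ValueError("Terminal Capabilities (9F33) is 3 bytes")
    card_plain = any(m in PLAINTEXT_OFFLINE for m in methods)
    term_plain = bool(caps[1] & 0x80)   # byte 2 b8: plaintext PIN for ICC verification
    return {
        "card_allows_plaintext_offline_pin": card_plain,
        "card_offers_enciphered_offline_pin": any(m in ENCIPHERED_OFFLINE for m in methods),
        "terminal_supports_plaintext_offline_pin": term_plain,
        "terminal_supports_enciphered_offline_pin": bool(caps[1] & 0x10),  # byte 2 b5
        "plaintext_pin_possible": card_plain and term_plain,
    }

# Constructed sample values (not from a real card or terminal).
WEAK = audit("0000000000000000440341031E031F03", "E0F0C8")
HARDENED = audit("0000000000000000440302031E03", "E070C8")
```

`plaintext_pin_possible` only says that both sides permit a plaintext offline PIN; which rule is actually selected in a given transaction also depends on rule order and the condition byte of each rule.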

Diebold released five new anti-skimming protection levels for its ATM devices on June 1st, 2010. You can read about it here: http://www.news.diebold.com/article_display.cfm?article_id=5065

Unfortunately, none of these helps with the shim skimming attack on Pin Pads. That problem has yet to be solved mechanically.

For information on how to protect yourself from skimming attacks see here: http://masteryourcard.com/blog/2009/08/24/how-to-protect-yourself-from-credit-card-skimming/

Great article from Cambridge University researchers on security flaws in Pin Entry Devices: http://www.scribd.com/doc/6444475/UCAMCLTR711

The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer.
