Are EMV cards vulnerable at the ATM?

By: Owen Wild

October 06, 2015 12:29 PM

EMV cards are much more secure than traditional mag stripe cards when it comes to counterfeiting. There are recent reports coming out of Mexico around the use of a device they call a ‘shimmer’ that sits between the chip on the card and the chip reader within the ATM to record the card data. The device can be placed in the ATM from the outside, meaning the fraudster does not require access to the inside of the ATM machine.

This form of attack, known as “Card Shimming”, is NOT a vulnerability with a chip card, or with the Chip cards are inherently far more secure than magnetic stripe cards. Any data that can be captured from a chip card CANNOT be reused to create a clone magnetic stripe card because chip data and mag stripe data have different CVVs (check values). Issuers can very easily spot any counterfeit cards by simply checking the CVV at time of authorization. The only way for this attack to be successful is if an issuer neglects to check the CVV when authorizing a transaction.

One of the additional security components is the integrated circuit card verification value (iCVV), which differs from the main card verification value (CVV) held on the magnetic stripe. This protects against the copying of magnetic stripe data from the chip to create counterfeit magnetic stripe cards.

But this latest scam (card shimming) suggests thieves may be targeting issuers where they believe the CVV will not be checked. Banks can easily check to see if the card being used at an ATM is a cloned mag stripe card created with stolen data from a chip card. But it seems that some banks may not be doing this check each and every time, and criminals are targeting ATMs that will accept counterfeit cards created from EMV cards. Almost all issuers make these basic checks, which makes the attack infeasible and is why ATM shimmers are virtually unheard of, even though EMV is in widespread use globally.

Shimming at an ATM is an infeasible attack provided chip card issuers implement the correct chip card validation steps during transaction authorization. EMV cards certainly offer added security in the physical realm, but alignment to the EMV process through the entire transaction process remains essential to reduce fraud.
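The issuer-side check described above, sketched as an added example (not NCR's or any issuer's code): the presented check value is validated against the value expected for the way the card was read, so a chip value replayed on a magnetic stripe read is declined. The HMAC derivation, key, card number and function names are constructed stand-ins for the issuer's real CVV/iCVV computation.

```python
import hashlib
import hmac

# Constructed demo key; a real issuer keeps its verification keys in an HSM.
ISSUER_KEY = b"constructed-demo-key"


def check_value(pan, expiry, kind):
    """Stand-in derivation: 3 digits keyed on card data and 'stripe' or 'chip'."""
    msg = f"{pan}|{expiry}|{kind}".encode()
    digest = hmac.new(ISSUER_KEY, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1000:03d}"


def authorize(pan, expiry, entry_mode, presented):
    """Return (approved, reason) for a card read via 'stripe' or 'chip'."""
    if entry_mode not in ("stripe", "chip"):
        return False, "unknown entry mode"
    # The value must match the one bound to this entry mode, not just any
    # value that belongs to the card.
    expected = check_value(pan, expiry, entry_mode)
    if hmac.compare_digest(presented, expected):
        return True, "check value matches entry mode"
    # Distinguish the shimming signature from an ordinary mismatch so it can
    # be logged and alerted on separately.
    other = "chip" if entry_mode == "stripe" else "stripe"
    if hmac.compare_digest(presented, check_value(pan, expiry, other)):
        return False, f"{other} check value presented on {entry_mode} read"
    return False, "check value mismatch"


if __name__ == "__main__":
    pan, expiry = "4000000000000002", "2712"  # constructed test card data
    cvv = check_value(pan, expiry, "stripe")
    icvv = check_value(pan, expiry, "chip")
    print(authorize(pan, expiry, "stripe", cvv))   # genuine stripe read
    print(authorize(pan, expiry, "chip", icvv))    # genuine chip read
    print(authorize(pan, expiry, "stripe", icvv))  # chip data on a stripe clone
```

An issuer that skips this comparison, or accepts either value regardless of entry mode, is the case the article describes as the only one in which shimmed data is usable.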

Owen Wild

Security Marketing Director


Owen Wild is responsible for marketing strategies for the NCR Security Solutions within NCR’s Financial Solution Portfolio. Over the past 15 years, Owen has held several sales and marketing positions with leading travel and tech cos.