ATM manufacturer Diebold has spoken out to CUTimes after fraud experts reportedly discovered a skimming device on one of itsATMs that may be able to hack EMV cards.
The device, called a “shimmer,” is apparently inserted into themouth of the ATM's card acceptance slot and sits between the card's chip and the ATM's chip reader. Fraud experts inMexico discovered one on a Diebold Opteva 520 with a chip reader,according to the report, which was published last week onKrebsonSecurity.com.
|The chips on many EMV cards contain a security component calledan integrated circuit card verification value that protects againstcopying magnetic stripe data from the chip. However, thieves mayhave devised a workaround.
|“Banks can run a simple check to see if any card inserted intoan ATM is a counterfeit magnetic stripe card that is encodedwith data stolen from a chip card,” KrebsonSecurity.com reported.“But there may be some instances in which banks are doing thischecking incorrectly or not at all during some periods, and expertssay the thieves have figured out which ATMs will accept magneticstripe cards that are cloned from chip cards.”
|That kind of fraud is called cross contamination, according toDiebold Senior Director of Software and Core Security Nick Billett(pictured), who told CU Times through a spokesperson thathis company is aware of the attack and is investigating.
|“We have a fundamental understanding of the shimmer technologyand have already received response from PCI regarding themitigation technology available to help prevent cross-channelredemption fraud,” Billett said.
|The EMV-based track data stored on the EMV chip does not includethe card validation code stored on the magnetic stripe, Billettnoted.
|Shimmers could be a sign that cards will still be vulnerable ina post-EMV world because most card issuers are deploying cards with both EMV chips and magnetic stripes so customers canuse both types of readers.
|The challenge now is waiting for magnetic stripe readers todisappear.
|“Until then, magnetic stripe-based skimming and redemption fraudwill continue to some extent,” he said.
|Billett said ATM operators should inspect card readers regularlyto ensure nothing foreign is inside them, and acquirers shouldensure that ATM transaction hosts are checking CVCs.
|Complete your profile to continue reading and get FREE access to CUTimes.com, part of your ALM digital membership.
Your access to unlimited CUTimes.com content isn’t changing.
Once you are an ALM digital member, you’ll receive:
- Critical CUTimes.com information including comprehensive product and service provider listings via the Marketplace Directory, CU Careers, resources from industry leaders, webcasts, and breaking news, analysis and more with our informative Newsletters.
- Exclusive discounts on ALM and CU Times events.
- Access to other award-winning ALM websites including Law.com and GlobeSt.com.
Already have an account? Sign In
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
