Shimmers Appearing at CU ATMs, Sources Say
ATM skimmers have become an unfortunate part of life for many credit unions, but another threat is now hitting CUs as well: illicit EMV card readers called “shimmers.”
A shimmer, when inserted into the mouth of an ATM card-acceptance slot, sits between a card’s EMV chip and the ATM’s chip reader, allowing criminals to read the chip and steal card information. They are a generation ahead of skimmers, which steal information from mag stripes rather than EMV chips.
Though shimmers are relatively young members of the crime world — reports of them began circulating widely in late 2015 — credit unions haven’t been able to avoid their wrath, according to Ashley McAlpine, who is a fraud prevention manager at CO-OP Financial Services. McAlpine said she’s aware of around 10 to 20 credit unions that have been hit with shimmers, and the incidents often result in, among other things, card reissuances — something many credit unions were hoping to get away from with the advent of EMV chips.
“Primarily where we've seen it is in the California, Texas, Florida regions, where you've seen a lot more fraud rings taking place,” she noted. “A lot of times those rings seem to have a lot more money to be implementing these type of devices.”
That doesn’t mean credit unions in other states are safe, though. Appleton, Wisconsin-based Fox Communities Credit Union was a victim just a few weeks ago, according to Detective Lt. Rick Belanger of the Green Bay Police Department. The suspicion began after members started having problems getting their cards out of one of the credit union’s ATMs, he said.
“And when they were able to get it back out, it had kind of a gummy substance on it,” he added. A look inside the machine revealed the hidden shimmer device.
Fox Communities has $1.4 billion in assets and about 89,000 members.
In a way, that credit union may have gotten lucky. Many times the criminals come back to an ATM and remove the shimmer so they can collect the information hidden on it, Belanger said.
“That kind of seems to be the thing that they do, is they insert it on a Friday, spend the weekend getting the data, they take it by early Sunday morning, and off to the races they are with the data. And they compromise numerous people's accounts and get all kinds of free money,” he noted.
The fact that the shimmer is physically inside the ATM is also a problem, McAlpine added.
“Usually it’s really hard for a credit union or any financial institution of that matter to detect it — primarily because it goes in so deep,” she said.
Even spotting a criminal installing a shimmer can be hard, Belanger added. The one at the Fox Communities ATM appears to have been put in as employees were arriving for work.
“You know, they're pretty brave,” he said, “but it really just appears he was using the ATM. Nobody thought anything of it.”
Belanger and McAlpine said there are things credit unions can do to hinder shimmers:
1. Look for cameras. Criminals want card data, but they want the PINs, too. That usually requires putting a tiny camera somewhere near or above the ATM keypad, McAlpine said.
2. Scrutinize the size of the card slot. The smaller the slot, the harder it is to insert a shimmer, Belanger noted. Fraud rings often know which ATM makes and models have card slots big enough to fit a shimmer; credit unions should do the same research.
3. Tell members to cover their hands. That can prevent cameras from recording PINs. “That could go a long way,” McAlpine said.