ATM skimmers have become an unfortunate part of life for many credit unions, but another threat is now hitting CUs as well: illicit EMV card readers called “shimmers.”

A shimmer, when inserted into the mouth of an ATM card-acceptance slot, sits between a card's EMV chip and the ATM's chip reader, allowing criminals to read the chip and steal card information. They are a generation ahead of skimmers, which steal information from magstripes rather than EMV chips.

Though shimmers are relatively young members of the crime world — reports of them began circulating widely in late 2015 — credit unions haven't been able to avoid their wrath, according to Ashley McAlpine, who is a fraud prevention manager at CO-OP Financial Services. McAlpine said she's aware of around 10 to 20 credit unions that have been hit with shimmers, and the incidents often result in, among other things, card reissuances — something many credit unions were hoping to get away from with the advent of EMV chips.

“Primarily where we've seen it is in the California, Texas, Florida regions, where you've seen a lot more fraud rings taking place,” she noted. “A lot of times those rings seem to have a lot more money to be implementing these type of devices.”

That doesn't mean credit unions in other states are safe, though. Appleton, Wisconsin-based Fox Communities Credit Union was a victim just a few weeks ago, according to Detective Lt. Rick Belanger of the Green Bay Police Department. The suspicion began after members started having problems getting their cards out of one of the credit union's ATMs, he said.

“And when they were able to get it back out, it had kind of a gummy substance on it,” he added. A look inside the machine revealed the hidden shimmer device.

Fox Communities has $1.4 billion in assets and about 89,000 members.

In a way, that credit union may have gotten lucky. Many times the criminals come back to an ATM and remove the shimmer so they can collect the information hidden on it, Belanger said.

“That kind of seems to be the thing that they do, is they insert it on a Friday, spend the weekend getting the data, they take it by early Sunday morning, and off to the races they are with the data. And they compromise numerous people's accounts and get all kinds of free money,” he noted.

The fact that the shimmer is physically inside the ATM is also a problem, McAlpine added.

“Usually it's really hard for a credit union or any financial institution of that matter to detect it — primarily because it goes in so deep,” she said.

Even spotting a criminal installing a shimmer can be hard, Belanger added. The one at the Fox Communities ATM appears to have been put in as employees were arriving for work.

“You know, they're pretty brave,” he said, “but it really just appears he was using the ATM. Nobody thought anything of it.”

Belanger and McAlpine said there are things credit unions can do to hinder shimmers:

1. Look for cameras. Criminals want card data, but they want the PINs, too. That usually requires putting a tiny camera somewhere near or above the ATM keypad, McAlpine said.

2. Scrutinize the size of the card slot. The smaller the slot, the harder it is to insert a shimmer, Belanger noted. Fraud rings often know which ATM makes and models have card slots big enough to fit a shimmer; credit unions should do the same research.

3. Tell members to cover their hands. That can prevent cameras from recording PINs. “That could go a long way,” McAlpine said.
