Now, looking for parts stuck onto the front of a cash machine, which might indicate fraudulent activity, is not enough. A shimmer does the work of a skimmer, but is housed completely inside the card slot of an ATM. In other words, it is entirely invisible to users.
Kim Thomas describes the shim-skimmer: “The thief makes a circuit board the size of a credit card, but approximately .1 mm thick. They use a carrier card to insert the device. Basically it is a reader-transmitter. The reader does what the usual credit card skimmer does: capture full track data. The transmitter does what Bluetooth does: transmit the track data to a receiver. The technology is pretty sophisticated and will be hard to catch once it goes into mass production.”
According to Jamey Heary, Cisco Security Expert, “effective flexible shims are recently being mass produced and widely used in certain parts of Europe.” He diagrams the physical layout of this “man-in-the-middle” attack as installed inside a card-reader.
I haven’t found anyone who has actually seen one of these shimmers, but no one’s calling it just a proof-of-concept, either. It isn’t clear to me whether or not the shimmer works with U.S. credit cards that lack the chip-and-PIN. Anyone know more about this?