Crooks Learn How to Clone Latest Chipcards

Why that chipcard may not be as safe as you think: Internet Scambusters #855

Although they’re still a lot safer than the old types, new chipcards that replace cards with a magnetic strip, they’re not as invulnerable as you might have thought.

That’s because scammers have learned how to steal information from them as we explain in this week’s issue.

But don’t worry. We’ll also tell you the steps you can take to try to avoid falling victim.

Let’s get started…


Crooks Learn How to Clone Latest Chipcards


One of the great things we were told about the replacement of magnetic strips with smart chips (chipcards) on our debit and credit cards was that it would significantly improve security.

But has it?

The flaw with those old black magnetic strips was that they could be cloned (copied) by scammers and other crooks fairly easily.

The new cards that replace them are also known as chip-and-pins or EMVs (for the founding Eurocard, Mastercard and Visa providers).

Now, three or four years after their introduction in the U.S. (they’ve been available in Europe for many years), it turns out that crooks have learned how to steal information embedded in the new chipcards.

Of course, they have to get their hands on your card first. Last year, they were found to be using heat to remove chips from batches delivered to card providers and sticking them on other cards.

(To read more about this, see Criminals Have Found a Way to Replace the Chips on Credit Cards.)

But their crooked technology has moved on and they’re now able to use more sophisticated versions of skimming devices, or shimmers as they’re known, that they hide inside the card slot on ATMs and payment machines.

A new alert was raised a couple of months ago by Arkansas Attorney General Leslie Rutledge.

“Credit and debit cards with the chip protect the user’s identity more than the magnetic strips,” she acknowledged. “The chip creates a unique transaction code that cannot be used again.

“Unfortunately, scammers continue to evolve their tactics and can now use the information they obtain from the shim to create a version of the card featuring a magnetic strip, which is still accepted by many retailers, especially online.”

Unfortunately too, shimming devices are much harder to detect than the old-style skimmers.

With the latter, the bad guys place their fake reader over the front of the genuine machine to collect the data.

Shimming devices, which contain their own microchip technology, are so thin they can actually fit inside the slot. They’re virtually invisible to all but the most vigilant of users.

The crooks’ favorite targets are the point-of-sale (POS) machines that you see at cash registers in stores and elsewhere. It takes them just seconds to insert the shim, usually while they’re paying for something they bought.

And they extract the shim, with its stolen information, just as quickly and easily.

In other reported cases, researchers have claimed that shims are capable of modifying the details of certain transactions, using the victim’s cards to transfer money.

Protect Yourself

To protect yourself against a shimmer, website CreditCards.com and the Scambusters team recommend the following actions:

  • If your card has a contactless tap-and-go feature, use that instead of swiping or inserting your card.
  • Consider using smartphone payment apps such as Apple Pay or Samsung Pay to tap and pay.
  • If you’re withdrawing cash at a bank, go inside and use a teller.
  • Use ATMs in banks rather than more vulnerable standalones. As a matter of security, ATMs inside banks are likely to be safer than those elsewhere.
  • Cover the keypad with your hand when entering your PIN. The crooks use tiny cameras to read your number. They also use heat-seeking devices that can tell which keys were pressed most recently, so, after you get your cash, press a couple more keys at random.
  • If things don’t feel right when you insert the card — if there’s some resistance for example — abort the transaction.
  • Contact the bank, merchant, and your card issuer if you suspect your card has been compromised.
  • Use a credit card rather than a debit type at gas pumps (where they’re accepted) because credit cards offer more protection and they also don’t contain details of your bank account.
  • And don’t forget to monitor your card statements regularly — every day if you use online services — so you can take swift action if you notice anything unusual.

Hopefully, as retailers and other businesses discontinue accepting magnetic-strip swipe cards, this particular route to information theft will be closed off to the crooks.

But don’t bet on it. You can be sure that, behind the scenes, they’re devising new ways of getting their hands on our chipcard data and stealing our money.

Alert of the Week

High-pressure telesales scammers claiming to be from Medicare or health insurers are calling people with offers of muscular braces that they claim the insurer will pay for.

They say they’ll arrange all the payments directly with the insurer so they need your Medicare number. Once they have that, they overbill the insurance organization.

You may or may not get the brace but either way you could find yourself tied up in an alleged fraud.

Unless you initiated an inquiry, just hang up on these callers and, if you can, block them from calling again.

That’s all for today — we’ll see you next week.