Go to:

March 2019
< Feb Apr >
Leaguer Email Subscription

You are not currently subscribed. Click Subscribe below to receive the Leaguer email.

Shimmers Appearing at Credit Union ATMs, Sources Say
Tuesday, November 7, 2017 6:20 AM

ATM skimmers have become an unfortunate part of life for many credit unions, but another threat is now hitting CUs as well: illicit EMV card readers called “shimmers.” 

A shimmer, when inserted into the mouth of an ATM card-acceptance slot, sits between a card’s EMV chip and the ATM’s chip reader, allowing criminals to read the chip and steal card information. They are a generation ahead of skimmers, which steal information from mag stripes rather than EMV chips.

Though shimmers are relatively young members of the crime world—reports of shimmers began circulating widely in late 2015—credit unions haven’t been able to avoid their wrath, according to Ashley McAlpine, who is a fraud prevention manager at CO-OP Financial Services. McAlpine said she’s aware of around 10 to 20 credit unions that have been hit with shimmers, and the incidents often result in, among other things, card reissuances, something many credit unions were hoping to get away from with the advent of EMV chips.

“Primarily where we've seen it is in the California, Texas, Florida regions, where you've seen a lot more fraud rings taking place,” she noted. “A lot of times those rings seem to have a lot more money to be implementing these type of devices.”

That doesn’t mean credit unions in other states are safe, though. Appleton, Wis.-based Fox Communities Credit Union (89,000 members and $1.4 billion in assets) was a victim just a few weeks ago, according to Det. Lt. Rick Belanger of the Green Bay Police Department. The suspicion began after members started having problems getting their cards out of one of the credit union’s ATMs, he said. 

“And when they were able to get it back out, it had kind of a gummy substance on it,” he added. A look inside the machine revealed the hidden shimmer device. 

In a way, that credit union may have gotten lucky. Many times the criminals come back to an ATM and remove the shimmer so they can collect the information hidden on it, Belanger said. 

“That kind of seems to be the thing that they do, is they insert it on a Friday, spend the weekend getting the data, they take it by early Sunday morning, and off to the races they are with the data," Belanger noted. "And they compromise numerous people's accounts and get all kinds of free moneyd." 

The fact that the shimmer is physically inside the ATM is also a problem, McAlpine added. “Usually it’s really hard for a credit union or any financial institution of that matter to detect it—primarily because it goes in so deep,” she said. 

Even spotting a criminal installing a shimmer can be hard, Belanger added. The one at the Fox Communities ATM appears to have been put in as employees were arriving for work.

“You know, they're pretty brave,” he said, “but it really just appears he was using the ATM. Nobody thought anything of it.”

Belanger and McAlpine said credit unions can do things to hinder shimmers:

  1. Look for cameras. Criminals want card data, but they want the PINs, too. That usually requires putting a tiny camera somewhere near or above the ATM keypad, McAlpine said.
  2. Scrutinize the size of the card slot. The smaller the slot, the harder it is to insert a shimmer, Belanger noted. Fraud rings often know which ATM makes and models have card slots big enough to fit a shimmer; credit unions should do the same research.
  3. Tell members to cover their hands. That can prevent cameras from recording PINs. “That could go a long way,” McAlpine said.

Credit Union Resources' Idrees Rafiq says, "In our information security risk assessment, we encourage one member of the credit union staff to be responsible for physically checking their ATMs for skimmers and shimmers on a weekly basis. Also, the practice of logging these inspections is strongly encouraged."

Source:  Credit Union Times

Assess Your Systems and Manage Your Risk

As technology changes, every credit union faces new security issues. Let Credit Union Resources help you stay on top of it—your future could depend on it. Our team of technology professionals provides guidance on compliance, shares best practices, and performs audits. We have a vested interest in your success, and your cybersecurity matters to us. To find out how we can help you manage cybersecurity and operational risks, contact:

Idrees Rafiq


800-442-5762, ext. 6799

Deanna Brown


800-442-5762, ext. 6464

About Credit Union Resources Inc.

Credit Union Resources is a service corporation that provides industry-leading solutions and expertise to credit unions across the country. Credit Union Resources is a wholly owned subsidiary of the Cornerstone Credit Union League, a regional trade association representing the interests of credit unions in Arkansas, Oklahoma, and Texas.