How ATM card ‘shimmers’ have kept scammers one step ahead

Scammers are getting more high-tech. KIRO 7 has warned you about card skimmers and how to look for them, but now banks and law enforcement are fighting another piece of scam technology, called a “shimmer.”

“It’s a constant battle,” said Ann Flannigan, a spokesperson for the Washington State Employees Credit Union (WSECU). “There are a lot of people out there who would love to separate you from your money.”

“Shimmers” are thin pieces of metal inserted into an ATM or a machine at a point of payment. They’re smaller than ever and almost impossible to detect from looking at a machine from the outside.

Even the U.S. Secret Service is on the lookout for the scam.

One recent hack targeted multiple South Sound ATMs. Then criminals used that stolen data to cash in, up and down the I-5 corridor.

“It was a shock,” said Elaine Fischer, an Olympia resident who was one of the victims in that hack.

She said her trouble began after a stop at an ATM at the Olympia Farmer’s Market back in November. Before she knew it, her information was stolen and her privacy was violated.

On the weekend after Thanksgiving, two weeks after the farmer’s market, $1,000 suddenly vanished from her account.

“That is really disturbing,” Fisher said. “I really thought a lot about the idea that someone had my information.”

She didn’t know right away that she was the victim of a much larger hack.

WSECU said scammers managed to steal debit card information from several hundred customers at three of their ATMs – at the Olympia Farmer’s Market, at the Tumwater Town Center, and the Tacoma branch James Center ATM.

Surveillance video from one of the cases shows a man wearing blue neoprene gloves, a face mask, and a baseball cap approaching one of the ATMs. He slides a thin piece of metal inside the machine and appears to use a card or device to shove the metal piece further inside the ATM. Finally, he appears to test the setup with a card to make sure the ATM is still working, before walking away.

The whole setup took just over a minute and the ATM targeted was right outside the credit union, on bank property.

“They’re coming right on to our turf where they know, frankly, a lot of customers - a lot of members - are going to be using those machines,” Flannigan said. “And it is a new development.”

The newer scamming devices are almost impossible to detect from the outside.

Flannigan said that even with credit union employees checking the ATMs daily, they missed the devices that had corrupted the machines. There was also a pinhole camera installed on the ATM, so the criminals could also capture victims’ PIN numbers.

About two weeks after inserting the “shimmers” on three WSECU ATMs, the scammers cashed in. The criminals printed out new debit cards and used people’s information to withdraw cash at 11 different ATMs from Seattle to Tumwater.

“We’re always trying to stay one step ahead of the scammers,” Flannigan said. “Unfortunately, sometimes the scammers are one step ahead of us.”

The crime is so sophisticated that KIRO 7 wanted to show you exactly what to look for.

KIRO 7’s Deedee Sun alerted the U.S. Secret Service Seattle branch about the South Sound case. The Secret Service was originally created to protect the U.S. Treasury and still handles certain monetary crimes as part of its work to protect the financial system of the United States.

“With the newer technology, of course, the components can be smaller and smaller,” said Chris Hansen, a network intrusion forensic analyst with the U.S. Secret Service.

Hansen said he was not aware of this case but was working on helping local law enforcement with other cases involving shimmers. While shimmers first started cropping up a decade ago, the tech has now become much more advanced.

Hansen said criminals typically use that same method of operation – harvest the stolen data, print out fake debit cards, and go on a shopping spree at ATMs. Often, it’s groups of people working together.

“This is what we call white plastic,” Hansen said, showing a stack of white plastic cards, completely blank except for a magnetic stripe. “You can encode the data onto this stripe.”

As for that pinhole camera, Hansen said criminals go so far as to hide the tiny camera in a plastic panel that fits perfectly onto the ATM.

“Yeah and you’ve got to get the color right,” Hansen said.

The panel also has a microchip on it where the recorded data was being stored, along with a tiny battery.

Bottom line – the “shimmers” are much more difficult to spot than the bulky overlay “skimmers” KIRO 7 has reported on extensively before.

Skimmers are installed on the outside of an ATM or payment machine. Criminals are still using them – but customers can pull on the device to see if it comes loose or feel for mushy buttons.

Protecting yourself is a little harder with “shimmers” but there are plenty of ways to beat the thieves.

Here are the tips that KIRO 7 gathered from both WSECU and the U.S. Secret Service:

  • Use your chip and tap to pay whenever possible: Even though customers were inserting their cards instead of swiping, the “shimmer” was still pulling data off the card’s magnetic stripe – not stealing data from the chip. If your payment option offers a tap-to-pay option, use it. Hansen said he has not yet handled a case where data was stolen from the chip of a credit or debit card.

  • When withdrawing cash, go inside a bank or financial institution: Indoor ATMs are closer to bank employees, are covered by more cameras inside the building, and are much less likely to be targeted by criminals. Flannigan said she was not aware of any ATM inside their credit unions that has ever been compromised.

  • Carefully inspect an ATM before using: You won’t be able to spot a “shimmer” inside the machine but the plastic panel hiding a pinhole camera might be jutting out or have an uneven seam from a quick glue job.

  • Always cover your PIN number: Even though it seems rudimentary, even the sophisticated “shimmer” scammers still use a camera to capture PIN number data. Closely covering the keypad with your hand when punching in your PIN number can prevent thieves from stealing that piece of data.

  • Set up text alerts for your debit/credit card: Set up an alert to get a text message for any transaction over one cent. That way, you are immediately aware of a charge or withdrawal you didn’t make.

  • Use the digital wallet on your phone to pay: This option avoids using your card altogether. A digital wallet transaction generates a one-time token to the merchant and does not send over your debit or credit card number.

WSECU said it is doing everything possible to help keep customers safe.

“First of all, is keeping our technology up to date,” Flannigan said.

The organization has high-tech fraud detection. Their software noticed unusual transactions from their customers that raised a red flag. So, the credit union locked down the cards, preventing even more damage and loss.

Flannigan said WSECU is also working with its ATM manufacturer to win the game of cat and mouse.

“They are now working to find a solution to retrofit machines to address this latest (scam) technology,” Flannigan said.

A retrofitted machine would change the physical hardware of the ATM so the types of “shimmers” criminals are using can’t be slid into the machines.

WSECU said it reimbursed the cash to all customers who lost money in the scam.

“I don’t want people to feel frightened to use an ATM and certainly not at a financial institution,” Flannigan said. “This is rare, this is rare for us to have this incident.”

Still – she said it’s also very important for customers to be proactive in protecting themselves and that people need to arm themselves with some new defenses against these “shimmers.”