In an effort to work around the security measures built into EMV credit cards, a Brazilian criminal gang has created a skimmer-type device that steals the chip right out of the card when it is inserted into a compromised ATM.
The operation is pretty simple, but requires a certain level of inattentiveness by the victim, according to a FlashPoint blog by Analyst Olivia Rowley and Senior Intelligence Analyst Ian W. Gray. The criminal first installs a skimmer-like device onto the ATMs card slot. However, instead of reading information off the magnetic strip like a typical skimmer, the device punches out the chip, leaving a big hole in the card, which can them be inserted into a blank card for future use. The bad guys also rig up a camera at the ATM so they can record the person's name and PIN.
The researchers are not entirely certain what happens to the chips after they are removed, but believe they are most likely stored in what they called an overlay that is installed by the criminals.
“The overlay has a fake screen and card reader that is installed by the attackers. To recover the chips, the fraudsters would simply remove the overlay and collect the chips,” the researchers told SC Media.
Another reason this scam is succeeding is the general low security awareness in Brazil and the victims are slow to act when they realize something has happened to their card.
“In an interview with one of the victims, the victim states that they say that the chip was cut out when they withdrew their card from the ATM, but didn't alert anyone until they received a text message from the bank about unusual activity on their account, 20 minutes after the incident,” Rowley and Gray said.