Bank card users are being warned for a new type of scam that can empty accounts in minutes and involves cloning. The scam, known as Shimming, uses a hidden device inside the multibaning grooves or payment terminals that collects data directly from the chip or the magnetic range of the card.
According to The Connexion newspaper, a French-based English-based English language newspaper, the so-called Shimmer is so discreet that it does not change the appearance of the terminal or the functionality of the card, making it virtually impossible to detect. The information collected is sent remotely to criminals, who can clone it and make surveys or payments without the victim noticing.
Como funciona o “shimming”
According to the same source, the device is inserted inside the card reader and automatically captures the data when it is introduced. From there, criminals can create fake cards or make transactions on behalf of the victim, including contactless payments, toll tickets or abroad, which can generate even more costs due to international rates.
In June, a case near Paris led to the arrest of four suspects, accused of installing these devices at a service station and using the information obtained to raise money in automatic boxes in Spain.
Despite the degree of sophistication, the numbers are still reduced: by 2023, it is estimated that shimming has allowed theft of about 36 thousand euros in France, modest when compared to the about 500 million euros associated with other forms of card fraud, according to the France banker cited by the same source.
How to protect
Security experts warn that, given the hidden nature of shimming, it is difficult to adopt effective preventive measures. However, the Signal-Arnaks website, a French platform that specializes in reporting and sharing information on online fraud, scams and schemes, recommends the frequent monitoring of bank accounts and the immediate reporting of any suspicious movement. Whenever possible, it is advisable to use contactless payments that dispense with the introduction of PIN and limit card exposure to these devices.
In case of fraud, and provided there is no negligence on the part of the customer, banks must reimburse the amounts improperly removed, contrary to what happens in schemes such as the phishingwhere voluntary credential sharing can complicate the return process.
The situation in Portugal
In Portugal, this type of burla has no significant expression yet, but the judicial police have warned of similar devices used in automatic boxes and payment terminals. According to PJ, cited by News to the Minute, criminals resort to discrete microchanes and devices to copy data and register PIN codes, techniques that have been constantly evolving.
News to Minute adds that authorities recommend extra attention to ATM boxes with manipulation signs, the use of virtual cards for online shopping, and the activation of transaction alerts on digital banking services.
Quoted by SIC Notícias, Banco de Portugal confirms that most fraud with national cards occur in transactions carried out outside the country, which reinforces the need for added surveillance.
European trend
Europol reports, cited by, have also identified shimming as a technological evolution of skiming, placing it among the main threats to physical payment systems in the European Union. Authorities recommend always checking the crowd groove before entering the card and protecting the keyboard when introducing the PIN.
The message is clear: if something seems suspicious, it is best not to use that machine. The simple gesture of moving away can prevent the card from being cloned and the bank account is at risk.
Also read:
