ATM Shimming Explained: What It Is and How to Protect Yourself
ATM shimming targets EMV chip cards by hiding a thin device inside the card slot. Learn how it differs from skimming and 5 steps to protect yourself.
Last Updated: February 2026
Key Takeaways:
- Shimming targets EMV chip cards — it is the "next generation" skimmer designed for the chip era
- Shims are hidden inside the card slot, not on top of it — you cannot detect them through external inspection
- Shimming alone cannot enable full card cloning due to EMV's dynamic security codes — but it can capture data for use in fallback transactions
- Covering your PIN remains your strongest individual defence regardless of shimming risk
- ATM operators can deploy electronic monitoring that detects shimmer insertion
What Is ATM Shimming?
When EMV chip cards became widespread, criminals faced a problem: the data captured from chip cards is harder to re-use than magstripe data. EMV chip transactions generate a unique cryptographic code for each purchase — a captured code cannot be replayed.
Shimming was the criminal industry's response.
A shim is an extremely thin device — sometimes as thin as 0.1mm — that is inserted inside the ATM's card reader slot. When you insert your chip card, the shim sits between your card's chip and the machine's reader, physically in the data path.
Unlike a traditional skimmer (which sits on the outside of the card reader), a shim sits inside the slot. This makes it:
- Impossible to detect through visual inspection of the machine's exterior
- Invisible to a physical "wiggle test" of the card reader
- Extremely difficult to detect without specialist electronic monitoring
Shimming vs Skimming: Key Differences
| Feature | Skimming | Shimming |
|---|---|---|
| Targets | Magnetic stripe data | EMV chip data + potentially magstripe |
| Placement | External (on top of card reader) | Internal (inside card reader slot) |
| Detectability | Physical check may reveal it | Virtually undetectable without electronic monitoring |
| Card types affected | Magstripe and any card | EMV chip cards |
| Data captured | Magnetic stripe + (via camera/overlay) PIN | Chip interaction data + PIN (via separate camera) |
| Can enable full cloning? | Yes, for magstripe | Limited — see below |
See How to Spot a Card Skimmer on an ATM: 10 Warning Signs for the skimmer comparison.
Can a Shim Clone Your EMV Card?
This is the nuanced part.
EMV chip transactions produce dynamic authentication data: a unique code that is tied to that transaction and cannot be reused. So shimming an EMV transaction does not give a criminal a code they can replay for another chip transaction.
However:
- Fallback transactions: Some ATMs and terminals are configured to fall back to magnetic stripe processing when the chip cannot be read properly (including when a shim interferes with the reading). If fallback is available, the magnetic stripe data captured during the shimmed session may be exploitable.
- Track 1 / Track 2 data: The EMV standard still includes magnetic stripe equivalent data in chip communications for backward compatibility. Some implementations expose this data in ways that shimming can exploit, particularly in older card or terminal implementations.
- Card-not-present fraud: Even if the dynamic transaction code cannot be replayed, partial card data captured by a shim combined with other available information may be usable for card-not-present (online) fraud in some scenarios.
The practical takeaway: Shimming is less immediately dangerous than classic skimming, but it is not harmless — and it continues to evolve.
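An added example (not from the original article): a minimal monitor an operator or issuer could run over authorization records to spot chip cards being processed via magnetic stripe, the fallback condition described above. The record layout, terminal IDs, thresholds and card numbers are constructed for illustration; the entry-mode codes are the common ISO 8583 field 22 values.

```python
from collections import defaultdict

# Common ISO 8583 field 22 (POS entry mode) values, first two digits.
CHIP, FALLBACK, MAGSTRIPE = "05", "80", "90"

CHIP_T2 = "4000000000000002=29122011234"    # constructed; service code 201
STRIPE_T2 = "4000000000000010=29121011234"  # constructed; service code 101

# Constructed sample records: (terminal_id, entry_mode, track2).
SAMPLE = (
    [("ATM-001", CHIP, CHIP_T2)] * 6
    + [("ATM-002", CHIP, CHIP_T2)] * 3
    + [("ATM-002", FALLBACK, CHIP_T2)] * 3
    + [("ATM-003", MAGSTRIPE, STRIPE_T2), ("ATM-003", FALLBACK, CHIP_T2)]
)

def service_code(track2):
    """Return the 3-digit service code that follows the 4-digit expiry."""
    _pan, sep, rest = track2.partition("=")
    if not sep or not rest[:7].isdigit() or len(rest) < 7:
        raise ValueError("malformed track 2 data")
    return rest[4:7]

def classify(entry_mode, track2):
    """Flag a chip-capable card (service code 2xx or 6xx) read via magstripe."""
    chip_card = service_code(track2)[0] in "26"
    if chip_card and entry_mode in (FALLBACK, MAGSTRIPE):
        return "review"
    return "ok"

def fallback_rate_by_terminal(records):
    """Map each terminal to (share of flagged transactions, transaction count)."""
    totals, flagged = defaultdict(int), defaultdict(int)
    for terminal, mode, track2 in records:
        totals[terminal] += 1
        flagged[terminal] += classify(mode, track2) == "review"
    return {t: (flagged[t] / totals[t], totals[t]) for t in totals}

def terminals_to_inspect(records, threshold=0.2, min_txns=5):
    """Terminals with enough traffic and a fallback rate above the threshold."""
    stats = fallback_rate_by_terminal(records)
    return sorted(t for t, (rate, n) in stats.items()
                  if n >= min_txns and rate > threshold)

if __name__ == "__main__":
    print(terminals_to_inspect(SAMPLE))
```

A flagged terminal is a prompt to inspect the reader, not proof of a shimmer: worn chips and dirty contacts also cause fallback.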
Why You Can't See a Shim (and What You Can Do)
Because the shim is inside the card slot, the 30-second physical check that helps detect external skimmers does not work here.
What does work:
1. Cover your PIN — always. A shim alone cannot capture your PIN. It would need a separate camera or PIN pad overlay for that. Covering your PIN breaks the combination that makes card data exploitable for ATM withdrawals.
2. Check for PIN pad overlays. Even if you cannot detect the shim, a criminal installing a shim will also need a PIN capture method. Check the PIN pad carefully for the signs described in How to Spot a Card Skimmer on an ATM: 10 Warning Signs.
3. Monitor your account for unusual activity. Enable real-time transaction alerts through your banking app. If shim-captured data is used, you will know almost immediately.
4. Report card insertion difficulty. If your card feels unusually resistant or seems to catch inside the slot, tell the bank and do not proceed with the transaction. Something inside the slot may be causing resistance.
For ATM Operators: Detecting Shimmers
Shim detection requires more than physical inspection:
- Electronic card reader monitoring: Specialist systems can detect the electrical characteristics of a shimmer inserted in the card reader — changes in capacitance, resistance, or signal quality that differ from a clean reader
- Physical inspections with jitter tools: Some anti-skimming hardware includes "jitter" mechanisms that physically vibrate the card during insertion — this makes shimmer data capture unreliable and detects unusual resistance
- Tamper alerts: Reader monitoring systems can send real-time alerts if shimmer-related anomalies are detected
- Firmware-level detection: Some ATM vendors have developed firmware updates that detect shimmer interference patterns during card reads
See Anti-Skimming Solutions for hardware designed to address both skimming and shimming threats.
Frequently Asked Questions
Q: If shimming can't clone my chip card, should I be worried about it?
A: Yes — with appropriate perspective. Pure shimming of EMV is more limited than classic skimming. But combined with PIN capture and fallback transactions, it remains a viable fraud vector. And shimming technology continues to develop.

Q: How do I check if an ATM has a shimmer?
A: You cannot reliably check from the outside — this is exactly what makes shimming concerning. Your defences are indirect: cover your PIN, use ATMs in high-surveillance locations, and monitor your account for unusual activity.

Q: Can contactless ATM withdrawals be shimmed?
A: Contactless withdrawals use NFC and do not involve inserting your card into the shimmed slot. Where contactless ATM withdrawal is available (it is not universal), it bypasses shimming risk.

Q: Are shimmer attacks common?
A: Shimmer attacks have been documented in multiple countries. They are less common than traditional skimming — partly because of their technical complexity — but they are a known, active threat that operators and consumers should be aware of.