Credit card shimming is a fraud technique where thieves insert a paper-thin device into a card reader's chip slot to steal your EMV chip data. Unlike older skimming attacks that targeted magnetic stripes, shimming targets chip-enabled cards specifically. The device sits invisibly inside the card slot, reads your chip data each time someone inserts a card, and stores it for the thief to retrieve later.
Running a credit repair company, I see the aftermath of this fraud regularly. One of the most unforgettable cases came from a client who noticed 11 small charges across two days, all from cities she had never visited. The source traced back to a gas pump she used three weeks earlier. By the time she reached us, the fraudulent activity had already created two new accounts in her name.
Card fraud is accelerating at a serious pace. The FTC received 449,032 reports in 2024 from consumers who reported fraud involving an existing card or a new one opened in their name, according to the FTC Consumer Sentinel Network Data Book. Total fraud losses across all categories hit $12.5 billion in 2024, up 25% from 2023. Shimming is one of the tools driving that number up.
What Is Shimming in Fraud Terms?
Shimming is the chip-era evolution of skimming. Skimming targets the magnetic stripe on the back of a card. Shimming targets the EMV microchip, which was introduced specifically to replace the magnetic stripe as a more secure option.
A shim is an ultra-thin device, roughly the size and thickness of a paper card, embedded with a microchip and flash storage. Thieves slide it into the card reader slot at an ATM, gas pump, or point-of-sale terminal. Once inside, it sits between your card and the machine's legitimate chip reader.
Every card that goes into that slot passes its chip data directly through the shim. The shim records it. The thief returns later, inserts a retrieval card that looks like a normal transaction, and downloads everything the shim collected.
This is why shimming is harder to detect than skimming. A skimmer sits on the outside of a machine. A shim sits inside it. You cannot see it without physically disassembling the reader.
Shimming vs. Skimming: What's the Difference?
Both attack methods steal card data. The hardware and target are different.
Skimming uses a device placed on the exterior of a card reader, over the magnetic stripe slot. It captures the data stored on the card's magnetic stripe, including the card number, expiration date, and cardholder name. Skimmers are often bulky and can be spotted if you tug on the card slot.
Shimming uses a device placed inside the chip card slot. It targets the EMV chip data rather than the magnetic stripe. Shims are thin, completely internal, and invisible to the eye without taking the machine apart.
The practical outcome is the same: thieves get your card data and use it to create a cloned card or make unauthorized purchases. The key difference is that shimming is significantly harder to detect.
One technical limitation of shimming: the data captured from an EMV chip cannot be used to fully clone a chip card. The EMV protocol includes dynamic authentication, meaning each chip transaction generates a unique code. Thieves who shim your card can create a magnetic stripe clone, not a chip clone. Many retailers still accept magnetic stripe transactions, which makes this limitation less protective than it sounds.
Where Does Shimming Happen Most Often?
Thieves install shims in locations that see high card volume and low human supervision. The most common targets are:
Gas pump card readers (outdoor, often unmonitored)
Non-bank ATMs at convenience stores, bars, and shopping malls
Parking meters and transit payment terminals
Vending machines in low-traffic areas
Among Americans surveyed in 2024 who reported being victimized by card fraud at a physical terminal, 60% said it happened at the gas pump, according to data compiled by cardrates.com. Gas stations remain the top target because outdoor pump readers are easier to access and less monitored than indoor ATMs.
Bank-owned ATMs inside branch buildings are the least targeted. Thieves avoid locations with security cameras, staff visibility, and regular equipment checks.
How to Spot a Shimming Device
Spotting a shim is difficult because the device is internal. But there are warning signs worth checking before you insert your card:
Resistance when inserting your card. A card slot with a shim inside feels tighter than usual. A shim takes up physical space. If your card does not slide in smoothly, that is worth noticing.
Misalignment around the card slot. Look at the card reader slot against the rest of the machine's surface. Any visible gap, warping, or color mismatch around the slot can indicate tampering.
Broken or missing security seals. Many gas pumps have tamper-evident security tape across the panel access door. A broken or voided seal is a sign that the machine was opened.
Unusual thickness of the card reader. If the reader looks thicker or extends further from the pump than nearby machines, compare it to a neighboring pump to confirm.
The NJ Division of Consumer Affairs notes that thieves tend to install shimmers in ATMs that are not well-lit and have low foot traffic, specifically to reduce the chance of being observed during installation. Using machines in open, well-lit, high-visibility areas reduces your exposure.
Does Chip Technology Protect You from Shimming?
Chip cards are more secure than magnetic stripe cards, but they are not immune to shimming. EMV chips generate a unique transaction code for every purchase, which makes direct chip-to-chip cloning impossible with current shimming technology.
However, the data a shim collects can still be used to create a magnetic stripe clone. That clone works anywhere a retailer accepts swipe transactions, which still accounts for a significant share of payment terminals in the U.S.
Contactless payment methods (tap-to-pay, Apple Pay, Google Pay, Samsung Pay) do not involve inserting a physical card into a slot. They transmit encrypted, tokenized payment data wirelessly. A shim inside a card slot cannot intercept this data because the card never enters the reader. Contactless payment is the most effective protection against shimming available to consumers today.
How Shimming Affects Your Credit
Shimming itself does not appear on your credit report. But what happens after is the real problem.
Thieves use the stolen data to create cloned magnetic stripe cards. They then use those cards for purchases or cash withdrawals. Two outcomes can affect your credit file:
New account fraud. If the thief uses your stolen information to open new credit accounts, those accounts appear on your credit report. Hard inquiries from fraudulent applications also show up. New account fraud made up roughly 90% of credit card identity theft cases reported to the FTC in 2024.
Collections from missed payments on fraudulent accounts. If fraudulent accounts accumulate balances and go unpaid, they can be sent to collections. A collection account stays on your credit report for up to 7 years.
At our credit repair company, this year alone, we handled dozens of cases where clients had 2 to 5 unauthorized accounts opened after a shimming or skimming event, each requiring separate disputes with all three credit bureaus. The dispute process takes time and requires documentation, but items tied to confirmed fraud are removable.
What to Do If You Think You've Been Shimmed
Act fast. Every hour of inaction gives thieves more time to use your data.
Call your card issuer immediately. Report the suspected fraud. Ask them to cancel the card and issue a new one with a different number. Most card issuers have 24-hour fraud lines.
Review all recent transactions. Go back at least 30 days. Report every charge you do not recognize, even small ones. Thieves often test cards with small charges first before making larger purchases.
Place a fraud alert with the credit bureaus. A fraud alert at any one of the three major bureaus (Equifax, Experian, TransUnion) triggers automatic alerts to all three. It requires creditors to verify your identity before opening new credit in your name. Fraud alerts are free.
Consider a credit freeze. A freeze prevents any new credit accounts from being opened in your name until you lift it. It is stronger than a fraud alert. You can place and lift a freeze for free at each bureau directly through their websites.
File a report with the FTC. Visit IdentityTheft.gov to report the fraud and get a personalized recovery plan.
Report to local law enforcement. A police report creates a formal record. Some creditors require it to process fraud disputes.
Under the Fair Credit Billing Act, you are not responsible for unauthorized charges on a credit card once you report the card as stolen. For debit cards, your liability depends on how quickly you report, so speed matters more with debit accounts.
How to Prevent Credit Card Shimming
Has Fraud Already Touched Your Credit?
Credit card shimming can lead to unauthorized accounts, hard inquiries, and collections showing up on your credit report. The faster you catch fraud, the easier it is to stop long-term damage. Get your full credit report reviewed and see what’s hurting your score.
Check My Credit Report Now →Free credit analysis • No obligation • Find fraud-related damage fast
Protection comes down to changing three habits.
Use contactless payments whenever possible. Apple Pay, Google Pay, Samsung Pay, and tap-enabled cards never insert into a card slot. No insertion means no shimming risk.
Choose your terminal wisely. Prefer bank-owned ATMs inside branch buildings over standalone ATMs at convenience stores. At gas stations, choose pumps closest to the store entrance and in direct sightlines of staff. Pay inside when in doubt.
Check before you insert. Tug the card reader slot. Feel for resistance. Look at the security seal. If anything looks off, use a different machine and report it to the business. You can also report it to the FTC at ReportFraud.ftc.gov.
Monitor your accounts. Set up transaction alerts through your bank or card issuer. Most banks allow real-time push notifications for every charge. An alert for an unrecognized $1.50 test charge is often the first sign of a compromise.
Skimming-related fraud costs businesses and consumers more than $1 billion every year, according to Truist Bank's fraud prevention data. That figure includes shimming as part of the broader card compromise category. ATM compromise events jumped 46% in the second half of 2024 compared to the first half, based on FICO's 2024 debit card compromise report, signaling that this threat is not declining.
Staying one step ahead of shimming requires awareness, not advanced security tools. The habit changes above cost nothing and take seconds. The alternative, disputing fraud and recovering your credit profile, can take months.