Schlanger Law Group LLP - Restore Your Financial Life
212 500 6114

Card Shimming: Why “Chip Detected” Doesn’t Mean the Charge Was Authorized

By: The Schlanger Law Group Legal Team 

credit card shimming chip skimming legal rights victims

In our recent article on card skimming, we discussed how criminals use hidden devices to steal card data from ATMs and gas pumps. We noted that we would address “shimming”—a newer, more sophisticated form of card fraud—in a follow-up post. This is that post.

If your bank has denied your fraud claim because “the chip was detected” during the transaction, you need to read this article. Banks routinely tell consumers—and tell us—that if a chip was detected, the transaction must have been authorized. As the banks know full well, this is simply not true. Chip cards can be—and are—cloned through a process called shimming.

Many consumers incorrectly assume that hiring a consumer protection lawyer to challenge a refusal to reimburse unauthorized charges on a debit or credit card won’t be financially viable. Consumers may anticipate being asked for a sizeable initial retainer, or may reason that the loss, while serious, is not large in relation to the potential fees and costs the attorney will need to incur to vindicate the consumer’s rights. But because the relevant federal statutes provide for attorney’s fees, typical case resolutions include recovery of both the amount of the unauthorized charges and, in addition, fees and costs paid by the bank or card issuer. This changes the economics of obtaining qualified counsel to assist the consumer, and makes cases that would otherwise not be financially viable worth litigating.

“The Chip Was Detected, So It Must Be Authorized”

When EMV chip cards were introduced, they were marketed as virtually impossible to clone. The technology was supposed to make card counterfeiting a thing of the past. Banks embraced this narrative, and many still cling to it today—even though criminals have long since found ways around it.

We routinely encounter banks that deny fraud claims on the grounds that a chip was detected during the disputed transaction. The implication is that chip detection proves the cardholder’s physical card was present and the transaction was therefore authorized. But this reasoning is fundamentally flawed. Security researchers have documented methods for cloning chip card data since at least 2008, and criminals have been exploiting these vulnerabilities in the real world for years.

As Bankrate—a leading financial industry publication—plainly states: “Chip cards can still be skimmed — or shimmed — at card readers and ATMs.” The notion that chip technology makes cards immune to fraud is simply outdated.

What Is Card Shimming?

While traditional skimming targets the magnetic stripe on the back of your card, shimming targets the EMV chip. A “shimmer” is a paper-thin device that criminals insert inside an ATM or payment terminal’s card slot. When you insert your chip card, the shimmer sits between your card’s chip and the terminal’s chip reader, intercepting the data as it passes between them.

Because shimmers are installed inside the card reader, they are virtually impossible for consumers to detect. Unlike skimmers, which are sometimes visible as an overlay on the card slot, a shimmer is completely hidden from view. According to Bankrate, “These shims contain a microchip and flash storage that can capture and save your card information from your chip card.”

Security researchers have documented that shimming is “a more advanced method that detects EMV chip data” and allows criminals to “intercept EMV chip card data.” The FBI has warned that skimming and related fraud costs consumers and financial institutions over $1 billion annually.

How EMV Bypass Cloning Works

The technique criminals use to exploit shimmed data is called “EMV bypass cloning.” Here’s how it works:

  1. Data capture: The shimmer intercepts data from your chip card when you insert it into a compromised terminal. This includes account information that would normally be protected by chip technology.
  2. PIN capture: Criminals often pair shimmers with hidden cameras or overlay keypads to record your PIN as you enter it.
  3. Clone creation: The criminals use the captured chip data to create a cloned magnetic stripe card. As Bankrate explains, “The crooks can then retrieve the shim and use your card information to create forged cards with magnetic stripes.”
  4. Fraudulent use: The cloned card is used to make unauthorized purchases or ATM withdrawals. The criminals rely on the fact that chip cards still have magnetic stripes as a backup, allowing them to swipe the cloned card at terminals.

This is where banks’ “chip detected” defense falls apart. The shimmer captures the chip data from your legitimate card. When the cloned card is later used, the transaction may involve chip data—but it’s data that was stolen from you. The “chip detected” notation proves only that chip data was present in the transaction. It does not prove that you authorized the transaction or that your physical card was present.

Your Legal Rights When Your Chip Card Is Compromised

Federal law provides important protections for victims of card fraud—including shimming—regardless of whether your debit card or credit card was compromised.

Debit Cards: The Electronic Fund Transfer Act (EFTA)

Victims of debit card shimming are protected by the Electronic Fund Transfer Act (EFTA), which caps liability for unauthorized transactions. Consumers who report promptly face a maximum exposure of $50; those who report within 60 days of receiving their statement are generally limited to $500 in liability for unauthorized charges appearing on that statement.

The EFTA also imposes procedural obligations on banks. Upon receiving a fraud report, the bank must investigate and—in most cases—provisionally credit the disputed amount within 10 business days. Too often, banks fail to meet these requirements, or attempt to sidestep them by invoking “chip detected” records as supposed proof of authorization.

EFTA Remedies: If a bank violates its obligations under the EFTA, the law provides consumers with several potential remedies:

  • Actual damages—not just the stolen funds, but also consequential harm such as emotional distress
  • Statutory damages as prescribed by the statute
  • Treble (triple) damages in cases of willful noncompliance
  • Attorney’s fees and costs

The attorney’s fees provision is particularly important: it enables consumers to retain qualified counsel even when the dollar amount at stake might otherwise make litigation impractical.

Our free guide, Fighting Back: A Guide to Identity Theft, Credit Reporting Errors, and Unauthorized Charges, provides additional detail on the EFTA and walks through the dispute process step by step.

Credit Cards: TILA and FCBA

Two federal statutes protect credit card holders against shimming fraud: the Truth in Lending Act (TILA) and the Fair Credit Billing Act (FCBA).

TILA Section 1643 limits cardholder liability to $50 for unauthorized charges—though most issuers waive even this amount in practice. What many consumers don’t realize is that TILA’s requirements are relatively flexible. There is no mandate for written notice, no requirement to send disputes to a designated address, and no rigid 60-day cutoff. The standard is simply that the cardholder provide “reasonable notice” of the unauthorized charges.

The FCBA offers separate protections for “billing errors” but comes with more demanding procedural rules. Consumers who satisfy the FCBA’s requirements may assert claims under both statutes. And crucially, even if the FCBA’s deadlines have passed, TILA may still provide a remedy.

TILA and FCBA Remedies: Credit card issuers that fail to comply with these statutes can be held liable for:

  • Actual damages suffered by the consumer
  • Statutory damages as provided under each statute
  • Attorney’s fees and litigation costs

Because the law requires the card issuer—not the consumer—to pay attorney’s fees in successful cases, consumers can pursue valid claims without worrying whether the amount stolen justifies the cost of legal representation.

To learn more about TILA, the FCBA, and the procedural differences between them, download our guide: Fighting Back: A Guide to Identity Theft, Credit Reporting Errors, and Unauthorized Charges.

What to Do If You’re a Victim

If you discover unauthorized transactions on your account—whether or not your bank claims a chip was detected—take the following steps immediately:

  • Notify your bank or card issuer right away. Prompt reporting strengthens your legal position and may limit your liability under federal law.
  • Put your dispute in writing. Use certified mail with return receipt requested so you have proof of delivery. Retain copies of everything you send.
  • Obtain a police report. This documents the crime officially. Send a copy to your bank to support your dispute—you can submit it as a supplement if you’ve already filed your initial claim.
  • File a report at IdentityTheft.gov. The FTC’s site will generate an Identity Theft Report and create a tailored recovery plan. Forward a copy to your bank as additional documentation for your dispute.
  • Protect your credit. Place a fraud alert by contacting any one of the three major credit bureaus (they are required to notify the others), or lock your credit files entirely by requesting a freeze from all three bureaus.
  • Keep detailed records. Write down when and where you last used your card, the date you noticed the fraud, and maintain a log of every interaction with your bank.
  • Report the fraud to law enforcement. The FBI accepts reports of shimming and card fraud through its Internet Crime Complaint Center at ic3.gov.

We have published a resource that covers each of these steps in detail: Fighting Back: A Guide to Identity Theft, Credit Reporting Errors, and Unauthorized Charges.

Getting Legal Help

Schlanger Law Group focuses on consumer protection litigation, with particular depth in cases involving unauthorized debit and credit card charges. Our firm has been at the forefront of card fraud cases—including shimming and skimming disputes—for years, and our attorneys handle these matters as a core part of our practice.

Banks that reject fraud claims based on “chip detected” evidence are clinging to an outdated view of card security. The reality, well documented by security researchers and industry publications alike, is that chip cards are not immune to cloning. When banks invoke chip detection to deny legitimate claims, they may be violating their obligations under federal law.

The fee-shifting provisions in the EFTA, TILA, and FCBA mean that banks—not consumers—bear the cost of attorney’s fees when they lose. Our firm handles shimming and other card fraud matters on a contingency basis: you pay nothing up front, and we only collect a fee if we obtain a recovery on your behalf.

If your bank has refused to reimburse you for unauthorized charges—particularly if they claimed the transaction was authorized because a chip was detected—we encourage you to reach out. Contact us at (212) 500-6114 or visit consumerprotection.net for a free consultation.

Attorney Advertising. Prior results do not guarantee a similar outcome. This article is for informational purposes only and does not constitute legal advice.

Share this Article

More to Explore

Schlanger Law Group In The Media

Blue background with white LAW360 logo.
The New York Times logo in white on a black background.
Black background with white WSJ letters.
Black and white ABA Journal logo.

Give Yourself A Legal Voice and Restore Your Financial Life.

Reach out to Schlanger Law Group for a free consultation, and let’s discuss your case with no upfront fees.

Something went wrong. Please try again or call us at (212) 500-6114.

The information on this website is for general information purposes only. Nothing on this site should be taken as legal advice for any individual case or situation.
This information is not intended to create, and receipt or viewing does not constitute, an attorney-client relationship.
ATTORNEY ADVERTISEMENT | Past Results Do Not Guarantee Similar Outcomes in the Future

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Copyright © 2023, Schlanger Law Group, LLP. All rights reserved.| Disclaimer | Privacy Policy

WEBSITE BY: VISIONTRACTION