What starting position does this attack require?

The first step is Make fraudulent purchase (T1041) — a exfiltration primitive. Assumed environment: target merchant uses payment terminals that allow EMV-to-magstripe fallback.

What is the final impact of this kill-chain?

The final step lands on Encode cloned magstripe (POS-CHIP-SHIMMER), which falls under Collection. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 4 steps · 3 edges

Approved

EMV → Magstripe downgrade → card cloning

Many terminals still accept magstripe fallback when EMV chip 'fails'. Block / corrupt the chip read; terminal accepts cloned magstripe data captured earlier from a shimmer or skimmer.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Exfiltration

Make fraudulent purchase

T1041 · Exfiltration Over C2 Channel

Collection

Obtain card data via skimmer / shimmer

POS-CARD-SKIM · Card Skimmer Hardware

Defense Evasion

Force EMV failure → magstripe accepted

POS-EMV-DOWNGRADE · EMV-to-Magstripe Downgrade

Collection

Encode cloned magstripe

POS-CHIP-SHIMMER · Chip Shimmer (EMV)

§ Context

Assumed environment: target merchant uses payment terminals that allow EMV-to-magstripe fallback. Attacker has card data (track 1/2) from a prior chip-shimmer or skimmer deployment.

§ Steps

01
Make fraudulent purchaseExfiltration
T1041— Exfiltration Over C2 Channel
02
Obtain card data via skimmer / shimmerCollection
POS-CARD-SKIM— Card Skimmer Hardware
03
Force EMV failure → magstripe acceptedDefense Evasion
POS-EMV-DOWNGRADE— EMV-to-Magstripe Downgrade
04
Encode cloned magstripeCollection
POS-CHIP-SHIMMER— Chip Shimmer (EMV)

§ References

T1041Exfiltration Over C2 Channel

§ Frequently asked

What is the "EMV → Magstripe downgrade → card cloning" attack path?: Many terminals still accept magstripe fallback when EMV chip 'fails'. Block / corrupt the chip read; terminal accepts cloned magstripe data captured earlier from a shimmer or skimmer. It chains 4 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Make fraudulent purchase (T1041) — a exfiltration primitive. Assumed environment: target merchant uses payment terminals that allow EMV-to-magstripe fallback.
What is the final impact of this kill-chain?: The final step lands on Encode cloned magstripe (POS-CHIP-SHIMMER), which falls under Collection. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.