Protecting Credit Cards From RFID Scanning Theft
For as long as civilizations have used money – from ancient coins to modern paper bills – there have been pickpockets. Stealing cash by stealth from individuals as they go about in public has been a form of robbery for literally thousands of years, but with the recent introduction of “smart” contactless credit cards, a new form of electronic pickpocketing has become even easier.
It is now possible for someone to have their pocket “picked” from a distance, without the thief even having to physically touch the victim’s wallet. Fortunately, there are ways to protect from this new high-tech pickpocketing.
Credit cards were originally conceived of not just a way of borrowing money, or at least deferring payment by the consumer, but also as more convenient and safer than carrying cash. Even if a card owner was robbed or otherwise lost the card, a quick telephone call would cancel the card and render it useless.
A weakness in the security system began to be exploited in the 1960s, though, when transactions required an imprint of the card and a signature by the card holder on three copies of the receipt: one each for the card holder, the merchant and the bank.
Thieves discovered that a record of the card number and signature were available on the carbon paper used between these copies. This security flaw was plugged by paperless scanning technology, introduced with magnetic strips attached to the back of the card. The data was read electronically by a reader when the card was swiped during the purchase transaction, without the need of any paper records.
In the late 1990s, a new form of smart credit cards began to be introduced into the marketplace. These use radio frequency identification (RFID) microchips imbedded into the card. These chips carry much more information about the credit card account, are more difficult and expensive to counterfeit and were much easier and faster to use when charging a purchase: The card no longer had to be swiped through a reader, but merely waved in front of a reader which would electronically query the microchip for the information required to complete the transaction.
Unfortunately, this “contactless” technology also exposes the cardholders to a new form of fraud: If they can be read by authorized readers, the cards can also be read by unauthorized ones and the information used to make fraudulent purchases. It is pickpocketing crossed with identify theft.
With an easily-obtained contactless credit card reader, a laptop computer containing the required software and memory and a power source, a credit card thief can read and record the information from credit cards, right through the cloth and leather of pockets, purses, briefcases and bags of anyone just a few feet away.
All the thief has to do is carry their credit card trapping system unobtrusively in a crowd – from a mall to the lobby of a hotel – and he can harvest a large number of data sets.
The reader’s signal identifies queries and records the information from the RFID chips, including the credit card number, expiration date, name of the card holder and a one-time CVV security code. The only defense the contactless chips offer is that the CVV code can only be used once, for the next transaction; if the card holder uses the card for another transaction before the thief does, the system will note the discrepancy and automatically block any transaction with that card number.
Of course, the work-around for a credit card thief is to have a set of fraudulent transactions pre-loaded in their systems, to allow the card number to be used as soon as it is stolen.
Anyone whose credit card has an RFID chip imbedded is at risk for this form of fraud. How do they know if their cards use this technology? It’s difficult to know: While some smart contactless cards are marked with names such as “PayPass” or logos marked with “RFID” or “Radio,” the issuers are not required to identify the cards using this technology.
With nearly 400 million credit card accounts active in the United States, as of the third quarter of 2013 (the most recent period for which there are data), the number of smart contactless cards that are potentially open to theft is very large.
Fortunately, there are products already on the market to guard against unauthorized RFID scanning and data theft. Protective sleeves for individual cards or multiple cards, wallets and even money belts are readily available on the market.
These are made from material that blocks the signals from the readers, preventing the data on the chips from being transferred. If used consistently, they will frustrate electronic pickpockets.