There have been some alarming reports circulating recently about security problems with contactless, or Radio Frequency Identification (RFID), cards. These include credit, debit, or ATM cards, all of which can be enabled for contactless transactions by an embedded RFID chip. Encoded within the chip are confidential account details such as the account number and expiry date. To make a quick purchase the customer just holds the card up to a merchant’s contactless reader at the point of sale; the account details are read and the transaction is recorded.
Early adopters of contactless technology include coffee shops, public transport providers and fast food stalls. A potential weakness of the contactless system is that enterprising fraudsters may be able to use their own illegal RFID readers to capture customer account details. The story seems to have originated from Memphis-based TV channel WREG, which ran an item called ‘Electronic Pickpocketing’ in December 2010.
The TV station commissioned an undercover reporter to patrol a shopping street with a card-reader, bought for less than $100, and test the device out (on willing volunteers, not on unknowing victims, I should point out!). The reporter was able to use the device to scan contactless cards remotely from people’s wallets, pockets and bags, and display their account details on its screen. The story ‘went viral’ after being posted on WREG’s website, reportedly attracting 1.2 million views in the first few days.
Information he was able to steal included the card issuer name, customer account number, card expiry date and customer name. All this data can be scanned in, stored, and then emailed to criminals anywhere in the world. Imagine a fraudster armed with this card reader, at a football match, for example. Thousands of people crammed together in a small space, all carrying contactless cards to pay for their mid-match snack at the hot dog stand. Rich pickings indeed for an enterprising criminal, all for the outlay of $100 and a couple of hours ‘work’! It turns out that WREG’s undercover reporter was none other than Walt Augustinowicz, founder of security firm Identity Stronghold.
According to him, it’s not just your account details that are at risk from this type of theft, but also your passport, which, if it was issued in recent years, will also contain the new-style RFID chip and is vulnerable to being illicitly scanned in the same way. Hacking a passport yields personal details such as date of birth and a photograph, which can then be used to create fake IDs.
Mr Augustinowicz’s company is in the business of marketing protective devices designed to shield plastic cards and passports from illegal scanning. I’m informed that aluminium foil will have the same effect, though I have not tried this out myself yet. Sounds like a simple idea which could save a lot of problems, doesn’t it? But do we really need a protective cardholder? What is the true extent of the risk for contactless customers? Once criminals have got hold of our account details, just how much damage can they do?
Before we all start to panic about this report, it is important to remember that there are safeguards built into contactless cards to prevent major losses to customers. Most importantly, they cannot be scanned by card readers for a PIN or a CVV (3-digit security code). Some older contactless cards may hold a scannable customer name, but not the later editions. Either way, account number and expiry date, with or without a customer name, are insufficient data to create an illegal cloned card. For a Card Not Present (CNP) transaction, that is a telephone or internet purchase, a fraudster would also need to know the long number embossed on the card and the CVV. Contactless cards are designed to be read only when held close to a merchant’s reader, and have a limited transmission range, meaning that any would-be scammer would have to get pretty darned close to you in order to be physically able to scan your card.
Contactless card providers are constantly striving to ensure their customers are safe from fraud, and the latest cards emit their data in an encrypted format. Another security feature intrinsic to contactless cards is that they are only intended for relatively low-value purchases, and typically have a transaction limit of $30 or less. So it is unlikely you will ever lose much to a scammer. In the meantime, it wouldn’t hurt to invest in a bespoke card wallet, or at least wrap your card up in a bit of kitchen foil.