Not really a question – just a comment: I’ve heard that cards can be scanned
remotely by someone standing in line, at the checkout, for instance. I bought a
little card holder that protects you from this. Someone also just said that you
can just wrap the card in foil. If this is true, then the fraud may not come
from buying online. Just an FYI.
In this excerpt from Answercast #70, I look at identification technology on
credit cards that can be “sniffed” right out of your pocket.
Become a Patron of Ask Leo! and go ad-free!
Stealing credit cards in line.
Yea, I’m actually aware of this, and in fact, it’s not really terribly
common… yet.
The technology is called, I think it’s RFID or perhaps even NFC (Near Field
Communications). The concept is that the credit card itself has a little
essentially radio transponder. It’s not powered. Obviously, there’s no battery
in your credit card, but it can be energized remotely by a radio signal and
when it is, it responds with information.
You must be close
It’s a very near-field kind of a thing. In other words, you have to be pretty
close to the card in order to activate this thing. In fact, you’ve probably
seen at some of the credit card terminals (at your grocery store, coffee shop,
or whatever); there will be a place where you can just wave your card over the
device, and the device then reads your information from the card.
Notice though that you actually have to get the card within a few inches of
the device in order for that to be read.
Identity theft
But you’re right. The fact is: the technology exists. In fact, I have heard
of people having their card’s information stolen this way.
It actually gets a little bit weirder because the same type of technology is
also used in, I believe, most newly issued United States passports. So the
passport itself can also be read without being opened by simply passing over
some kind of a reader.
Protecting your card
You’re right. Something as simple as a piece of foil over your card in your
wallet will do it.
As it turns out, because I’m aware of this (and I did notice that on one of
my credit cards: I carry three but only one of them actually has this
technology in it)… Because I noticed that and because I got a new passport, I
actually purchased (from ThinkGeek.com of all places) a wallet that includes
within it metal shielding.
There’s actually no loose foil in the wallet. But if you feel the outside of
the wallet, you can feel that there’s some crinkly stuff underneath the fake
leather. That’s essentially foil of some sort protecting or shielding the
card inside from anybody trying to activate it from outside your wallet.
I also have a similar thing for my passport; same place ThinkGeek.com had
it. It’s a passport holder that… same thing – it’s got some foil in its
lining that prevents the thing from being able to be read externally.
Does your card have it?
It is something to be aware of, especially if you carry these kinds
of cards. You can normally tell if they have them because there will be a
little indicator on the back of the card that has a picture (it’s almost a
Wi-Fi-ish or radio-ish type of logo) that will indicate that the card supports
this technology.
If you’re in crowded places regularly, you might want to look into some kind
of a radio shielding wallet or other kind of sleeve for these cards. At least
be aware of this particular problem as a possible way that card information can
be stolen.
It is not very common right… now – both in terms in the number of cards
that have the technology and the number of people that are out swiping this
information using this technique.
The fact is: there are easier ways for thieves to get a hold of your credit
card. Most notably just stealing your wallet. But it is something to be aware
of.
Like I said, the credit card companies are also aware of this. They are
doing the traditional thing of trading off convenience versus risk, since they
pick up the liability if your credit card gets stolen. It’s usually not that
big of an issue for you, other than the hassle of having to get a new credit
card if something happens.
Thanks for the information. It’s a good reminder for everybody.
I carry 6 or 7 RFID cards with me all of the time. Before, when I had only one, I could hold my wallet up to the reader and it would read the card. Now when I have even 2 or 3 cards in my wallet, if I hold it up to the reader, it will produce an error flash from the reader. My question to the Ask-Leo! community is: If this is the case with legitimate readers, would this also protect me from remote scanning as the signals would conflict?
It is ignorant for banks to issue these cards. They will issue a non-RFID for free if you ask.
You have to be within a few inches of a standard reader but someone could possibly read the card from several feet. I’m not concerned about credit cards as I’m not liable, but how about my bank account card?
Yes, your credit card number can be read, but not the verification number or the expiration date, two things that one must have in order to charge to that number.
RFID stands for Radio Frequency IDentification. It is simply a means of charging a low frequency card so that it gives off its encoded number. It is very widely used in access control system and is more usually calle “prox” for proximity. The older 125mhz cards had nothing more than the cards code and that was it. Newer smartcards have a chip similar to that found on some credit card and sat receiver box cards, i.e a small contact area which comes into contact with “feelers” which connect them as temporary contacts. These usually charge the chip in the card which gives up its information and will contain the account number and card code in encrypted form. Running a scanner over these cards probably wont do anything as the connections are not made by radio but by physical contact, however there are some “RFID” cards that have active scanning so it could very well happen. Much newer “near field” cards and chips fitted to smart phones etc are able to transmit once woken up. However you will need some cunning stuff to get the encryption to break. The answer is quite simply that its too new and hasnt been broken yet. However, like all things electronic it will only take time. The advice is shield the cards as much as you can. I personnaly will not have near filed in my smart phone, its just to risky.
One of the large supermarket chains in Canada uses RFID scanning for small purchases, perhaps up to $50. The clerk said, “just wave your card at the scanner,” as if all local credit cards have RFID.
The same card also has a chip and metal contacts, but that’s separate technology.
Any metal will protect these RFID enabled card. A piece of folded window screen works just fine. I think the term for this is “Farady Cage”.
So if someone alters the software on their smart phone that is used for the “legal” credit card transactions they would soon be able to walk down the street and collect $25.00 from each person they walk by???
Wasn’t there a problem, some time ago, that cards became “unuseable” if kept in a wallet with other cards? Is a piece of foil really enough ?
I made my own little case out of paper, aluminum foil, and some HD packing tape. It works. And I separate each card from the others with a little “flap” of folded paper. That works too.
Either CTV or the CBC did a study on staling data from these cards. In Canada see 5th Estate, MarketPlace, and several other investigative shows. I think one is called 16×9. They actually had a guy with a home made reader and a laptop, and he could read all kids of people’s data off the cards in wallets and purses. Scary.
In Canada, this near field communication as well as a chip embedded in your card is becoming standard. In Canada, we would love to get rid of magnetic strips because that is the largest cause of credit card theft.
A couple weeks after returning from a recent trip to the US, my card was compromised. MasterCard caught it before I was even aware because all my purchases (in Canada) use the chip (with a PIN for verification). The fraudulent transactions were swiped with the magnetic strip. So one of the US merchants/hotels/restaurants must have a card skimmer on their credit card machine (either knowingly or unknowingly).
I read up on the near field because it is convenient when I stop in at the drug store to just tap my card on the machine and walk out the door. My understanding from MasterCard is that their is a unique code that is generated each time the card is used, so even if someone picked up your card data, they can’t just take that data and make a new credit card with it. It would take some extra effort and cost.
Why would someone want to go to extra effort and expense to manufacture cards this way when it’s easier to just steal magnetic swipe info. Of course I’m not naive enough to think that nobody’s working on it; I’m sure they are.
But I think it’ll be a while before this really becomes a bigger risk because the US is hooked on magnetic strips and to eliminate the magnetic strips on Canadian cards would make it impossible to travel and use in the US (and how many other countries). And it’s impossible to eliminate the magnetic strip readers because that would mean that Canadians could not accept US cards.
Credit card security would be greatly enhanced by the US adopting the chip and pin technology as quickly as it has been done in Canada.
OK, the technology in the card is activated by a ‘field’ around the credit card terminal. I get that. And the field from that terminal is small. I get that too – it’s been designed that way. But a “bad guy” will make his machine with a greater field, will he not? It has been proven many times, that it is not the strength of the transmitter that is important – it’s the sensitivity of the receiver.
Looks like the tinfoil hat crowd had it right all along. They were just ahead of their time.