Credit card theft "out of pocket" is possible with a new technology. And yes, foil in a wallet is a way to "foil" the thieves.

Not really a question - just a comment: I've heard that cards can be scanned remotely by someone standing in line, at the checkout, for instance. I bought a little card holder that protects you from this. Someone also just said that you can just wrap the card in foil. If this is true, then the fraud may not come from buying online. Just an FYI.

In this excerpt from Answercast #70, I look at identification technology on credit cards that can be "sniffed" right out of your pocket.

Stealing credit cards in line.

Yeah, I'm actually aware of this, and in fact, it's not really terribly common... yet.

The technology is called, I think, RFID, or perhaps even NFC (Near Field Communication). The concept is that the credit card itself has what is essentially a little radio transponder. It's not powered. Obviously, there's no battery in your credit card, but it can be energized remotely by a radio signal, and when it is, it responds with information.

You must be close

It's a very near-field kind of a thing. In other words, you have to be pretty close to the card in order to activate it. In fact, you've probably seen, at some credit card terminals (at your grocery store, coffee shop, or wherever), a place where you can just wave your card over the device, and the device then reads your information from the card.

Notice though that you actually have to get the card within a few inches of the device in order for that to be read.

Identity theft

But you're right. The fact is: the technology exists. In fact, I have heard of people having their card's information stolen this way.

It actually gets a little bit weirder because the same type of technology is also used in, I believe, most newly issued United States passports. So the passport itself can also be read without being opened by simply passing over some kind of a reader.

Protecting your card

You're right. Something as simple as a piece of foil over your card in your wallet will do it.

As it turns out, because I'm aware of this (and I did notice that on one of my credit cards: I carry three but only one of them actually has this technology in it)... Because I noticed that and because I got a new passport, I actually purchased (from ThinkGeek.com of all places) a wallet that includes within it metal shielding.

There's actually no loose foil in the wallet. But if you feel the outside of the wallet, you can feel that there's some crinkly stuff underneath the fake leather. That's essentially foil of some sort protecting or shielding the card inside from anybody trying to activate it from outside your wallet.

I also have a similar thing for my passport; the same place, ThinkGeek.com, had it. It's a passport holder that... same thing - it's got some foil in its lining that prevents the passport from being read externally.

Does your card have it?

It is something to be aware of, especially if you carry these kinds of cards. You can normally tell if they have them because there will be a little indicator on the back of the card that has a picture (it's almost a Wi-Fi-ish or radio-ish type of logo) that will indicate that the card supports this technology.

If you're in crowded places regularly, you might want to look into some kind of a radio shielding wallet or other kind of sleeve for these cards. At least be aware of this particular problem as a possible way that card information can be stolen.

It is not very common right now, both in terms of the number of cards that have the technology and the number of people who are out swiping this information using this technique.

The fact is: there are easier ways for thieves to get a hold of your credit card. Most notably just stealing your wallet. But it is something to be aware of.

Like I said, the credit card companies are also aware of this. They are doing the traditional thing of trading off convenience versus risk, since they pick up the liability if your credit card gets stolen. It's usually not that big of an issue for you, other than the hassle of having to get a new credit card if something happens.

Thanks for the information. It's a good reminder for everybody.

Article C6028 - November 14, 2012

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.

12 Comments
Mark J
November 16, 2012 7:22 AM

I carry 6 or 7 RFID cards with me all of the time. Before, when I had only one, I could hold my wallet up to the reader and it would read the card. Now when I have even 2 or 3 cards in my wallet, if I hold it up to the reader, it will produce an error flash from the reader. My question to the Ask-Leo! community is: If this is the case with legitimate readers, would this also protect me from remote scanning as the signals would conflict?

Randy S
November 16, 2012 8:44 AM

It is ignorant for banks to issue these cards. They will issue a non-RFID for free if you ask.

You have to be within a few inches of a standard reader but someone could possibly read the card from several feet. I'm not concerned about credit cards as I'm not liable, but how about my bank account card?

Billie Shaffer
November 16, 2012 9:31 AM

Yes, your credit card number can be read, but not the verification number or the expiration date, two things that one must have in order to charge to that number.

Mike Castro
November 16, 2012 10:20 AM

RFID stands for Radio Frequency IDentification. It is simply a means of charging a low frequency card so that it gives off its encoded number. It is very widely used in access control systems and is more usually called "prox" for proximity. The older 125mhz cards had nothing more than the card's code and that was it. Newer smartcards have a chip similar to that found on some credit cards and sat receiver box cards, i.e. a small contact area which comes into contact with "feelers" which connect them as temporary contacts. These usually charge the chip in the card which gives up its information and will contain the account number and card code in encrypted form. Running a scanner over these cards probably won't do anything as the connections are not made by radio but by physical contact, however there are some "RFID" cards that have active scanning so it could very well happen. Much newer "near field" cards and chips fitted to smart phones etc. are able to transmit once woken up. However you will need some cunning stuff to get the encryption to break. The answer is quite simply that it's too new and hasn't been broken yet. However, like all things electronic it will only take time. The advice is shield the cards as much as you can. I personally will not have near field in my smart phone, it's just too risky.

Gord Campbell
November 16, 2012 1:51 PM

One of the large supermarket chains in Canada uses RFID scanning for small purchases, perhaps up to $50. The clerk said, "just wave your card at the scanner," as if all local credit cards have RFID.

The same card also has a chip and metal contacts, but that's separate technology.

Snert
November 16, 2012 4:02 PM

Any metal will protect these RFID enabled cards. A piece of folded window screen works just fine. I think the term for this is "Faraday Cage".

David Mears
November 16, 2012 4:27 PM

So if someone alters the software on their smart phone that is used for the "legal" credit card transactions they would soon be able to walk down the street and collect $25.00 from each person they walk by???

Deanna
November 17, 2012 12:25 AM

Wasn't there a problem, some time ago, that cards became "unusable" if kept in a wallet with other cards? Is a piece of foil really enough?

Pete Laberge
November 17, 2012 6:25 AM

I made my own little case out of paper, aluminum foil, and some HD packing tape. It works. And I separate each card from the others with a little "flap" of folded paper. That works too.

Either CTV or the CBC did a study on stealing data from these cards. In Canada see 5th Estate, MarketPlace, and several other investigative shows. I think one is called 16x9. They actually had a guy with a homemade reader and a laptop, and he could read all kinds of people's data off the cards in wallets and purses. Scary.

James
November 17, 2012 7:14 AM

In Canada, this near field communication as well as a chip embedded in your card is becoming standard. In Canada, we would love to get rid of magnetic strips because that is the largest cause of credit card theft.

A couple weeks after returning from a recent trip to the US, my card was compromised. MasterCard caught it before I was even aware because all my purchases (in Canada) use the chip (with a PIN for verification). The fraudulent transactions were swiped with the magnetic strip. So one of the US merchants/hotels/restaurants must have a card skimmer on their credit card machine (either knowingly or unknowingly).

I read up on the near field because it is convenient when I stop in at the drug store to just tap my card on the machine and walk out the door. My understanding from MasterCard is that there is a unique code that is generated each time the card is used, so even if someone picked up your card data, they can't just take that data and make a new credit card with it. It would take some extra effort and cost.

Why would someone want to go to extra effort and expense to manufacture cards this way when it's easier to just steal magnetic swipe info. Of course I'm not naive enough to think that nobody's working on it; I'm sure they are.

But I think it'll be a while before this really becomes a bigger risk because the US is hooked on magnetic strips and to eliminate the magnetic strips on Canadian cards would make it impossible to travel and use in the US (and how many other countries). And it's impossible to eliminate the magnetic strip readers because that would mean that Canadians could not accept US cards.

Credit card security would be greatly enhanced by the US adopting the chip and pin technology as quickly as it has been done in Canada.

Bob
November 19, 2012 4:40 AM

OK, the technology in the card is activated by a 'field' around the credit card terminal. I get that. And the field from that terminal is small. I get that too - it's been designed that way. But a "bad guy" will make his machine with a greater field, will he not? It has been proven many times, that it is not the strength of the transmitter that is important - it's the sensitivity of the receiver.

Billy Bob
December 8, 2012 4:15 PM

Looks like the tinfoil hat crowd had it right all along. They were just ahead of their time.
