How Criminals Can Steal Your Credit Card without Ever Touching It

Forbes’ Andy Greenberg has a very nice piece on the vulnerability of contactless bank cards to a new form of skimming, which has traditionally been defined as the illegal copying of the information stored in a payment card’s magnetic stripe. The radio-frequency identification (RFID) technology has made it possible for this information to be wirelessly transmitted between a chip embedded into a card, which contains the account data, and an RFID-equipped card reader. Such readers are becoming “increasingly present” at retailer checkouts, where they allow cardholders to complete a payment by waving their card by, rather than swiping it through, the point-of-sale (POS) terminal.

The problem is, as Greenberg reminds us, that RFID card readers can easily and cheaply find their way into the hands of criminals who can then use them to copy your credit card information, even as the card never leaves your wallet, which is “securely” tucked into the inner pocket of your coat. So what can we do to protect ourselves against such high-tech pickpocketing? Well, it turns out that we have a range of options, including frying the card to kill the chip, but banks seem to have taken even more drastic measures.

How Wireless Credit Card Skimming Work

In his piece Greenberg tells us about a presentation given by Kristin Paget, a data security expert, at a hacker conference, which has provided everyone in attendance with a step-by-step guide to the wireless stealing of credit card data. It is a disturbingly straightforward process, which relies on the use of equipment that can be legitimately purchased for a few hundred dollars on eBay.

In fact, I found a YouTube video that shows you exactly how this is done:

The problem is that there doesn’t seem to be a way to make our cards readable only by authorized devices. So what’s there to be done?

How to Protect Ourselves against Wireless Skimming

As I mentioned above, one of the options suggested by Greenberg’s security expert as a sure way to neutralize the wireless skimming threat is to fry the vulnerable chip. There is catch, though. While “[t]hree seconds in the microwave will kill the chip, [f]ive seconds will set it on fire.”

Recognizing the need for a somewhat less arsonous way of dealing with the issue, Paget has come up with a protective device that would be inserted in your wallet to block the RFID waves. Think of it as the wallet-sized equivalent of the heavy blanket placed on your upper body when your dentist takes an X-ray picture of your teeth.

Yet, whatever the effectiveness of such RFID blocking devices and strategies, there is a much bigger issue at play here. It has to do with the fact that most cardholders have no idea that their cards are readable from a distance. And if you don’t know that, you also don’t know that you have a problem. So is there anything that can be done?

The Takeaway

The bottom line is that contactless skimming is a problem and one that makeshift protective devices alone, or microwave ovens for that matter, cannot solve. Ideally, RFID data transmission would only be possible when the cardholder authorizes it, but that does not seem to be feasible at present. Or at least no one is talking about it.

What I’ve noticed is that at least one big card issuer has resorted to a much more drastic solution to the problem: getting rid of the wireless capability altogether. My two new Chase cards do not display the “Blink” logo, which designates RFID capability, whereas the ones they replaced did feature it. If Chase has done it, I have no doubt that others have too. And I think that this is the right response. If you can’t fully secure a given technology, you shouldn’t be using it.

Image credit: Etsy.com.