2/21/2012 6:03 PM ET
Risks of 'swipe and go' credit cards
RFID credit cards offer convenience, but they're not entirely safe from identity thieves. Here's where you may be vulnerable.
Chip ahoy! Are RFID credit cards secure?
Ask any of the estimated 9 million Americans who become victims of identity theft each year: Getting billed for someone else's credit card charges stinks.
Enter the "radio frequency identification" credit card. Designed to provide extra layers of security against identity theft, an RFID card transmits credit card information through radio waves from a chip embedded in the card. (The cards also have a magnetic stripe on the back so you can swipe them in the traditional way.)
If you're using a card with an RFID chip and your merchant has a compatible card reader, you don't have to swipe your card when making a transaction. You merely hold your card within one to four inches of the card scanner. This practice raises questions as to how safe the technology is and whether you should protect your RFID card with a special wallet or card sleeve. Here's the skinny on RFID credit cards.
Benefits of the RFID card
Available through credit card companies such as Visa, MasterCard and American Express, RFID cards eliminate certain security hazards posed by traditional cards but could make you vulnerable to others. According to Denis G. Kelly, the author of "The Official Identity Theft Prevention Handbook" and the chairman of the Identity Ambassador Commission in Seattle, the security benefits of the RFID cards are threefold: limited card exposure, data encryption and new authentication codes.
A side benefit: RFID cards also help speed the checkout process. "RFID technology tends to cut the overall transaction time (of a credit card purchase) in half," says Kelly.
Because the technology doesn't require a cardholder to physically remove the card from a wallet, RFID can eliminate the need for waiters, retail clerks and other salespeople to handle your card, Kelly points out. That creepy guy lurking behind you at the grocery store? He won't get a chance to see your credit card info because you'll never have to take your card out.
Does RFID make it easier to steal?
The new technology causes some to worry that it's now easier to steal RFID credit card information. Because your RFID card allows you to complete transactions without pulling out the card itself, critics argue that identity thieves could swipe your credit information simply by placing an RFID scanner nearby.
Jay Foley, the executive director of the Identity Theft Resource Center in San Diego, admits that thieves could get your card information remotely through a scanner, but adds that they probably wouldn't be able to use it. Unlike magnetic stripe cards, RFID credit cards encrypt a cardholder's information. To access a consumer's account, thieves not only have to scan the card but must also break the card issuer's encryption.
RFID cards also create a new authentication code for each transaction. If identity thieves nab info by physically skimming a traditional credit card, they can use that information as many times as they like, racking up purchase after purchase until the card gets reported. If all they have is the information from your RFID chip, they can make only one purchase with that authentication code.
"If someone captures your (RFID) card (electronically), the most they can use it is one transaction," Foley explains.
But of course the encryption and authentication code help you only if your card information is swiped remotely from an unauthorized scanner. If thieves physically nab your RFID card, they can still use the magnetic stripe all over town until you alert the authorities.
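The one-purchase limit described above can be sketched as follows. This is an added illustration, not code from the article or from any card network: the HMAC-over-counter scheme, the key and the account number are constructed assumptions standing in for the issuer's real algorithm.

```python
import hmac
import hashlib

# Constructed demo values; real cards use issuer-specific keys and algorithms.
CARD_KEY = b"demo-card-key-not-real"
PAN = "4000000000000002"  # constructed account number


def dynamic_code(key: bytes, pan: str, counter: int) -> str:
    """Code the chip emits for one tap: a MAC over account number and counter."""
    msg = f"{pan}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]


class Card:
    """Contactless chip: holds the key and bumps its counter on every read."""

    def __init__(self, key: bytes, pan: str):
        self.key, self.pan, self.counter = key, pan, 0

    def tap(self) -> dict:
        self.counter += 1
        return {"pan": self.pan, "counter": self.counter,
                "code": dynamic_code(self.key, self.pan, self.counter)}


class Issuer:
    """Authorization side: accepts each counter value at most once."""

    def __init__(self):
        self.keys = {PAN: CARD_KEY}
        self.last_counter = {PAN: 0}

    def authorize(self, txn: dict) -> str:
        key = self.keys.get(txn["pan"])
        if key is None:
            return "declined: unknown card"
        expected = dynamic_code(key, txn["pan"], txn["counter"])
        if not hmac.compare_digest(expected, txn["code"]):
            return "declined: bad code"
        if txn["counter"] <= self.last_counter[txn["pan"]]:
            return "declined: code already used"
        self.last_counter[txn["pan"]] = txn["counter"]
        return "approved"


def demo() -> list:
    card, issuer = Card(CARD_KEY, PAN), Issuer()
    captured = card.tap()  # one read of the chip
    relabeled = dict(captured, counter=captured["counter"] + 1)  # same code, new counter
    return [issuer.authorize(captured),    # first use of the captured code
            issuer.authorize(captured),    # the same capture presented again
            issuer.authorize(relabeled)]   # old code no longer matches the counter
```

Static magnetic-stripe data has no counter or per-transaction code, so the issuer has nothing comparable to check when the same stripe data is presented repeatedly.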
Reports of RFID hacking
There's no doubt that limiting who handles your credit card and the number of purchases thieves can make on stolen accounts will significantly increase card security, but questions remain as to the reliability of RFID credit card encryption.
According to a University of Massachusetts, Amherst, study published in 2007, researchers purchased a commercial RFID scanner over the Internet and accessed sensitive information on 20 different first-generation RFID cards issued in 2006.
One year later, a University of Virginia graduate student successfully hacked RFID encryption found in rechargeable bus and subway cards issued by the Massachusetts Bay Transportation Authority.
It's worth noting that, to date, there's never been a major RFID credit card breach outside of a lab, but that's not stopping retailers from selling aluminum-lined wallets and card sleeves designed to disrupt unwanted radio waves from reaching your cards.
Protecting your RFID credit card
The first step to protecting yourself from RFID identity theft is simply knowing if you have an RFID-enabled credit card. You can find out by calling your credit card company, reading your card agreement or checking your card for the presence of an RFID chip or RFID logo, which looks like a series of expanding ripples or waves.
Consumers concerned about the security of their RFID card can purchase an RFID-blocking wallet or credit card shield, although both Kelly and Foley insist that such protection products aren't absolutely necessary at this point.
"If it's that big a concern to you," says Kelly, "I probably recommend not using an RFID card."
As this technology is rolled out ever more and adopted by more companies & institutions, the more threat there is of getting your personal identity thieved.
You have several different types of RFID enabled cards in your wallet or purse.
Citizen Card if you have them (I read the EU is rolling out over 400 mil with RFID enabled technology)
Local Library card
Driver's licence (some countries / states already have these implemented)
Social security card
Now if an RFID reader reads all these cards, which they can because that is the nature of the technology, regardless of whether there is encryption or not, it will transmit data.
You may not get all your Personal Identity data from one card source, but combined you will often get a very good picture of someone's personal identity that can easily be cloned and used for criminal activities like getting a loan etc.
So holistically the threat of identity theft is of greater concern & the more this technology is adopted the easier it will be.
An unencrypted RFID tag costs, let's say, approx .25 cents whereas an encrypted RFID tag costs upwards of $5; you do the maths, not everyone can afford encryption.
More reading on this subject can be found at www.armourcard.com.au
1/ Banks limit the money you can spend on it to $100 or so (if it was so secure why not allow for greater amounts, like 5k, 10k) - rather suspect I feel
2/ The banks guarantee to repay you the money that was skimmed. - (admission really, when does a bank do anything without a motive, they want to roll out this far & wide and already have invested billions on this technology)
2/ The US government has mandated that employees with RFID enabled ID cards and building entry passes need to wear an RFID blocking sleeve etc
Another few points, in the article they say (paraphrasing) there have been no documented accounts of ePickpocketing out of the lab tests. What a laugh, I didn't see that question on the last census I did, as if the criminals would comply by putting up their hand to say yep I do it. Often the consumer doesn't even know they have been skimmed.
In relation to the one-off transaction ID, that is fine but nothing stops a dialed up reader, programmed to get multiple transaction codes in seconds, then sending the data live to a 3rd party for producing cards and spending (so from 1 transaction of $100 to 10 transaction IDs for $1000) in the same time it takes to get one, it's the hacker & the software they use.
These passive shields or blocking wallets have mixed results* and have been bench tested, because if a skimmer dials up the power on their RFID reader (i.e. greater than the ISO standard) they can often still penetrate passive shielding and blocking items.
Copyright © 2013 Microsoft. All rights reserved.