Can your ID be stolen by just walking past a hacker?
… According to the Identity Theft Resource Center, the Smart Card Alliance states that: “the financial payments industry has designed multiple layers of security throughout the traditional credit and debit payment systems to protect all parties involved in the payment transaction.” “For contactless payments (RFID), the financial industry uses added security technology, both on the contactless device (RFID card), as well as in the processing network and system to prevent fraud.”
The article goes on to state that industry-standard encryption, authentication, confidentiality and control are some of the security measures being used to protect your identity. But how well does this added security work?
Well, here is where things get really murky. You have some authorities claiming that contactless credit cards are safe, but you have others showing that they clearly aren’t.
Even Mythbusters has been caught up in the drama. In 2008, they were going to do a show on RFID, but caved in to external pressure not to do the show. Later, they released a statement that they were not pressured to cancel the show.
In December of 2010, WREG, Channel 3 news in Memphis, decided to put this to the test. In just one hour, Walt Augustinowicz (of Identity Stronghold), armed with a netbook computer and a wireless card reader he bought online for under $100, patrolled Beale Street looking for volunteers. He had 20 people volunteer to be scanned and, of these, he was able to read the account number and expiration date of 5 people who carried RFID-enabled credit cards…
Selection of an article written for The Office Survivalist, continue reading here.
Looks like Chris Paget has done a lot of research into this issue. Apparently the record for reading one of these chips is over 200 feet, and in theory one could be read from over a mile away. For more info check out Chris’s Black Hat video “Extreme Range RFID”:
And Chris’s appearance on FoxNews:
Apparently, the security code on the back of the credit card is one of the saving graces. It is not transmitted wirelessly with the account info. But not all companies require this code for a purchase. Most credit cards offer full refunds for fraudulent purchases and, as far as is known, this technique has never been used to actually steal information.
It would seem hackers prefer databases that store thousands of credit card numbers over walking around and waving an RFID reader around people’s butts after a football game.
RFID-blocking sleeves and wallets are available that prevent these signals from being read remotely. You can also ask your bank for non-RFID credit cards. Passports have blocking material in the cover, and currently only a few states issue RFID-enabled cards.