Credit Card Chips and Identity Theft
Can you identify this symbol?
It is the symbol placed on RFID chipped credit cards, cards you may well have in your wallet which are transmitting your personal information without you even knowing.
Radio-frequency identification (RFID) chips first gained traction as a payment method in 1997 when ExxonMobil debuted their Speedpass key chain device. Just sweep the device past the receptor and you are done – no need to break out your wallet. When researchers broke the security algorithm in 2005, permitting them to copy the devices and purchase gas, ExxonMobile responded by beginning to require consumers enter their zip codes at the time of purchase to prevent fraud. As is typical with security concerns, corporations are more reactive than proactive when it comes to security, which leaves the consumer at risk.
RFID chip cards began rolling out in the US in 2005. However, within a year, in October 2006, the New York Times reported on the concerning security flaws – researchers with $150 in equipment discovered the cards had weak or no security. The chips transmitted the cardholder name and credit card number to their handmade RFID scanner. These scanners are currently available on eBay for under $100. The credit card companies responded by claiming no such attacks had occurred, so no one need worry. Some aspects of the security were tightened, but most of these chips could still transmit your card number, expiration date, and CVV number – everything a thief needs to create a fraudulent card of their own. In 2011, Consumer Reports warned their readers about these “contactless credit cards”. A fraudster need only be carrying a reader in a purse or bag and “accidentally” bump into you – the reader will grab the information from your wallet. Unlike with the classic pickpocket scheme, the cardholder has no idea their information has been compromised. A few hours in the mall or at a train station could net hundreds of card numbers.
There are currently an estimated 100 million of these cards in circulation today. Check your credit cards – each lender calls their touchless program by a proprietary name. MasterCard features “PayPass” and Visa calls theirs “payWave”. Of note – this year Chase quietly discontinued their “blink” contactless program, but only through attrition – so when the contactless card you have now expires, it will be replaced with a different type of card. The card issuers have strong motivation to keep rolling out these types of cards. In a 2012 press release, MasterCard claimed a 15-month study showed PayPass-using customers “spent almost 30% more on average”.
Some companies have started encrypting the data or appending a PIN number that must match the PIN at the company with the PIN changing for every transaction. Even with the PIN enhancement, it is still possible for quick acting thieves to obtain your data and use the information, especially for online purchases.
RFID technology is becoming more popular in other areas of your life as well. Many companies use RFID cards to operate security locks to allow access to the premises. FasTrak for the toll roads is an RFID system. The London Oyster card allows for contactless payment in the same manner. No doubt, our local mass transit agencies are also moving away from cash and towards a contactless payment system. Even Disney is getting in on the action. Disney is using an RFID wrist cuff in their Florida parks that will allow guests to store FastPasses and their credit card information so that they may make immediate purchases. While not advertised as such, the RFID wrist cuff allows Disney to track their guests throughout the park. There is nothing to prevent another company from collecting similar tracking data about you while in the mall by simply reading your RFID card information.
As RFID becomes more and more prevalent, we need to be ever cognizant of the information we are allowing companies and individuals to obtain about us.
This article is for educational purposes only and is not intended to constitute legal advice.