Credit Cards At Risk from High-Tech Pickpockets?

[GumbyCT]

BEWARE - Expert Demonstrates How Your Credit Card's RFID Chip Can Help Crooks Steal Your Info Without Stealing Your Card.

I don't have one the these new fangled cards but I think I would destroy it if I did.

--------------------------------------------------
(CBS) It's supposed to make paying for things faster and easier - just wave your credit or debit card over a scanner and you've paid.

But now some worry that radio frequency identification (RFID) technology is also making it easier for crooks to rip you off.

Security expert Walt Augustinowicz took a stroll along Beale Street in Memphis where, as witnessed by CBS Affiliate WREG, he was able to swipe the credit card information from passers-by.

"If I'm walking through a crowd, and I get near people's back pocket and their wallet, I just have to get that close to it and there's my credit card and expiration date on the screen," Augustinowicz told WREG correspondent Scott Noll.

Using just an off-the-shelf card reader he bought online for less than $100 and a Netbook computer, Augustinowicz explained, he could swipe credit card numbers, expiration dates, and in some cases, even people's names.

People who thought there was no way their pocket could be picked without laying a hand on them, soon learned they were wrong.

Scanning one willing participant's wallet, Augustinowicz showed the man his credit card number and expiration date on his computer. "There you go. It's a MasterCard," he explained.

"You have a SunTrust card in there," Augustinowicz explained to a second "victim." "And that's your account number and expiration date," he said showing the man the screen.

In about an hour he scanned 26 wallets and purses. Five of them - nearly 20% - had cards with RFID chips.

Augustinowicz said crooks could work a crowd, steal numbers, and then e-mail them anywhere.

"You might as well print your credit card number across your T-shirt and walk around with it because it's the same difference," he said.

U.S. passports issued since 2006 also contain RFID technology that, Augustinowicz said, can make personal information vulnerable to theft.

Augustinowicz is the founder of Identity Stronghold, a company that markets secure sleeves and ID holders designed to block RFID hacking.

Among his customers: The U.S. government.

So is Augustinowicz just trying to scare people into buying his product, or is the threat real?

Experts at the San Diego-based Identity Theft Resource Center told WREG that they've never seen a case of RFID skimming used to steal information.

WREG's Steve Noll show showed a video of Augustinowicz's demonstration to University of Memphis professor and computer security expert Mark Gillenson.

Gillenson calls it technology run wild, and called WREG's findings compelling.

"It's potentially a major problem," he said. "I think people do need to be concerned and should be aware, and we'll see if this becomes a major problem."

WREG contacted several credit card issuers for comments about RFID technology.

Discover said its Discover Zip contactless card, unlike RFID, is designed to operate only at very short ranges (less than 2-4 inches). Using RF-enabled technology, the card "has a unique security feature in that the verification code changes each time you use it - so that any skimmed data could not be reused."

American Express told WREG that it is confident in the security of its RFID technology, called ExpressPay. Its says ExpressPay contains a unique "key" that generates a different digital signature for each transaction that cannot be copied, overwritten or read. The ExpressPay key creates an unbreakable cryptogram, ensuring the ExpressPay device is legitimate. "We believe that the cryptogram is the best technology available today for ensuring the integrity of ExpressPay transactions and minimizing the risk of fraud," American Express said.

MasterCard said that its PayPass cards and devices "are as secure as paying with traditional MasterCard cards that have magnetic stripe technology. In fact, many consumers claim that they feel more secure with PayPass because they never have to turn the card over to a cashier and it never leaves their hand."

In response to WREG's report demonstrating the swiping of digital data, MasterCard said, "'s important to point out that they can't do anything with that data," such as making an Internet phone purchase without the 3-digit CVC number printed on the card's back; nor could anyone create a phony magnetic stripe card.

Representatives of Visa have not responded to multiple requests from WREG for comment on its story.

the full story here -
http://www.cbsnews.com/stories/2010/12/ ... 4331.shtml

[BlackSpinner]

I saw that on a tv show "NCIS" so by last year the writers of this show had an inkling of this possibility. Now mind you they always exaggerate on crime shows but it was so close to the truth it is scary.
I don't have a credit card, If I did it would be in a secure sleeve immediately.

[chunkyfrog]

I saw an 'Instructable' for creating a shielding wallet for RFID cards--essentially a pocket-size Faraday cage.

[BlackSpinner]

I saw an 'Instructable' for creating a shielding wallet for RFID cards--essentially a pocket-size Faraday cage.

Maybe Padacheek can add it to her product line?

[billbolton]

Using just an off-the-shelf card reader he bought online for less than $100 and a Netbook computer, Augustinowicz explained, he could swipe credit card numbers, expiration dates, and in some cases, even people's names.

Um.... so what

There are MUCH are easier ways to get that information than doing that, and you can't do much with that information set nowadays anyway

Facebook is HUGELY greater privacy/financial risk.

Cheers,

Bill

[LinkC]

Just keep your cards in your tin-foil hat!

The way I understand it, each time the RFID is read, the code is changed.. Thus, if they read the existing code on the street, they've just changed it...so the code they have is already obsolete.

Did you notice the folks promoting this "scare" and doing the street demos make and market wallets and "sleeves" to protect your cads. Hmmmm...do I believe them?

[ZQuest]

Just keep your cards in your tin-foil hat!

The way I understand it, each time the RFID is read, the code is changed.. Thus, if they read the existing code on the street, they've just changed it...so the code they have is already obsolete.

Did you notice the folks promoting this "scare" and doing the street demos make and market wallets and "sleeves" to protect your cads. Hmmmm...do I believe them?

HMMMM I Agree with you 100% LinkC

[chunkyfrog]

Your Passport also has an RFID--I don't think the code cycles there.

[billbolton]

Your Passport also has an RFID--I don't think the code cycles there.

This is what the Australian Passport Office says about ePassport technology...

• The biometric chip and the electronic equipment used to write and read the chip [in the passport] meet the standards set by ICAO.
  
  Only the secure systems used in the Australian Passport Office are able to write your personal information on the chip in your passport. The ePassport incorporates security features to prevent anyone from changing or accessing information stored on the chip.
  
  Protection of the data is achieved through use of Public Key Infrastructure (PKI) cryptography. The use of PKI provides assurance to the reader that data on the chip was put there by an authorised entity, is complete, and has not been changed.
  The chip also uses Basic Access Control (BAC) to minimise the risk of ‘skimming’ or ‘eavesdropping’ and to ensure that data can be read only when the passport is presented by the holder.

Like any identification system that needs to be pragmatically usable at any arbitrary location (rather than a closed set of specific locations) there are ways of attacking the ePassport technology, but all of them require physical access to the passport as a minimum starting point, so the RF scanning approach that started this thread is quite useless for that purpose.

Cheers,

Bill

[GumbyCT]

Your Passport also has an RFID--I don't think the code cycles there.

I just received mine last week. I have the 'ol fashioned version.

[chunkyfrog]

Ah, so the passport with the RFID costs extra?
One thing I can live without.