You might not know it, or like it, but there’s a good chance your wallet is transmitting all the information on the face of your credit card, such as your account number and expiration date. If you’re carrying credit cards enabled with a radio frequency identification (RFID) chip (commonly called smart cards or chip cards), some would argue that you’re a sitting duck.
But not us.
Despite claims that credit cards with RFID chips expose consumers to a whole new threat of identity theft—best illustrated in an Internet video that shows how someone could steal the information on your card without even touching it—we think you should feel as comfortable using smart cards as you’ve felt using traditional magnetic-stripe cards.
CARD CREDIBILITY. We scrutinized all facets of smart cards and interviewed security experts, credit-card company officials, scientists and even would-be hackers. Smart cards aren’t perfect and certainly are not as convenient to use as credit-card issuers would have you believe. To use a smart card, you tap or place your card within a couple of inches of an RFID reader to pay for an item. A tiny microchip attached to an antenna inside the card transmits information to the reader, which in turn relays it to the issuer.
The good news is we found no tangible, real-world evidence that indicates that using credit cards with RFID chips increases the likelihood that you’ll become a victim of identity theft. The bad news is that some people don’t realize they have a chip card.
Too often, customers receive smart cards unsolicited as a replacement for their existing traditional card. In most cases smart cards look like standard credit cards, because they also include the traditional magnetic stripe on the back. But they also have a tiny, flat chip—no bigger than a fly’s head—embedded in the face of the card. Not sure whether your card has a chip? Take it to a branch of the bank that issued it, and bank personnel will be able to tell you. If you don’t want a card with a chip, let the issuer know. It will replace the chip card with a traditional card.
Many experts we interviewed believe relaying credit-card information via the Internet still poses a much greater threat for consumers than carrying smart cards in your purse or wallet. In fact, the main reason you wouldn’t want a smart credit card has nothing to do with security. It’s rare that customers are able to use them for their “smart-ness,” given that only about 1 percent of all U.S. merchants have devices that allow customers to pay with a smart card, according to an April 2008 report by Javelin Strategy and Research.
The first of today’s 35 million RFID-enabled credit cards in the United States were introduced in 2005. But we found no anecdotal evidence or documented proof that anyone had information stolen remotely from a smart card’s chip. Such credit-card theft—whether it occurs wirelessly on smart cards or with an illegal swiping device for magnetic-stripe cards—is known as skimming.
But to date, the only indication that skimming is possible on smart cards comes from demonstrations by would-be hackers or controlled studies, including one major project in 2006 at the University of Massachusetts-Amherst. Ari Juels, a lead researcher in that study, tells us that even today the security flaws in smart cards discovered by their study are difficult for even the most technically savvy thieves to exploit.
The study examined 20 smart cards from various card issuers. Because the information in these credit-card chips essentially is broadcast like a miniature radio signal, the scientists were able to use devices that intercepted details of the credit card even if it were in pockets, wallets or purses, says Thomas S. Heydt-Benjamin, another scientist who worked on the project. Even though they retrieved the cardholder’s name, credit-card number and expiration date, none of the cards transmitted the verification code (a three-digit security code on the back of the card that is required to complete most Internet transactions). And in only one case did the researchers complete an online transaction using data retrieved from smart cards—a purchase that didn’t require the three-digit security code.