You might not know it, or like it, but there’s a good chance your wallet is transmitting all the information on the face of your credit card, such as your account number and expiration date. If you’re carrying credit cards enabled with a radio frequency identification (RFID) chip (commonly called smart cards or chip cards), some would argue that you’re a sitting duck.
But not us.
Despite claims that credit cards with RFID chips expose consumers to a whole new threat of identity theft—best illustrated in an Internet video that shows how someone could steal the information on your card without even touching it—we think you should feel more comfortable using smart cards than you’ve felt using traditional magnetic-stripe cards.
CARD CREDIBILITY. We scrutinized all facets of smart cards and interviewed security experts, credit-card company officials, scientists and even would-be hackers. Smart cards aren’t perfect and certainly are not as convenient to use as credit-card issuers would have you believe. To use a smart card, you tap or place your card within a couple inches of an RFID reader to pay for an item. A tiny microchip attached to an antenna inside the card transmits information to the reader, which in turn relays it to the issuer.
The good news is we found no tangible, real-world evidence that indicates that using credit cards with RFID chips increases the likelihood that you’ll become a victim of identity theft. The bad news is that some people don’t realize they have a chip card.
Too often, customers receive smart cards unsolicited as a replacement for their existing traditional card. In most cases smart cards look like standard credit cards, because they also include the traditional magnetic stripe on the back. But they also have a tiny, flat chip—no bigger than a fly’s head—embedded in the face of the card. Not sure whether your card has a chip? Take it to a branch of the bank that issued it, and bank personnel will be able to tell you. If you don’t want a card with a chip, let the issuer know. It will replace the chip card with a traditional card.
Many experts we interviewed believe relaying credit-card information via the Internet still poses a much greater threat for consumers than carrying smart cards in your purse or wallet. In fact, the main reason you wouldn’t want a smart credit card has nothing to do with security. It’s rare that customers are able to use them for their “smart-ness,” given that only about 1 percent of all U.S. merchants have devices that allow customers to pay with a smart card, according to an April 2008 report by Javelin Strategy and Research.
The first of today’s 35 million RFID-enabled credit cards in the United States were introduced in 2005. But we found no anecdotal evidence or documented proof that anyone had information stolen remotely from a smart card’s chip. Such credit-card theft—whether it occurs wirelessly on smart cards or with an illegal swiping device for magnetic-stripe cards—is known as skimming.
But to date, the only indication that skimming is possible on smart cards comes from demonstrations by would-be hackers or controlled studies, including one major project in 2006 at the University of Massachusetts-Amherst. Ari Juels, a lead researcher in that study, tells us that even today the security flaws in smart cards discovered by their study are difficult for even the most technically savvy thieves to exploit.
The study examined 20 smart cards from various card issuers. Because the information in these credit-card chips essentially is broadcast like a miniature radio signal, the scientists were able to use devices that intercepted details of the credit card even if it was in a pocket, wallet or purse, says Thomas S. Heydt-Benjamin, another scientist who worked on the project. Even though they retrieved the cardholder’s name, credit-card number and expiration date, none of the cards transmitted the verification code (a three-digit security code on the back of the card that is required to complete most Internet transactions). And in only one case did the researchers complete an online transaction using data retrieved from smart cards—a purchase that didn’t require the three-digit security code.
FEAR FACTOR. Studies such as these are valuable, because they show a worst-case example of what might happen, says James Van Dyke, the head of Javelin Strategy & Research, a company that specializes in security and identity-theft issues. But he says no studies or hypothetical demonstrations should create consumer panic. “Every time I read one of these stories, they are typically about theoretical cases, which wouldn’t apply to the average person,” Van Dyke explains.
The fear, of course, is that hackers will imitate what Seattle’s Pablos Holman demonstrates on a widely circulated Internet video. He used his notebook computer and a merchant card reader he bought on eBay for $8 to read data from an RFID-enabled credit card, an experiment he repeated this spring. But the data Holman was able to read varied by the card. With the American Express ExpressPay card, for example, the number transmitted differed from the one printed on the card. Other cards transmitted all credit-card data, even the name of the cardholder. Whether data could be used to conduct a fraudulent transaction is unknown, because Holman’s only goal was to prove RFID-enabled credit cards could be read. He did nothing with the information after he had it.
In theory, a person with the same equipment Holman used could be standing beside you in an elevator or on a commuter train or could brush up next to you while standing in line for coffee and capture the information on your credit-card chip. You could call it a virtual pickpocket, except that the credit-card companies and issuers we interviewed all said their smart cards contain features that prevent hackers from effectively re-creating the card even if they remotely stole data from the chips.
For example, MasterCard Worldwide’s PayPass card generates a new three-digit security code each time the card is tapped on the merchant reader, the company tells us. So, if a hacker were able to access your data, he wouldn’t have a valid security code and, therefore, couldn’t create a virtual clone of the card for future use. As Holman discovered, American Express’ smart cards transmit an alias account number (not the actual account number) and a specialized digital signature, which hackers can’t reuse.
It’s worth noting that RFID technology is being used in identification cards, too. The Department of State began issuing passports in August 2006 that have chips containing the same data found on a passport’s photo page (name, date of birth, gender, place of birth, dates of passport issuance and expiration, and passport number). But the cover and spine of each passport include metallic anti-skimming material to prevent the chip from being read by hackers when the passport is closed. And this year, Washington became the first of four states that will test an optional driver’s license with RFID chips that is designed to make it easier for U.S. residents to enter and exit Canada and Mexico, because they don’t have to stop to show authorities their identification.
However, the concerns over passports and licenses with RFID chips are more about privacy issues than financial threats, which is why our story focuses on credit cards as opposed to other common personal items that use RFID chips, such as employee security badges or smart cards used for access to buses and commuter trains in major cities.
PROTECTIVE APPROACHES. Not surprisingly, you can buy wallets and credit-card sleeves with hacker-proof metal linings designed to block smart-card data transmission. RFID-blocking wallets are sold widely on the Internet for around $20, and sleeves that fit inside your wallet sell for less than $10. And despite conventional wisdom that wrapping your card in aluminum foil will do the trick, that low-cost approach won’t block the RFID signal—just weaken it, Holman says.
We think a better option would be for the card issuers to distribute the cards with a free metal sleeve, but don’t expect that to happen anytime soon. Using those kinds of sleeves and wallets makes the cards less convenient to use, and credit-card companies don’t want that, says Melissa Ngo of the Electronic Privacy Information Center.
You can destroy the RFID chip in your credit card, too, by smashing it with a hammer. It defeats the purpose of having a smart card, of course, because then you’re left with a card that only can be used the traditional way. And experts we interviewed say traditional magnetic-stripe cards still pose a much greater threat of theft and fraud to consumers than smart cards.
Skimming of magnetic-stripe cards reportedly accounts for $1 billion in credit-card losses each year. Skimmed data can be used for fraudulent purchases or to make fake credit cards. Thieves have targeted ATMs, gas station pay pumps and video rental kiosks, among other places, where they trick customers into swiping their cards through phony devices. Understand that you’re not liable for any such unauthorized transactions as long as you or your bank (or credit-card company) red-flags it. In fact, banks and credit-card companies have increased efforts in recent years to monitor customer accounts for suspicious activity. For example, Chase told us that 80 percent of unauthorized transactions on individual accounts are caught by the bank before the customer is aware.
There are several precautions consumers should take to avoid becoming skimming victims, Van Dyke says. For one, you should always examine ATMs or payment kiosks to make sure there are no extensions or overlays on the card slot that skimmers can plant on machines. (These are usually plastic covers and differ slightly in color from the rest of the machine.) And when you punch in your debit-card passcode, make a habit of covering your fingers with your other hand, so nobody can see what numbers you’re punching. If you have online banking, you should monitor your accounts at least once a week to make sure there’s no sign of unauthorized withdrawals or purchases.
But in the years ahead, both forms of credit cards could be replaced by RFID-enabled cellphones that allow you to pay for purchases. As we reported in our March/April 2008 issue, a few U.S. retailers (mostly fast-food restaurants) already let customers pay with a cellphone linked to a credit-card account. You just wave the phone a few inches from the payment reader, and the transaction is made. It’s still uncertain how many years will pass before paying with your cellphone becomes a common option. And a new batch of security concerns could sprout as a result.
Freelance writer Darci Smith is a regular contributor to Consumers Digest. She also writes about consumer-oriented topics for Bankrate.com, Crain’s Chicago Business and Glamour.