There has been a lot of hysteria and misinformation surrounding RFID-enabled credit cards (also known as contactless or smart payment cards – or, as some misidentify them, wifi credit cards). E-pickpocketing, also known as an “e-dip”, is possible but highly unlikely – your old school credit card is far more likely to be duplicated than your RFID card is to be hijacked. Here are the facts as we know them.
RFID-enabled smart, contactless credit cards contain an RFID chip embedded in them that has certain pieces of your information. In essence, it contains the same information that is contained in the magnetic strip of any credit card.
When the card comes in contact with an NFC (Near Field Communication) reader, and is in communication with that particular reader, the reader can read the information needed to complete the transaction from the RFID chip, instead of your having to swipe the card.
Much of the hysteria has been driven by technologist Walt Augustinowicz, who has mounted a very successful PR campaign to warn the public of the ‘dangers’ of RFID credit cards. These efforts have included a YouTube video of him creating a smart card scanner and scanning cards, and news coverage of him doing the same thing.
The problem? Not only is Augustinowicz a techie with the wherewithal to create such a scanner, but he is the owner of ID Stronghold, a company that panders to the hysteria by selling RFID-blocking wallets.
Now, there are several reasons why your RFID-enabled credit card is unlikely to compromise your account – at least any more than (or even as much as) your regular credit card is.
First, the RFID mechanism only transmits 8 of the 16 digits of your card – the middle 8 are Xed out.
In fact, this is a screen-shot from Augustinowicz’ own video! The one he is using to whip the media into a frenzy:
Second, and more importantly, the RFID cards include a mechanism that is very similar to two-factor authentication.
For each individual transaction, a new code is generated by the RFID chip, which means that even if a bad guy bothered to put together a scanner, they would only be able to use your account for one single transaction.
Contrast that to the bad guy who gets your card number by copying it (or taking a picture of it with his phone) when you hand it to him for swiping.
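The one-code-per-transaction idea described above, as an added example that is not from the original article: a simplified Python model in which the chip derives a short code from a secret key and a transaction counter, and the issuer refuses any counter it has already seen. HMAC-SHA256, the key, the 3-digit code length and the class names are assumptions chosen for illustration, not the payment networks' actual algorithm.

```python
import hashlib
import hmac

def transaction_code(card_key, counter):
    """Derive a 3-digit code bound to one counter value (HMAC is a stand-in)."""
    mac = hmac.new(card_key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1000:03d}"

class Card:
    """Chip side: every read advances the counter and yields a fresh code."""
    def __init__(self, key):
        self._key = key
        self._counter = 0

    def read(self):
        self._counter += 1
        return self._counter, transaction_code(self._key, self._counter)

class Issuer:
    """Issuer side: a counter is accepted once, and only with its matching code."""
    def __init__(self, key):
        self._key = key
        self._last_counter = 0

    def authorize(self, counter, code):
        if counter <= self._last_counter:
            return False  # replayed or stale read
        expected = transaction_code(self._key, counter)
        if not hmac.compare_digest(expected, code):
            return False  # code does not belong to this counter
        self._last_counter = counter
        return True

def demo():
    key = b"constructed-demo-key"  # constructed sample key, not real card data
    card, issuer = Card(key), Issuer(key)
    skimmed = card.read()   # a read captured by someone else's scanner
    genuine = card.read()   # the cardholder's next tap
    third = card.read()
    tampered = third[1][:-1] + str((int(third[1][-1]) + 1) % 10)
    return [
        issuer.authorize(*skimmed),            # first use of the captured read
        issuer.authorize(*skimmed),            # same read presented again
        issuer.authorize(*genuine),            # cardholder's own transaction
        issuer.authorize(third[0], tampered),  # right counter, altered code
    ]

if __name__ == "__main__":
    print(demo())
```
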
Third, the distance from which these cards can be read (known as the “read range”) is three feet or less. The bad guy would have to be nearly on top of you in order to get a read from your card.
Finally, while the directions to make a scanner are available online, they are much more work than just buying your credit card number online, which is how the majority of identity theft happens these days.
A typical set of instructions to build an RFID scanner includes something like this:
“It’s easy to build an RFID scanner. All you need is a computer, an Arduino, a breadboard, and the Parallax RFID Reader Module.”
Anyone with the chops to build a scanner will also almost certainly know how to get credit card numbers online in the forums where they are traded and sold in files with the information for thousands of accounts. Why would they go through the effort to build a scanner that will net them one account at a time – and a single transaction at that?
So, the bottom line is that yes, it is possible to scan an RFID smart card, but it is highly unlikely that anyone would bother other than as a proof of concept (we’re looking at you, Walt Augustinowicz), and even if they did, they could only use it for one transaction, unlike someone who copies your entire card number at the register.