There has been a lot of hysteria and misinformation surrounding RFID-enabled credit cards (also known as contactless or smart payment cards – or as some misidentify them – wifi credit cards). Also known as an “e-dip”, e-pickpocketing is possible, but highly unlikely – your old school credit card is far more likely to be duplicated than your RFID card is to be hijacked. Here are the facts as we know them.
RFID-enabled smart, contactless credit cards contain an RFID chip embedded in them that has certain pieces of your information. In essence, it contains the same information that is contained in the magnetic strip of any credit card.
When it comes in contact with an NFC (Near Field Communication) reader, and when in communication with that particular reader, the reader can read the information to complete the transaction from the RFID chip, instead of your having to swipe it.
Much of the hysteria has been driven by technologist Walt Augustinowicz, who has mounted a very successful PR campaign to warn the public of the ‘dangers’ of RFID credit cards. These efforts have included a YouTube video of him creating a smart card scanner and scanning cards, and news coverage of him doing the same thing.
The problem? Not only is Augustinowicz a techie with the wherewithal to create such a scanner, but he is the owner of ID Stronghold, a company that panders to the hysteria by selling RFID-blocking wallets.
Now, there are several reasons why your RFID-enabled credit card is unlikely to compromise your account – at least more (or even as much) as your regular credit card is.
First, the RFID mechanism only transmits 8 of the 16 digits of your card – the middle 8 are Xed out.
In fact, this is a screen-shot from Augustinowicz’ own video! The one he is using to whip the media into a frenzy:
|We know you're sick of ads on websites. But we still need to pay to keep the lights on for you. So instead of huge ads and video ads, we use smaller, plainer ads. Still, if you'd like to support the Internet Patrol but not the ads, please consider supporting us here:|
|Get notified of new Internet Patrol articles for free!
|Or Read Internet Patrol Articles Right in Your Inbox!
as Soon as They are Published! Only $1 a Month!
Imagine being able to read full articles right in your email, or on your phone, without ever having to click through to the website unless you want to! Just $1 a month and you can cancel at any time!
Second, and more importantly, the RFID cards include a mechanism that is very similar to two-factor authentication.
For each individual transaction, a new code is generated by the RFID chip. Which means that even if a bad guy bothered to put together a scanner, they would only be able to use your account for one single transaction.
Contrast that to the bad guy who gets your card number by copying it (or taking a picture of it with his phone) when you hand it to him for swiping.
Third, the distance from which these cards can be read (known as the “read range“) is three feet or less. The bad guy would have to be nearly on top of you in order to get a read from your card.
Finally, while the directions to make a scanner are available online, they are much more work than just buying your credit card number online, which is how the majority of identity theft happens these days.
A typical set of instructions to build an RFID scanner includes something like this:
“It’s easy to build an RFID scanner. You need is a computer, an Arduino, a breadboard, and the Parallax RFID Reader Module.”
Anyone with the chops to build a scanner will also almost certainly know how to get credit card numbers online in the forums where they are traded and sold in files with the information for thousands of accounts. Why would they go through the effort to build a scanner that will net them one account at a time – and a single transaction at that?
So, the bottom line is that yes, it is possible to scan an RFID smart card, but it is highly unlikely that anyone would bother other than as a proof of concept (we’re looking at you, Walt Augustinowicz), and even if they did, they could only use it for one transaction, unlike someone who copies your entire card number at the register.
No Paywall Here!
The Internet Patrol is and always has been free. We don't hide our articles behind a paywall, or restrict the number of articles you can read in a month if you don't give us money. That said, it does cost us money to run the site, so if something you read here was helpful or useful, won't you consider donating something to help keep the Internet Patrol free? Thank you!
|Get notified of new Internet Patrol articles!