How to Hack an RFID Credit Card from 20 Feet Away
It’s a pickpocket’s dream, and the stuff of nightmares for the rest of us: You’re in line at the supermarket, and a thief steals your credit card. Not, mind you, by taking your wallet or even touching your credit card. The fraudster makes off with your credit card information, while your credit card remains tucked securely in your wallet, and you have no idea that you were just robbed.
As the pickpockets of yesteryear turn into the hackers of today, this could well become a reality for holders of the new, no-swipe, contactless credit cards. according to some.
No-swipe cards, also known as Radio Frequency ID cards (RFID). relay credit card data via radio frequencies, eliminating the slow and cumbersome process of swiping the card and signing the receipt. On average, an RFID credit card transaction takes only 15 seconds. You simply wave the card in front of the RFID reader and, if the transaction is under $25, you can be on your way without even giving a signature. Tens of millions no-swipe credit cards have already been issued, and RFID cards are poised to be the wave of the future.
But are no-swipe credit cards safe? Some people argue no—it’s all too easy for hackers to acquire a radio card scanning device to skim the data from RFID credit cards. In one widely reported study, researchers Tom Heydt-Benjamin and Kevin Fu of University of Massachusetts used a radio frequency reader to cull information from 20 credit cards from Visa. MasterCard. and American Express. According to the New York Times. the researchers easily skimmed off the card information, using a book-size device pieced together from easily available computer and radio components.
Credit card companies, on the other hand, counter that while hackers may be able to skim the RFID data, it’s basically useless
information. Most RFID credit cards transmit a dummy number that does not match the actual credit card, and the number can only be used with an encrypted verification code that is transmitted at the same time.
While this indeed is the case for some no-swipe cards, not all RFID credit cards are the same, and a very small percentage of RFID cards currently in circulation have lower security standards.
No need to throw out your RFID credit card just yet, however. How the RFID information is broadcast is just one level of security. There are numerous other fraud detection and prevention measures in place.
Most credit card charges done over the phone or online (without the physical card), require the 3- or 4-digit “verification code” on the back of the card along with your phone number. This information is matched against the card information on file to verify that the person making the charge is indeed the card holder. Scanners can’t obtain this information, severely limiting hackers’ options for using any card data they may skim.
In addition, the electronic security systems of credit card companies are constantly monitoring charges to your credit cards in real time. Any unusual pattern of spending will trigger a fraud alert, and the credit card issuer will call the card holder to verify the charges.
Most importantly, it’s the credit card issuer’s money that’s on the line, not yours. In most cases, credit card holders only have liability for unauthorized purchases up to $50. In the unlikely case that a hacker goes to town with information skimmed from your RFID credit card, it’s the bank issuing the credit card that will be left holding the bag. That alone is an assurance that credit card issuers will make sure that RFID cards remain safe to use.Source: www.creditcardguide.com