Pickpockets no longer need to touch their victims - they can use cheap technology to read credit cards through people’s pants. Hacker Kristin Paget proved as much with a demonstration at the Shmoocon hacker conference in Washington last week.
With a $50 Vivotech RFID (radio frequency identification) credit card reader, she wirelessly read the credit card of a volunteer standing near her on a stage, then used a $300 magnetizing tool to put the data onto a blank card, reports Forbes’ Andy Greenberg.
Paget then used a credit card-swiping iPhone attachment and voila! She stole $15 from her “victim” before paying him back immediately, Greenberg wrote.
Fears that hackers will steal personal or banking information have also sparked an industry of wallets, passport covers and individual credit card holders made of stainless steel or even aluminum foil to block unwanted radio signals from lifting information.
While Paget’s demonstration has been possible for years, questions about contactless payments are rising to the surface as RFID-enabled credit cards become ubiquitous (just look for a triangle made of arches to see if your credit card is RFID equipped).
In Canada, Visa’s payWave and MasterCard’s PayPass make it easy for consumers to tap their RFID-enabled cards on a terminal and pay quickly at thousands of merchants across the country, including Impark and McDonald’s.
The terminals may not accept transactions of more than $50.
MasterCard uses encryption technology and Visa embeds chips to prevent theft over the contactless systems, according to their websites. Both say the cards must be waved very near to the machines to work, and Visa adds that “only secure readers at authorized merchants” can process its cards.
But with the right machine, stealing credit card numbers, expiry dates and transaction codes is as simple as waiting for people to walk by on a crowded street, said project scientist and hacker 3ric (pronounced Eric) Johanson.
Consumers shouldn’t be too worried - at least not yet, Johanson said. Criminals will choose the easiest method to steal credit card information, which at the moment is hacking insecure websites “from the comfort of their own home,” he said.
If data was stolen, it would be difficult to use online as most websites require an address for confirmation, he said. Each contactless transaction involves a unique CCV code, but an “ample” number of those can be collected in just a few seconds, he explained. Scams would only be detected if the consumer used their card before the attacker had time to make fraudulent purchases.
Despite the logistical challenges, it’s just a matter of time before RFID hacks become commonplace, Johanson said. There are additional steps credit card companies can take to protect consumers, such as demanding a PIN, yet that’s unlikely to happen because it would slow down the payment process, he said.
“My general advice to people is to demand that their credit card companies offer them a non RFID-enabled card,” he added.
By the end of 2012, all Canadian passports will come equipped with RFID technology, according to Passport Canada. The RFID information will only become accessible if the bar code on the second page has already been scanned, meaning the passport needs to be open for people to get data. New American passports already have this technology.