Monday, January 6, 2014

Tech Talk / By Martha Knight



Most of us have credit cards and debit cards that behave themselves. Or at least we hope so. And anyway, we don’t shop at Target.

But maybe we should check our wallets anyhow.

Electronic card readers are out there, readily available and cheap. Some of the biggest credit card issuers have issued super-convenient cards generically called “smart” or contactless, and referred to as “PayPass” by MasterCard and as “Blink” by Chase.

How great is that! A godsend for this vision-impaired shopper, obviously. No more trying to decode what the machine is telling me. No more need for the checkout person to tell me, “No, the other way” or “You pushed the wrong button, we have to clear the machine and start over.”

The new smart cards can be read through your pocket, wallet or even in the envelope they were mailed in. They have a tiny chip and embedded antenna which can transmit information from your card, even when you are not shopping.

No, the cards can’t transmit to your neighbors while you are at home. But out on the street in a crowd, or at close quarters in a store, the signals can be picked up by a hacker with the equipment for that, without you using the card. You might be window shopping, and pause to admire a display, along with other shoppers. You might be choosing merchandise in a store, with your card safely in your wallet in your shoulder bag.

The hacker is another shopper, from all appearances, carrying a laptop in an ordinary case or “Targus bag,” with a reader attached to it.

One report says there are 35 million RFID credit/debit cards in circulation in the U.S. How do we know whether we have one of them? Some are marked with a symbol with four wavy lines. Some arrived as the new cards that are sent periodically to replace worn ones, for a credit card account we have had for years, and the accompanying letter (which we threw away without reading?) explained the new convenience features of the card. Of course it was not valid until we signed it or registered it, and of course it couldn’t be used online or over the phone or in a mail order purchase without the three-digit security code, right?

Wrong.

I hear some of you saying, “RFID? What’s that?”

Well. We haven’t used any RFID gear, have we? Well, in a way, we have. Stores have attached Radio Frequency IDentification devices to merchandise for years, and libraries have protected their collections from being taken out without being checked out, in similar ways.

A few years back Walmart caused a stir when it began requiring all suppliers to equip shipping pallets and each item in the shipment with RFID, so Walmart could automate its supply chain and inventory processes, and get a better handle on pilfering and shoplifting. But suppliers fell into line, and the system spread.

Manufacturers use RFID technology to track goods along the assembly line. Pets have transmitting chips implanted, and so do some humans.

A pro with the right equipment could stand at a highly trafficked point where he can place a concealed reader less than a foot away from passersby, and can collect thousands of card IDs and related info.

Chase says its contactless cards are designed to change their security codes with every transaction. But if the heisted RFID data is used soon enough, even one transaction may be enough to wreak havoc on the rightful cardholder’s finances.

What gets “swiped” from a no-swipe card, by a high-tech pickpocket who never so much as dipped a light finger into your pocket? Here’s what: account number, expiration date and security data, along with some other identity details, depending on the card.

A “skimmed” card’s data can be transferred onto a blank card of the magnetic-strip type. Then that counterfeit card can be used to make a transaction.

As for a lost or stolen credit card physically in the possession of a crook, it can be exploited by repeatedly scanning the card and creating multiple security codes, the indexed kind.

Some contactless cards do not reveal the account numbers of the holders. That is the claim of Discover, MasterCard, Visa and other members of the Smart Card Alliance.

Also, for those who are using the RFID-equipped cards, or think they may do so in the future, there are products being marketed as able to protect cards, RF badges and such from intrusion. But security company Recursion tested an assortment of those RFID-blocking wallets and pouches, and found that none blocked the signal completely, and even same-model items varied from one to another in their blocking abilities.

A different approach recalls the Cold War and the Commies’ efforts to keep Radio Free Europe signals on the other side of the wall: Jam, baby, jam. Recursion has developed jamming devices, no bigger than a credit card, that keep credit cards from responding to any reader. So how can you use your cards? Turn off the jamming device!

Credit card holders may ask the card companies for regular old magnetic strip (magstripe) cards that have no RFID abilities.
