Most of us have
credit cards and debit cards that behave themselves. Or at least we hope so.
And anyway, we don’t shop at Target.
But maybe we should
check our wallets anyhow.
Electric Card readers
are out there, readily available and cheap. Some of the biggest credit card
issuers have issued super convenient cards generically called “smart” or
contactless, and referred to as “PayPass” by MasterCard and as “Blink” by
Chase.
How great is that! A
godsend for this vision-impaired shopper, obviously. No more trying to decode
what the machine is telling me. No more need for the checkout person to tell
me, “No, the other way” or “You pushed the wrong button, we have to clear the
machine and start over.”
The new smart cards
can be read through your pocket, wallet or even in the envelope they were
mailed in. They have a tiny chip and embedded antenna which can transmit
information from your card, even when you are not shopping.
No, the cards can’t
transmit to your neighbors while you are at home. But out on the street in a
crowd, or at close quarters in a store, the signals can be picked up by a
hacker with the equipment for that, without you using the card. You might be
window shopping, and pause to admire a display, along with other shoppers. You
might be choosing merchandise in a store, with your card safely in your wallet
in your shoulder bag.
The hacker is another
shopper, from all appearances, carrying a laptop in an ordinary case or “Targus
bag,” with a reader attached to it.
One report says there
are 35 million RFID credit/debit cards in circulation in the U.S. How do we
know whether we have one of them? Some are marked with a symbol with four wavy
lines. Some were our new cards such as are sent periodically, to replace the
worn ones, for a credit card account we have had for years, and the
accompanying letter (which we threw away without reading?) explained the new
convenience features of this card. Of course it was not valid until we signed
it or registered it, and of course it couldn’t be used online or over the phone
or in a mail order purchase without the three-digit security code, right?
Wrong.
I hear some of you
saying, “RFID? What’s that?”
Well. We haven’t used
any RFID gear, have we? Well, in a way, we have. Stores have attached Radio
Frequency IDentification devices to merchandise for years, and libraries have
protected their collections from being taken out without being checked out, in
similar ways.
A few years back
Walmart caused a stir when it began requiring all suppliers to equip shipping
pallets and each item in the shipment with RFID, so Walmart could automate its supply
chain and inventory processes, and get a better handle on pilfering and
shoplifting. But suppliers fell into line, and the system spread.
Manufacturers use
RFID technology to track goods along the assembly line. Pets have transmitting
chips implanted, and so do some humans.
A pro with the right
equipment could stand at a highly trafficked point where he can place a
concealed reader less than a foot away from passersby, and can collect
thousands of card IDs and related info.
Chase says its
contactless cards are designed to change their security codes with every
transaction. But if the heisted RFID data is used soon enough, even one
transaction may be enough to wreak havoc on the rightful cardholder’s finances.
What gets “swiped”
from a no-swipe card, by a high-tech pickpocket who never so much as dipped a
light finger into your pocket? Here’s what: account number, expiration date and
security data, along with some other identity details, depending on the card.
A “skimmed” card’s
data can be transferred onto a blank card of the magnetic-strip type. Then that
counterfeit card can be used to make a transaction.
As for illicit use of
a lost or stolen credit card, physically in the possession of a crook, that can
be utilized by repeatedly scanning the card and creating multiple security
codes, the indexed kind.
Some contactless
cards do not reveal the account numbers of the holders. That is the claim of
Discover, MasterCard, Visa and other members of the Smart Card Alliance.
Also, for those who
are using the RFID-equipped cards, or think they may do so in the future, there
are products being marketed as able to protect cards, RF badges and such from
intrusion. But security company Recursion tested an assortment of those RFID-blocking
wallets and pouches, and found that none blocked the signal completely, and
even same-model items varied from one to another in their blocking abilities.
A different approach
recalls the Cold War and the Commies’ efforts to keep Radio Free Europe signals
on the other side of the wall: Jam, baby, jam. Recursion has developed jamming
devices, no bigger than a credit card, that keep credit cards from responding
to any reader. So how can you use your cards? Turn off the jamming device!
Credit card holders
may ask the card companies for regular old magnetic strip (magstripe) cards
that have no RFID abilities.
No comments:
Post a Comment
Comments which are degrading in any way will not be posted. Please use common sense and be polite.