The credit-card swiper you now use at the checkout counter may eventually be obsolete, but privacy advocates question whether cotactless cards are more for convenience and less about keeping customers’ data safely protected.
MasterCard, Visa and American Express are promoting contactless versions of their credit cards, which only need to be held near a special reader at the checkout counter for a sale to go through, making the standard card swiper no longer necessary. The goal is easier transactions done in a flash, even at the corner convenience store or fast-food outlet.
The move is not without risk.
“Contactless cards do make paying more convenient, but their wireless nature makes it difficult for the cardbearer to control where his personal information is being sent,” says Karsten Nohl, a research fellow at the University of Virginia studying the technology used inside these cards.
What’s new inside the plastic
That technology is called radio-frequency identification, or RFID. Originally devised during World War II to distinguish friendly from enemy aircraft, RFID is now used by everyone from Wal-Mart to the U.S. military. RFID chips speed up retail transactions, track shipments through warehouses and stores, open electronic locks, and identify people and even animals. You may be using RFID daily, via the card that lets you drive past the tollbooth without stopping, the remote that opens your car door or the workplace ID fob that unlocks the office door.
|Go high-tech, or go tinfoil|
|You can make a contactless card “unskimmable” in your wallet by buying an actual RFID-blocking wallet with a shielding layer of steel or nickel.|
A cheaper method: Wrap a piece of tinfoil around the card. “They’re bullet-resistant methods, but not bulletproof,” says Kevin Fu, an assistant professor at University of Massachusetts-Amherst.
If you’re still feeling wary, just send it back to your issuer and ask for an RFID-free one, or else ask for the chip to be deactivated.
The risks and damages are primarily borne by the card issuers. So even if that hacker standing next to you with a reader in his pocket gathers enough information to go on a shopping spree, your card issuer should cover the fraudulent charges.
Standard credit cards store account information on the magnetic stripe used for swiping. Contactless cards use RFID to store data inside a “smart chip” within the plastic. The chip doesn’t have a battery or power source, but comes to life through electromagnetic waves emitted by the contactless-card reader and uses a small radio antenna to transmit account information to the reader. That data makes its way through the card issuer’s network, just like a swiped card.
Many contactless cards look like typical credit cards, with the same magnetic stripes so they can be used like regular plastic, but they also come in the shape of key fobs. Credit-card companies are touting contactless cards for payments at places typically thought of as cash-only, such as 7-Eleven, McDonald’s and AMC movie theaters.
Don’t be surprised if you haven’t gotten one of these cards from your card issuer yet; the majority of stores with contactless readers are primarily in major metropolitan areas, but they are spreading. Visa says 20 retailers with 32,000 outlets now accept its payWave card, while MasterCard states its 37 million PayPass cards can be used at more than 130,000 locations worldwide. Most readers are designed to read the payWave, PayPass and American Express’s RFID-chipped Blue and Clear cards. While only MasterCard discloses the number of contactless cards it has issued, the Smart Card Alliance, an organization touting the new technology, estimates 50 million cards have been issued in the United States, and will increase as card issuers send them out when customers’ magnetic-stripe cards expire.
Beware of inexpensive ‘readers’
The distance from which RFID can be read varies, from hundreds of feet on a tollbooth pass to inches on a contactless card. That means cards with these chips never have to leave your hand during a transaction, prompting card companies to say these new cards are faster and safer.
Do a search on the Web for “RFID and credit cards,” and you may think otherwise. One website shows a video demonstration of how to hack an RFID-enabled credit card with just $8 of gear bought on eBay. Another warns of people walking around in crowds with homemade readers in their pockets to pick up unsuspecting people’s card data.
What really made people gasp was a 2006 study done by researchers at the University of Massachussetts at Amherst, showing how easy it was for thieves to steal data off contactless cards. Using a RFID reader purchased for $150, the team scanned 20 different contactless cards and were able to “skim” card numbers, expiration dates and cardholders’ names.
“We couldn’t believe it was that easy for an off-the-shelf reader to get that info, so we then made our own and got the same results” says team leader Kevin Fu, an assistant professor of computer science. He wouldn’t divulge what card issuers they tested, but said the card data they skimmed wasn’t encrypted, so the cards were broadcasting the data into the air. Plus, the researchers were standing not inches, but a few feet away from the cards. The printed verification numbers on the back of the card were missing, but the rest of the skimmed info could have been used to buy stolen goods from online and brick-and-mortar stores.
No real-world hacking examples – yet
Those tests were done in a lab and to date, there have been no reports of RFID card-hacking fraud in the real world. But the study shows how vulnerable RFID can be, says Roger Nebel, director of Washington, D.C.-based consulting firm FTI Technology. “The card responds to any radio frequency transmission so the concern is, ‘I no longer have control over who gets information from my card.’ Unless you were paying attention to the guy behind you with a reader, you’d never know you were being skimmed.”
After the UMass study, most card companies removed the cardholder’s name, but stated the majority of contactless cards were already set to the highest security standards. However, because banks, not card companies, set the security levels, there’s no guarantee that all security standards are alike.
“The card industry sees this as a new avenue for getting more credit transactions, so RFID is more for its own benefit,” says Fu. “Consumers are the beta testers, but they haven’t been involved in the decision making.”
What’s the password?
Bank security levels aside, card companies insist it’s impossible for thieves to crack contactless cards, even if they skimmed the information that Fu’s team did. RFID acts as a third layer of security. The first level is the card’s magnetic stripe and your signature. The second is the Card Security Code, the three digits on the back of the card that many online retailers now ask for. RFID is the third and strongest layer.
Each company has varying security methods for their contactless cards, but usually the data on that card is different from that on a standard credit card. The smart chip carries a code that is constantly changing in tandem with a similar code in the card issuer’s computers. “That code is different from the card account number, because we don’t store that number on the chip,” says American Express spokeswoman Molly Faust. During a transaction, when the RFID reader asks the bank for authorization, the chip’s code must line up with the bank’s code. “The code is good for just that one transaction then changes to something else,” says Faust. “Even if hackers skim that code, they can’t use it for another transaction, and they can’t fake a code.”
Is there something better than RFID?
Some RFID skeptics say U.S. cardholders would be safer with the “chip-and-PIN” technology used in Europe. Chip-and-PIN cards also have computer chips in them, but require cardholders to type a four-digit PIN into a reader instead of signing their names. The technology is considered to have better anti-theft protection and is quickly being adapted in Canada, Asia and South America.
“Ironically, it’s the same credit-card companies issuing those better cards in Europe and the unsecure ones in America,” says Nohl. To date, no U.S bank has issued chip-and-PIN cards to customers.
Randy Vanderhoof, executive director of the Smart Card Alliance, says it’s again due to who pays the cost. “It would require every merchant with a magnetic stripe/contactless card reader to replace it with one reading chip-and-PIN. They don’t want to pay for it because now, as long as they get the person’s signature and do the online transaction, they’re protected from fraud responsibility, and the bank will have to pay for it. Also, people could forget their PIN and hold up the line. For banks, it’s too expensive to install a whole new system and upgrade the readers. Chip-and-PIN would have to be more cost-effective than what they spend now to cover fraud costs.”
Thieves looking to steal credit card information still have richer sources than contactless cards to choose from. Trying to skim data off one cardholder at a time pales in comparison to getting data on millions of cardholders at once, says Nebel. “As a card user, I’m more concerned about Internet phishing or breaches at big financial institutions.” One example of the latter is the 2008 database breach at Heartland Payment Services, a payment-processing middleman for card issuers. At least 400 banks and credit unions have had to report that their customers’ debit and credit card information was compromised.
See related: No-swipe credit cards could let thieves swipe your info, A novel look at credit cards in popular fiction, How will credit cards look in 25, 50, 100 years?, Contactless payment cards raise security, privacy concerns, U.S. Bancorp tries contactless technology, Experts say RFID hacking easy