RFID Pickpocketing Debunked
Pickpocketing might seem like a crime from centuries past but that doesn’t stop me from checking my wallet periodically when I stroll through crowded areas. As a wireless and cybersecurity expert, paranoia is part of my business but that doesn’t mean we all have to succumb to that psychosis. That’s why I wanted to cover digital pickpocketing, some truths and some myths.
Many credit cards currently contain RFID tags embedded directly into the card. RFID (Radio Frequency IDentification) has been around for many years and used primarily for tracking and tagging purposes instead of barcodes. RFID tags are essentially an antenna and memory chip embedded inside small tags or cards. When an RFID reader is brought in close proximity to an RFID tag, the antenna is energized and data is captured by the reader. The distance the data can travel is very short but also very fast – the perfect challenge for a digital pickpocket.
RF blocking sleeves work but do we need them?
But how do you even know if you have an RFID antenna embedded inside your credit card? Credit cards that have an embedded RFID antenna will have an antenna symbol (similar to Wi-Fi icon) on the front or back of the credit card. I suggest you pause reading and pull out your credit card(s) to take a quick look. More than likely, you will not see that antenna symbol on your card because most new cards are getting away from RFID.
RFID Myth: Stacking multiple RFID cards DOES NOT scramble or protect the data from being compromised.
If your credit card has an embedded smart chip, (also referred to as a contactless payment system) there is no RFID or any wireless happening. So a thief or hacker CANNOT steal information from your credit card’s smart chip without actually touching because they emit no radio waves. It is a myth that they can hack your chip card without actually touching it. Many confuse this newer technology with other wireless technologies such as NFC (Near Field Communications) and RFID. Both of these wireless protocols have their respective vulnerabilities including the fact that RFID is always “ON” while NFC must be triggered by the user or nearby NFC reader before transmitting any data.
Most banks are replacing older cards with EMV chip cards. EMV (Europay, MasterCard & Visa) is quickly becoming the global standard. EMV chips are not contactless – they emit no radio waves and have integrated microprocessor chips that store and protect cardholder data. However, some banks do issue cards containing both EMV and NFC chips, but the average person is unlikely to have a card that is vulnerable to wireless pickpocketing. EMV chip cards can only be used with a terminal for EMV cards. They are extremely secure primarily because the microprocessor chip in your EMV card generates a unique code for every transaction. This is similar to other contactless payment systems such as Apple Pay, Samsung Pay and Android Pay. These payment systems create tokens for one time use for each and every purchase. Now contrast that approach to traditional credit cards with account numbers printed and embedded in the mag stripe and you can see why Apple Pay alone tallied $10.9 Billion in transactions in 2015. Consumers might be lazy but they are also tired of disputing fraudulent charges made on their cards. When they are presented with a secure and fast alternative, they adopt it quickly.
RFID Myth: Tyvek sleeves DO NOT protect RFID cards from being read. Only shielded metallic sleeves or shielded wallets will block RFID.
In reality, your biggest risk of having your credit card hacked is still in retail scenarios and insecure websites where unscrupulous retailers and employees can simply copy your card. From there, millions of our credit cards end up on lists bought and sold on the dark web. Hackers also install skimmers (card readers) that can skim your card data from modified gas pumps or ATM machines around the world but these require some mechanical modifications and a physical presence that hackers typically avoid. And even less likely is the notion of a wireless pickpocket roaming malls and crowded city streets collecting our data. But as any security expert will tell you, situational awareness is always the key to security so stay safe.