Friday, 13 February 2015
Hackers Can Use RFID Readers to Steal Payment Card Numbers While You Are in Public
A team of cyber security researchers has revealed that hackers can use mobile technology to steal credit and debit card numbers from you while you’re in public. The cards at risk are enabled with radio technology that allows you to “wave and pay.”
It's as though, while you are ‘waving and paying’, a hacker lurking in the vicinity is secretly reading your payment card numbers and storing them. Unaware of the risk, you may get a 440-volt shock when you see unknown payments in your billing statement at the end of the payment cycle.
Radio frequencies are all over the place, but most smart cards (i.e. newer debit and credit cards) operate in the range of 13.56 MHz (HF), and the signal can be detected at a distance of between 10 centimeters and 1 meter (around 2 feet max).
If you have one of these newer cards, an attacker can currently obtain only the card number and the expiration date, not the three-digit CVV security number, which is required for some purchases. However, it should be noted that a card number and expiration date could be put onto dummy cards and used at certain point-of-sale terminals that only require you to pass the card over the terminal for a payment (without the CVV requirement).
What's an RFID?
According to Wikipedia.org,
Radio-frequency identification (RFID) is the wireless use of electromagnetic fields to transfer data, for the purposes of automatically identifying and tracking tags attached to objects. The tags contain electronically stored information. Some tags are powered by electromagnetic induction from magnetic fields produced near the reader. Some types collect energy from the interrogating radio waves and act as a passive transponder. Other types have a local power source such as a battery and may operate at hundreds of meters from the reader. Unlike a barcode, the tag does not necessarily need to be within line of sight of the reader, and may be embedded in the tracked object. Radio frequency identification (RFID) is one method for Automatic Identification and Data Capture (AIDC).
More and more of these RFID radio tags are being placed into other documents, including passports and employee badges, which may hold more information and create potentially more problems when cloned, especially in the case of employee badges, which allow access to secure buildings and the like.
So far the only known defense against these types of attacks is to create a “Faraday cage” around the card (usually in the form of aluminum foil, or by lining your pocket or wallet with a similar substance).
If you are victimized, most cards, like MasterCard, Visa, and debit cards, have policies that say you’re not liable for any fraudulent transactions and you can be made whole. However, it can sometimes take several days or weeks to get back money that has been stolen from your checking account or debit card.
If you like the idea of mobile payments, for now Apple Pay or PayPal can be viable alternatives, since your actual card numbers are not stored on your iPhone or smart device and they do not have any RFID.