
Theft by radio waves?

Is RFID “contactless” card theft possible? Wendy Knowler found out.


Whether you know it or not, if you have a credit card, it is most likely an RFID one - that is, it has Radio Frequency ID, the technology which allows you to Tap and Go: place your card on a reader at the till point to pay for something, rather than inserting it and keying in a PIN.

Not many South African retailers are using the technology right now - it’s mostly still a case of stick the card in and do the PIN thing - but that is changing rapidly.


Tap and Go is the norm in Australia, New Zealand, the UK and the EU.

How do you know if your credit card has RFID? It will have what looks like a wifi symbol on it.

There’ve been some rumbles about safety fears because you don’t have to put in a PIN, and some consumer pushback, but the fact is there’s been no spike in card fraud in markets where Tap n Go is the norm.

The “tap” only works for purchases up to R500 (R200 in the case of ABSA) - above that the user must key in their PIN, and as a security measure, the “Tap and Go” cards will still demand a PIN randomly, so criminals can’t use it with confidence and that acts as a deterrent.

Internationally there’s no known case of a chip being successfully cloned and used fraudulently - the chip cryptograms are just too strong.  

Which brings us to the video doing the rounds… 

It shows a man approaching shoppers in a mall, asking an innocuous question and in the process, getting their information from their credit cards via RFID  - numbers, expiry date, and then using that information to buy goods online.

The woman who sent the video to me said: “I don’t usually forward these things, but this video got to me because it affects most of us as we go about our business.”

So I started investigating….

And I found an article published last year by Roger Grimes of San Francisco-based technology publication InfoWorld, who has made himself an enemy of the makers of RFID blocking wallets by stating publicly for years that despite all those scare videos and apparent demonstrations, RFID-related crimes are actually non-existent.

“They - the RFID blocking wallet makers - have yet to produce evidence of a single real-world RFID crime,” Grimes said. “Year after year, nothing.”

I asked Mastercard to comment on the video, and a spokesman came back to me to say that the thrust of what Grimes says is spot on - theft of credit card details by RFID, or contactless technology, is not a thing.



Here’s why:

The card sends the reader a dynamic one-time-only code to uniquely and securely identify each transaction, and it would be extremely difficult for a fraudster to copy the advanced encryption technology used to generate this dynamic one-time-only code and create a functioning counterfeit version of a contactless card.
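A simplified model of the dynamic one-time-only code described above, added here as an illustration and not taken from the article or from Mastercard. The HMAC construction, the transaction counter, the reader-supplied random value and all names are assumptions, not the actual card scheme; the point is that a captured code is rejected when submitted a second time or with changed details.

```python
import hashlib
import hmac
import secrets

# Simplified model, NOT the real card scheme: the HMAC construction, field
# layout and all names (Card, Issuer, pay, authorise) are assumptions.

def _encode(counter: int, amount_cents: int, reader_nonce: bytes) -> bytes:
    return counter.to_bytes(4, "big") + amount_cents.to_bytes(8, "big") + reader_nonce


class Card:
    def __init__(self, key: bytes):
        self._key = key      # secret stays inside the chip
        self._counter = 0    # goes up by one for every transaction

    def pay(self, amount_cents: int, reader_nonce: bytes) -> dict:
        self._counter += 1
        msg = _encode(self._counter, amount_cents, reader_nonce)
        code = hmac.new(self._key, msg, hashlib.sha256).digest()
        return {"counter": self._counter, "amount": amount_cents,
                "nonce": reader_nonce, "code": code}


class Issuer:
    def __init__(self, key: bytes):
        self._key = key
        self._last_counter = 0

    def authorise(self, tx: dict) -> bool:
        msg = _encode(tx["counter"], tx["amount"], tx["nonce"])
        expected = hmac.new(self._key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tx["code"]):
            return False     # fields were changed without the card's key
        if tx["counter"] <= self._last_counter:
            return False     # code was already used once
        self._last_counter = tx["counter"]
        return True


def demo() -> tuple:
    key = secrets.token_bytes(32)            # constructed sample key
    card, issuer = Card(key), Issuer(key)
    tx = card.pay(12_000, secrets.token_bytes(4))
    first = issuer.authorise(tx)             # genuine payment
    replay = issuer.authorise(dict(tx))      # same message submitted again
    altered = issuer.authorise(dict(tx, counter=tx["counter"] + 1, amount=50_000))
    return first, replay, altered
```
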

And if a card is compromised, the cardholder is protected by a global zero liability policy. That means they are not held liable for unauthorized fraudulent transactions.

Most, if not all, contactless card fraud cases reported around the world involve a thief stealing or finding a physical card and using it at the point of sale. 



So don’t be bamboozled into thinking you need to invest in expensive RFID blocking wallets or sleeves. It’s a massive industry, and the RFID products are available in SA - a solution to a non-existent or at best unlikely problem.

One Cape Town leather wallet maker says on its website: “Your contactless card identity can be stolen electronically from your wallet or purse, allowing your card to be cloned in a matter of seconds. Protect yourself from electronic pickpocketing. RFID-blocking wallets and purses will increase the security of your RFID-embedded cards.”

For a price, of course.

And anyway, Grimes says, if theft via RFID was a thing, you could block all RFID waves with a few sheets of aluminum foil.

To contact Wendy, go to her Facebook page - wendyknowlerconsumer, and click on the send email tab.
