Cyberthieves are Picking Pockets with RFID

On Monday, I got a call from the bank that issued me a credit card six years ago.  The woman on the other end of the line asked me to call back using the number on the back of the card for security purposes.

When I called back, I was directed to the fraud department, where the same woman who had just called me answered the phone.

“Hello,” said the woman on the line. “Have you made any purchases in Florida today?” I said I hadn’t used the card at all in months, not since I was in Florida last June while on vacation. The woman said several thousand dollars had been charged, and declined, at a Ross in Fort Myers.

It turns out that my card information was stolen from my card’s embedded radio-frequency signal, the technology that allows it to be swiped over scanner without inputting a code.

That’s right. My credit card information was stolen from my wallet while it was in my pocket.

If you have a credit card that was issued in the past year or two, pull it out and look at the back. If it has a little wireless signal on it, your card has radio-frequency identification (RFID) technology that allows you to speed through retail transactions by just waving your card. No code or signature is needed.

Now, I never asked for this technology, and I’ve never used it in that form. When my last card expired, a new one was sent with this technology already embedded. It turns out that enterprising thieves have figured out a way to steal (or build their own) scanning technology. They put these scanners in a handbag, backpack or computer case, and simply walk through crowds stealing the signals from cards. If you'd like to practice at home, Boing Boing has an instructional video: "How to hack RFID-enabled credit cards for $8."

The problem is you can’t turn the signal off. Even cutting the card up may not work. Unless you kill the chip, it just keeps sending out your information.

My bank told me the information is encrypted. But they also told me someone had my card number and was attempting to use it. You be the judge of whether encryption worked. Stung by the theft of my card number, I asked a group attending a lecture I gave last night (on the ongoing effects of the recession) how many of them had a theft of credit card information. Nearly the entire crowd raised their hands.

Most had lost data from a stolen purse or wallet. One lost their credit card, checking and savings information from a skimming machine at their bank’s ATM. But several confirmed that the RFID technology from their cards was the culprit.

The point is that hard times are making thieves smarter and any technology can, and probably will, be hacked. If you are concerned about having wireless data transmitted from your card, consider asking your bank to cancel your card and reissue one without the technology. Or consider making or buying some kind of blocking sleeve.