Though it may be convenient to pay with a wave of your credit or debit card, Consumer Report’s Andrea Rock says so-called contactless cards make your personal information vulnerable. Whether you know it or not, your credit or debit cards might contain a tiny computer chip and radio antennae to transmit account information from your card, even when you’re not shopping.
Thieves can steal your credit card information from only a few inches away using a card reader that sells for less than $100. By simply transferring your account number, expiration date and security data to a computer and transferring it to blank cards, a counterfeit can be made of your card. Thieves can then make successful transactions using your “card” while it’s still in your wallet.
So how do you know if your cards use this technology? Chase cards calls their contactless cards “Blink”, MasterCards uses “Pay Pass” to identify its contactless cards, and others simply have a symbol consisting of four curved lines like the one shown below.
An industry newsletter, The Nilson Report, says 35 million contactless chip cards are in circulation in the United States alone. The cards are touted as being convenient, but are vulnerable to skimming without ever leaving your wallet.
The technology is active weather you know you have it or not. Shields of wallets marketed as RFID-blocking devices can make it more difficult for someone with an electromagnetic reader to read your cards, but they don’t entirely block transmission of card data. Another option is a protective sleeve made out of duct tape lined with aluminum foil. Tests show that it worked better than many of the ones you can buy, but even that didn’t block the signal completely. So while waiving your card is easy, making sure it’s secure is not. There’s not much you can do but ask your bank to replace the card with one that does not have this technology.
Chase spokesman Paul Hartwick says the security codes on its contactless cards are designed to change with every transaction, as they are with most RFID-enabled cards, so that even if a card is counterfeited, it would work for only one fraudulent transaction.
“If I put a reader next to a turnstile at Grand Central Terminal at rush hour, I could probably capture data from 5,000 cards that evening, and what you’re getting from each one is enough to initiate a transaction,” says Mark Rasch, a former Justice Department computer-crime prosecutor who serves as director of cybersecurity and privacy consulting at CSC, a business technology firm. “Moreover, repeatedly scanning a card that is lost, stolen or intercepted in the mail produces multiple security codes,” Paget says.
The Smart Card Alliance, an industry group, maintains that contactless card technology deployed by American Express, Discover, MasterCard, and Visa is secure and that there have been no reports of consumers been victimized. American Express says its contactless cards do not reveal the card account number, and demonstrations supported this.
According to Kevin Fu, a University of Massachusetts at Amherst assistant professor, the absence of a flood of fraud reports linked to the cards is not proof of their security. Because the contactless cards in circulation in the U.S. represent only 3.5 percent of the total debit and credit cards in use, they have not yet presented a big enough target to lure many crooks, especially when traditional magnetic stripe cards are so especially counterfeited.
For more information, visit: