How Radio Frequency Identification is used to Steal Credit Card Numbers

Credit cards embedded with radio frequency identification (RFID) chips enable consumers to use their cards by simply waving them in front of an RFID reader. Examples of these contactless cards include MasterCard’s PayPass and American Express’s ExpressPay. RFID technology has made transactions fast and easy. However, what happens if an RFID reader is used by the wrong person?

RFID expert, Walt Augustinowicz of Identity Stronghold recently demonstrated on a local Memphis TV station, WREG, that stealing credit card numbers off RFID enabled cards is a simple matter of obtaining the right scanner. For less than $100, anyone could obtain a portable RFID scanner and steal credit card numbers without even removing the victim’s wallet from his pocket. In Augustinowicz’s demonstration, the scanner was hidden in a zippered valise, and the victims’ cards were still in their pockets.

In another demonstration, this time at the Black Hat DC 2008 conference, RFID security expert, Adam Laurie, demonstrated how easy it is to steal credit card numbers through RFID. Using an RFID scanner, information including the volunteer’s name, account number and expiration date, was stolen and projected on screen, all without the RFID-enabled credit card ever leaving the volunteer’s wallet.

Does this mean that you should opt out of a contactless credit card? Not necessarily. Understanding the security risks of an RFID-enabled card, issuers have taken the necessary steps to protect consumers’ privacy. For example, the American Express card number that Adam Laurie got off his volunteer did not match the number printed on the card itself. Instead, it is an alias number that cannot be used for transactions that do not require a signature like online purchases.

Another security measure for credit cards embedded with radio frequency identification chips is a dynamic electronic credit verification value (CVV). The CVV number is typically used for transactions that cannot be verified with a signature. In contactless purchases, the RFID chip generates a new CVV that is different from the one printed on the card for each transaction. This CVV is then verified by the network before the transaction is approved. Even if your credit card number is stolen with an RFID scanner, the scanner would never be able to pick a useable CVV code.

Credit card industry experts argue that RFID enabled cards are safer than cards that only have magnetic stripes. With contactless cards, the credit card never leaves the consumer’s hand. This means that there is no opportunity to steal your credit card and CVV number, which means that your card cannot be cloned.

In summary, can your RFID-enabled credit card number be stolen? Yes it can. But the thieves can do little with the information, and because RFID cards seldom need to leave your hand, they are more secure.