With millions of new credit cards being shipped with RFID chips, the big question is: how secure are they really?
Well, they are and they aren’t.
Using an RFID scanner, you can scan the tag from a credit card and copy that information, either by magnetising it onto another card, or by emulating the information that you have copied in your own RFID tag.
Although banks claim that the information stored is encrypted, usually using 128-bit encryption, you don’t actually have to decrypt it to use it. Simply retransmit what you have copied to a legitimate card reader, and the card reader will decrypt the information, and process the transaction as normal.
This is very real and quite easy to do using hardware readily available on the internet starting around the $100 mark.
So why isn’t this kind of fraud rampant?
Well, there are a couple of security measures in place that do protect you. Firstly, for most RFID transactions, there is a limit to the amount that you can purchase. On my Commonwealth (Australia) bank card it is under $100.
The second, and the more important one, is that a one-time CCV is generated on each read, which is only valid for a single transaction. This means that were an attacker to swipe your credit information, they would be able to make at most a single transaction using that stolen information.
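The single-use limit described above can be sketched in code. This is an added illustration, not code from the original post or from any card scheme: HMAC-SHA256 over a read counter stands in for the real one-time CCV algorithm, and the `Card` and `Issuer` classes, the key and the card number are all constructed for the example.

```python
import hashlib
import hmac

def one_time_code(card_key: bytes, pan: str, counter: int) -> str:
    """Derive a 3-digit code from the card secret and its read counter."""
    digest = hmac.new(card_key, f"{pan}|{counter}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1000:03d}"

class Card:
    """Contactless card: every read advances the counter and emits a new code."""
    def __init__(self, pan: str, key: bytes):
        self.pan, self._key, self._counter = pan, key, 0

    def read(self) -> dict:
        self._counter += 1
        code = one_time_code(self._key, self.pan, self._counter)
        return {"pan": self.pan, "counter": self._counter, "code": code}

class Issuer:
    """Bank side: recomputes the code and refuses any counter already seen."""
    def __init__(self):
        self._keys, self._last_counter = {}, {}

    def enrol(self, pan: str, key: bytes) -> None:
        self._keys[pan], self._last_counter[pan] = key, 0

    def authorise(self, txn: dict) -> str:
        key = self._keys.get(txn["pan"])
        if key is None:
            return "declined: unknown card"
        if txn["counter"] <= self._last_counter[txn["pan"]]:
            return "declined: counter already used (replay)"
        expected = one_time_code(key, txn["pan"], txn["counter"])
        if not hmac.compare_digest(expected, txn["code"]):
            return "declined: bad code"
        self._last_counter[txn["pan"]] = txn["counter"]
        return "approved"

def demo() -> list:
    key, pan = b"constructed-demo-key", "4000000000000002"  # constructed values
    card, issuer = Card(pan, key), Issuer()
    issuer.enrol(pan, key)
    captured = card.read()                  # what a rogue reader copied
    return [issuer.authorise(captured),     # first use of the copy
            issuer.authorise(captured),     # same copy presented again
            issuer.authorise(card.read())]  # cardholder's next genuine tap

if __name__ == "__main__":
    print(demo())
```

The copied read is honoured once and refused the second time, while the cardholder's next tap still succeeds because it carries a higher counter. In this model, if the cardholder taps before the copy is presented, the copy is refused outright.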
If the attacker were to copy this information onto another card and use it that way, then you should be protected in two ways. Firstly, the PIN is not stored on the card, so the attacker would have to sign for the purchase. Now this is where there is a security flaw. Although every merchant is supposed to check your signature against the signature on the card, at least from personal experience, 9 times out of 10 they do not.
There are a couple of things you can do to protect your information from the unsavoury. You can get special wallets now that block RFID, by lacing the linings with aluminium or steel. A simpler solution also available is RFID protection card sleeves, which work in a similar manner.
For the traditionalist, you can simply wrap your card in tinfoil.
These solutions are not foolproof, but they will help reduce the risk.
NFC is RFID’s touted younger cousin. Where RFID is a one-trick pony, the applications for NFC are numerous, and growing rapidly.
With most new mobile phones now being shipped with NFC, this is a fast-growing technology, but it still hasn’t taken off yet. Until it does, NFC phone payments are still a ways off.
With relation to credit card information, your phone would act similarly to the way your current chipped credit card does, only it has some major advantages. Firstly, NFC only has a range of about 4 inches, so an attacker would have to be much closer to steal your information. Secondly, your phone turns NFC off while it is locked, which means that an attacker could not steal your information unless you were actively using your phone during a credit card transfer, which, in all honesty, is where most credit card information is stolen, as the user swipes their card through an already contaminated reader. Not only this, but NFC allows two-way communication, meaning that a reader could be forced to authenticate itself before any private information was transmitted, significantly reducing the chances of stolen information.
Credit cards were never secure to begin with. The addition of the CCV was a deterrent that is no longer as effective as it was intended to be, and using wireless just adds another technology, and another vector of attack.