Millions of credit cards now have a built-in device designed to make them more convenient. But is it also making your credit cards more vulnerable to fraud? 13 Investigates shows how credit card information can be stolen from your wallet while it’s still inside your pocket.
Credit cards are getting a high-tech makeover.
Many of them now contain a tiny radio chip that allows customers to simply wave their credit card at the checkout line and be on their way.
Radio frequency identification (RFID) is an added convenience, according to Visa, MasterCard and American Express. The nation’s three largest credit card companies have recently issued millions of credit and debit cards with RFID technology, and McDonald’s, Walgreens, Office Depot and Meijer are among a growing number of restaurants and retailers that now process the radio signal embedded in the cards.
But some privacy experts say the technology comes with risk and controversy, and an Eyewitness News test shows why.
“Wow. That’s Scary.”
Walt Augustinowicz is a credit card privacy advocate and founder of Identity Stronghold, which sells fraud-prevention products for credit cards.
Last month, Augustinowicz came to Indianapolis to demonstrate the vulnerability of RFID credit cards for 13 Investigates.
Equipped with a standard credit card reader connected to a battery and a laptop computer, Augustinowicz claimed he could easily steal credit card numbers from dozens of unsuspecting travelers at Indianapolis International Airport.
“It’s absolutely something anybody can do, and the equipment costs less than $100,” he explained. “With what I have here, I can get your credit card number, your expiration date and everything I need to make a clone card.”
He wasn’t exaggerating.
13 Investigates randomly selected 20 people to take part in a demonstration. With their permission, Augustinowicz tried to intercept their credit card numbers. Seven of the participants had RFID-enabled credit cards, and Augustinowicz was able to electronically scan card numbers and expiration dates from all of them – without the credit cards ever leaving a pocket, purse or wallet.
“Oh my gosh. Wow. That’s scary,” said Kathleen Charley, as she watched Augustinowicz intercept information from her Visa card. “I’m shocked to think someone could do that just by walking by me with [my credit card] in my pocket.”
Roberta Gonzales learned three of her cards are at risk.
Augustinowicz intercepted information from Gonzales’ Visa card, MasterCard and American Express card; all are embedded with radio frequency identification.
“Wow. I heard about this but I didn’t think my cards were accessible to it,” she said. “I thought all the new cards were protected and I thought ‘surely it’s not possible.'”
It is possible — even if most consumers don’t realize it.
“I had no idea. It’s the first time I’ve heard of anything like that. That’s just insane that it’s happening and that credit cards are allowing it to happen,” said Nate Elkins after his friend’s credit card data was intercepted during WTHR’s demonstration.
Major credit card companies insist RFID technology is safe, and they say consumers have little to worry about.
Visa, MasterCard and American Express all sent statements to WTHR, citing advanced safeguards to protect RFID credit cards from tampering and fraud. And each of the companies point out consumers face zero liability (or very limited liability) for any fraudulent purchases charged to their credit cards.
In its statement, Visa admits radio frequency identification does pose some risk to consumers:
“Because information travels from card to terminal without any contact, there is a remote risk that data can be intercepted. However, we have built in multiple layers of security for every Visa transaction that helps protect against fraud using stolen information.”
All three companies say cardholder name and address information is not included during the RFID transaction process. They also say fraud rates associated with RFID technology are extremely low due to special security codes that are created for each individual transaction.
“In response to the claims that you’re hearing that a person could use a reader to capture someone’s account number and expiration date, I think it’s important to point out that they can’t do anything with that data,” explained MasterCard spokeswoman Erica Harvill.
Augustinowicz disagrees, and he provided a bold demonstration to show why.
While at the airport, he intercepted information from an RFID credit card and, using an inexpensive device purchased on eBay, he copied the data onto the magnetic stripe of his hotel room key. Augustinowicz then used the hotel room key to pay for a large soda at an airport restaurant. He simply slid the hotel room key through a traditional credit card reader at the restaurant, and the credit card reader allowed the transaction because it couldn’t tell the difference between a regular credit card and a room key containing intercepted data.
“You can’t say ‘no, it can’t be done’ when someone turns around and does it right in front of your eyes, and that’s what we did. We did exactly what they said we can’t do,” Augustinowicz said. “We didn’t have to do a whole lot to do this. It’s not rocket science, and we’ve done it at big box retailers for several hundreds of dollars with no problem … It’s too easy. Way too easy. It’s a wide open door – especially if you don’t know it’s a threat.”
Are your credit cards at risk?
To find out if you have a credit card or debit card containing a radio chip, simply take a look at the card.
If it has a symbol similar to the speaker or volume symbol on a computer, it’s a sure sign the card has RFID technology. You can also look for buzzwords such as PayPass, payWave, expresspay or Blink as proof that you’ve got a radio chip in your credit card.
Joan Antokol, an attorney specializing in security and privacy issues, says it’s not just credit cards and debit cards that are now embedded with radio frequency technology. She says new passports and ID cards issued by many schools, private companies and government agencies also contain RFID. (Click here to see the RFID symbol on passports.)
“Over a billion cards have been issued with RFID chips in unencrypted form and all of those cards are very vulnerable to attack,” Antokol told WTHR. “I think it’s a very big risk. It’s the responsibility of the credit card companies to issue cards that are secure or people won’t want to use them.”
The Identity Theft Resource Center agrees. The nonprofit organization says RFID technology is not as secure as it should be to be included in millions of credit and debit cards.
It is a potential problem, and I think the credit card companies themselves are going to have to get this figured this out and conclusively resolve this issue because they’re in it up to their noses,” said ITRC executive director Jay Foley. “Like any other technology, RFID is only as good as the systems it’s used on and that system has some holes.”
So far, ITRC has not directly linked any cases of identity theft to RFID-enabled credit cards. But says a direct link would be very difficult to establish because consumers victimized by credit card fraud usually cannot identify the cause.
While consumer liability is usually limited in cases of credit and debit card fraud (credit card companies usually follow a “zero liability” policy for unauthorized use of a credit card and limit consumer liability to $500 for fraudulent use involving a debit card) , Antokol says many consumers face great hassle and inconvenience when their card numbers are stolen.
“You can face years and years of angst associated with trying restore your credit and identity because of stolen credit card information,” she said. “Even if you don’t lose a cent, it’s something nobody wants to go through.”
After learning of the risk involving RFID, Augustinowicz launched his company that sells protective sleeves, badge holders and wallets designed to block the radio frequency waves from credit cards and IDs containing RFID chips. One of his biggest clients is the U.S. government, which has purchased tens of thousands of badge holders for government-issued IDs and protective envelopes that are sent with all newly-issued U.S. passport cards.
While many government agencies require protective covers for ID badges and all passport cards are shipped with a protective sleeve, no credit card companies or U.S. banks currently provide consumers with protective covers with their RFID-enabled credit cards.
A single protective sleeve for a credit card costs $4.99 (a 10-pack including protective sleeves for both credit cards and passports costs $19.99) plus shipping through Identity Stronghold. Other companies such as 3M and RFID Shield sell protective sleeves, as well. Purchased in bulk, the protective sleeves cost less than 50 cents each.
Augustinowicz says consumers can make a homemade remedy for just pennies by wrapping their credit card in a piece of aluminum foil.
“The metal from the foil will do the same thing and block the radio signal,” he explained. “But consumers have to have the knowledge – they have to know they are getting these cards with radio chips in them – in order to protect themselves. This is a problem and this is real.”
Statements from Visa, MasterCard and American Express