It’s not exactly supply chain related, but we were interested enough in recent investigative report by Eye Witness News 4, the local NBC affiliate in Albuquerque, NM, on just how easy it really is to get detailed credit card information from cards with embedded RFID chips.
That even as credit card companies and banks tell consumers their data is safe.
Channel 4 brought in Walt Augustinowicz, founder and CEO of Florida-based company Identity Stronghold, which makes a variety of products to protect consumers against such hacks, such as wallets and sleeves that block RFID signals, to demonstrate how easy it really is.
In recent years, many credit card companies have started to embed RFID tags into the physical cards. Store associates then simply need to wave the card past an RFID reader to collect the credit card information, a somewhat easier process than running the card through a magnetic stripe reader. Mag stripe reads also often seem to fail due to stripe damage or other factors, and require numerous passes and/or manually entering the numbers.
Those RFID-tagged cards have led to concerns about consumers movements in store being tracked as they shop, and also of course the potential for identity theft of the credit card information. Hence the rise of a number of companies such as Identity Stronghold that offer protective devices for the cards.
Augustinowicz took Channel 4 reporters both to the “old town” area of Albuquerque and then later to the airport to demonstrate that the card companies’ claims of security do not be valid.
For this test, he used only willing volunteers, bringing a small laptop within a few inches of each person’s wallet or purse.
Early on in the video report, which can be found here, Augustinowicz passes the leather covered laptop passed a woman’s purse, and zap, on his computer screen is the woman’s name, credit card number, expiration date, the fact that she cannot use the card to acquire cash, and other details.
He repeats the process numerous times both in town and at the airport, always to the astonishment of the participant.
An Increasing Number of Credit Cards Now Contain Embedded Passive RFID Chips
Though using volunteers here, it is obvious that it would be trivial to surreptitiously do the same thing to anyone by just getting into proximity to a person in a crowded environment. Then just bring a laptop with an RFID reader or some other reader device near to a purse or a pocket, and a thief could easily grab the card data.
The exact information that was captured the card tag varied by card issuer.
All That was Needed Was to Pass Small, Disguised Laptop
Past a Purse or Wallet to Grab to RFID Credit Card Information
The report is off a little in saying that the tags in the card are “constantly broadcasting” their information. In reality credit cards use passive RFID tags that must be energized by a tag reader to broadcast their signals. Still, the report is essentially correct that this process cannot be turned off by card holders – unless they use a blocking device, which can be a simple as placing the credit card into aluminum foil.
Augustinowicz charges that the banks and card companies are misleading the public.
“They are completely wrong and they know that,” Augustinowicz said. “They shouldn’t be telling people that. I hear that a lot. They say there are protections in place to stop people from using the cards. The may be able to scam some data, but they don’t get enough to do anything. That’s completely false.”
From this report, it certainly appears that he has a real point. We have to wonder if there are banks making such security claims if they would be liable for damages should card holders be damaged by card number theft.