Consultant Kristin Paget demonstrates ease of stealing data off radio frequency identification-enabled payment card without the victim realizing it

Friday, February 10, 2012 9:17:00 AM

Consultant Kristin Paget demonstrated at a security conference that it is possible to easily and inexpensively read and steal the data off a radio frequency identification-enabled payment card without the victim realizing it.

Paget's method employs a $50 RFID card reader to wirelessly read credit cards and capture their numbers, expiration dates, and one-time CCV numbers used by contactless cards for payment authentication. The stolen data can then be encoded onto a blank card with a $300 card-magnetizing device, while the victim's money can be taken using a Square attachment for the iPhone that lets anyone swipe a card and receive payments.

Paget illustrated a practical application of the scam in which the fraudster can simply bump against his target with the card reader in his pocket, and invisibly scan the RFID signal through material such as a leather wallet or cloth pants. The Smart Card Association estimates that some 100 million RFID-enabled cards are in circulation, and although the security industry has long known that contactless credit cards can be read wirelessly, it argues that such attacks are impractical because current versions of the cards do not include the user's name, PIN, and CCV in the wirelessly read data.

Advocates say the one-time CCV code the cards present with each scan means that a fraudster can only use each stolen number for a single transaction—but Paget says a crook can target multiple victims rather than defraud one victim over and over.