Does Your Wallet Need a Tinfoil Hat?

Category: Security

Recently, a friend forwarded to me a Houston TV station’s story about “electronic pickpocketing.” In it, reporters say they watched a security expert steal credit card numbers from 39 victims in less than 15 minutes, simply by walking past them. But is this a real problem? Read on...

Is Electronic Pickpocketing a Big Problem?

In the TV story, Chris Gilpin of the National Crime Stop Program explained to Local 2’s reporters that contactless “chipped cards” used to pay for things by simply waving the card near a reader can actually be read up to 25 feet away.

He claims that electronic pickpocketers can buy card readers for “under $100” and soup them up to communicate with chipped cards at such distances. Gilpin says there are 250 million chipped cards in the U. S., and they’re all at risk.

To protect your cards from “wallet hackers” you can buy the $15 “Signal Vault,” which looks much like a credit card and fits in a card’s slot in your wallet. Local 2 provides no details on how it works. It just so happens the Signal Vault is sold by Gilpin’s company. Alternatively, the ingenious TV journalists add, you can use an aluminum wallet or “simply wrap your credit cards in aluminum foil.”

Credit Card Theft

Stories like this one make me weep for the state of journalism. This story was first done by Memphis TV station, WREG, in December 2010, and by several other gullible outlets since. It’s old news about technology that isn’t used in chipped cards anymore. The credulity of these reporters and producers must be willful; nobody could be this dumb naturally. Let’s look at what Local 2 overlooked:

The numbers that Local 2’s reporters saw may or may not have been actual credit card numbers. Only the last four digits are actually shown on the computer screen attached to Gilpin's scanner. The reporters didn’t ask anyone, “Excuse me, is this your credit card number?” Nor did they volunteer to have it tested on their own wallets.

Old Technology, Old News

Radio-frequency ID (RFID) chips can, indeed, be read over distances of several feet. This capability is useful in inventory control, package handling, shoplifting prevention, passport screening, and similar applications. It’s not desirable in a payment card for the very reasons highlighted by Mr. Gilpin. And that's why this technology is being (or has already been) phased out.

A Snopes article on contactless cards that have embedded RFID chips says: "The data streams emitted by contactless cards don't include such information as PINs and CVV (Card Verification Value) security codes — or, in newer cards, customer names — and without those pieces of information a card skimmer should not be able to utilize the stolen card numbers to print up counterfeit cards or engage in Card Not Present (CNP) transactions." And further, "Although RFID-enabled cards may have originally transmitted their information in plain text, newer contactless cards are adding encryption to the data streams and thus cannot be read directly by ordinary card readers. Card skimming generally works when the victim is carrying only a single contactless card; otherwise, the transmissions from multiple cards can create a jumbled, unintelligible stream."

So even if you have one of those older RFID-based cards, the information gleaned by a card-skimming, electronic pickpocketing hacker would not contain your name, address, PIN number or security (CVV) code. And without those bits, the credit card number is little more than a string of 16 digits.

And finally, “National Crime Stop” is an awkward name for a company. I wouldn’t choose it unless I wanted to be confused with “Crimestoppers,” a respected national brand. A bit of Googling shows that the National Crime Stop Program is a 4-person firm in South Florida that runs identity theft seminars, and sells the Signal Vault. Staff members are said to have taken various trainings, but specifics are vague. Their website has not been updated in over two years. I'm not trying to discredit these guys. But I am dismayed that so many journalists have so little inclination to do even a smidgen of their own research, or even ask intelligent questions.

What About the New EMV Cards?

Modern chipped cards (also called EMV cards) and their readers adhere to one of two global standards. The most widely used standard, ISO/IEC 14443, limits the radio communication range to 10 cm – about 4 inches. The alternate standard, ISO/IEC 15693, specifies a range of up to 50 cm – 1.6 feet.

It’s possible to build a “souped up” transceiver that could read these very short-range cards at up to 25 feet, but it would be about the size of a suitcase.

And even if a “wallet surfer” could read a chipped card, the information he gleaned would be of no use to him. The number transmitted by a chipped card is not the actual account number embossed on the card’s face. It’s a dummy number that is accepted by a payment processor only after an encrypted verification transaction is completed. No PIN or CVV numbers are transmitted.

The newest cards don’t even transmit the cardholder’s name. So forget about cloning physical cards or conducting “card not present” online transactions using data stolen by “wallet hacking.”

If you are concerned about “wallet hacking,” contact your card issuer(s) and make sure you have the latest, greatest security features in your card(s). Order new cards if necessary.

Or you can buy 2-inch wide aluminum duct tape for about $4 at Home Depot. Leave the paper backing on and slip a piece into each of the card slots in your regular wallet. Oh, and don't forget to wear your tinfoil hat when you leave home. Evil hackers may be trying to read your thoughts.

Your thoughts on this topic are welcome. Post your comment or question below...

 
Ask Your Computer or Internet Question

  (Enter your question in the box above.)

It's Guaranteed to Make You Smarter...

AskBob Updates: Boost your Internet IQ & solve computer problems.
Get your FREE Subscription!


Email:

Check out other articles in this category:



Link to this article from your site or blog. Just copy and paste from this box:

This article was posted by on 15 May 2015


For Fun: Buy Bob a Snickers.

Prev Article:
What is Tesla Powerwall?

The Top Twenty
Next Article:
Compare Prescription Prices Online

Most recent comments on "Does Your Wallet Need a Tinfoil Hat?"

(See all 37 comments for this article.)

Posted by:

Egbok
15 May 2015

I don't think those RF blocking sleeves work. Before leaving for Mexico I had put my grandson and granddaughter's passport cards in the glove box and at the last minute my granddaughter decided that she felt ill and didn't go. On the way home I presented my grandson's and my card to the reader and when I got to the inspectors booth he asked. "Where's the girl?" My granddaughter's card was in it's gov't provided sleeve and in the glove box. I explained but he searched everywhere even under the hood (There's not enough room even for a six pack of sodas under there). Either the RF blocking foil doesn't work or the Feds have some kick butt readers.


Posted by:

Robert A
15 May 2015

Regarding the previous post from Steve - Kim Komando has lost all credibility. In the past few years. she has become a self-serving huckster, pushing all sorts of "must-have" merchandise that is often of dubious value, at prices that can often be more expensive than similar merchandise sold at other internet sources, or at bricks-and-mortar stores.

Kim Komando, with her often alarming articles, pushes her internet musings and radio show to much of an audience that seems to me, to be more on the lowest end of the tech-savviness scale, who are more interested in her numerous "cute" stories about children and animals, than in getting a serious explanation of computer related issues, as is normally presented by Bob Rankin.


Posted by:

Ken
15 May 2015

Bob,excellent article,I especially liked the last line.


Posted by:

Maura K
15 May 2015

Love the article! And thanks for calling out "journalists" - too much of our news these days is rushed onto the air or into print without proper vetting. Research and getting the facts right is apparently a thing of the past.


Posted by:

Lloyd Collins
16 May 2015

I don't have a chip card, only reliable magnetic strip. I do wear my tinfoil hat, mainly because it brings a smile to people's faces. I would be more worried about owning a cat, they are out to take over the world, I know it!


Posted by:

IanG
16 May 2015

LOL. Thanks for the chuckle, Bob (I love your sense of humor).

I couldn't agree more about the pathetic level of journalism these days. If these so-called journalists have to obtain a university degree before being employed by news reporting agencies, then it says a lot about the low standard of education these days, does it not?


Posted by:

Castlehillwalker
16 May 2015

So this is also an il-informed bit of info?


http://www.pcworld.com/article/249138/rfid_credit_cards_are_easy_prey_for_hackers_demo_shows.html


Posted by:

Maurice Lampl
16 May 2015

Seems to me that RFID sleeves add bulk to your wallets. I would think that a single piece of tinfoil, shaped like a dollar bill and inserted into the bill pocket of the wallet, resting against the outside part of the wallet would be effective in blocking the RFID signals from all the contents in the wallet....


Posted by:

Sandy
16 May 2015

Bob: a relative gave me a woman's tri-fold anti-theft security wallet from a company called "Identity Stronghold." A brochure included says Identity Stronghold is owned by Walt Augustinowicz. A label on package has address for Identity Stronghold in Englewood Fla. Know anything about these folks? I thought it was sort of silly and haven't used the wallet yet. Thank you.


Posted by:

Judyth Mermelstein
16 May 2015

The chips in traditional Canadian credit and debit cards aren't RFID and have to be physically inserted in the cardreader, with the user inputting the correct PIN. The data theft methods that have worked are:
1) the "inside job" whereby an employee has a second cardreader device cloning the legal one so as to capture both card number and PIN, (or sometimes just the card number, with the PIN captured on the security videom until they made the legal cardreaders with guards to hide your input)
2) specially made devices that fit into the cardreader slot (e.g., of an ATM in an obscure location) and could be removed by the thieves before the branch reopened.
The "wave your card at the cash" business is fairly new here. The new debit card I got last week was made to accommodate it but the teller agreed with me that enabling the wifi to save the "labour" of putting the card in a slot and punching in a few digits wasn't a terribly secure idea. Given how often supposedly-secure software is hacked, I'm quite happy to reject that particular form of convenience.


Posted by:

Sandy
16 May 2015

The end of March I received a new access card for a chequing account. I used it twice, once at a long-trusted location, and once at a store where I previously had used cash. The day my income tax refund was deposited in the account, someone went shopping online - in France. The card had never left my hand. I live in Canada.


Posted by:

Lee Dalzell
16 May 2015

I bought one of those metal wallet things...but never used it because it was too thick for my purse. Glad to know I did not waste too much money for the thing. It was supposed to be thin. 3/8 inch is rather thick!


Posted by:

Georgeofthe jungle
17 May 2015

The only natural occurring element that cannot be penetrated is LEAD "Pb" that's why radioactive isotopes are sealed in a LEAD containment vessels and they cover the family jewels when you get an x-ray. Duh!!!!


Posted by:

Kenny D
17 May 2015

Thanks for the info. I think you're the only person to have let people in on the secret. They're still pushing these blocking wallets on the internet. Well got to go. I got to find my tinfoil hat and take a walk. lol


Posted by:

Chris
17 May 2015

Here in the Netherlands a new chip was introduced last year for the regular debitcards. Normal payments always require inserting the card into the device and tapping in the personal code. The new chip also makes 'contactless paying' possible: it takes up to 25 euros per transaction directly from your account when you hold it close to a small device. This can be done up to ten times before you have to tap in your personal security code again. This is also the system that is used for the complete public transport system. When you board a train, a bus or tram, you keep your card in front of a device and you're checked in while they take twenty euros from the balance on the card. When you leave the vehicle, you have to check out again for a refund of the unused money or you lose it. And there's no need for names, PIN or other numbers, just a brief contact of the card and the reading device!

Point is, potential thieves only have to fabricate something inconspicuous and walk with it through a crowd and 'harvest' money to their heart's content. Almost everybody uses these chipped debitcards, creditcards are used more for bigger purchases or on holiday, so there's a lot of potential here.

For this situation the RFID wallet is a good thing to have, at least I think so. Over the last years we've had numerous gangs who try to take advantage of our financial system and this would be right up their alley. Just a few years ago they apprehended a Bulgarian gang who had situated one or two of them in the ceiling of my regular supermarket right above the paying device at the cashiers. When people didn't properly shield the tapping in of their code, they signalled the number to someone outside. They would pickpocket the card from that person outside the supermarket and go immediately to a cashing machine to take as much money as possible from the account. And the gang would disappear before anybody would find out what had happened.


Posted by:

Lucy
17 May 2015

Unfortunately we dumped our wallets and bought protected ones at great expense ... I should have waited for Bob to weigh in first :-(

What is concerning me most about these new RFID chip cards (not chip and PIN in the US) is that I might leave it behind in the retailers machine, as the card is left in for the whole transaction, not swiped and put back in my wallet immediately.

Right now I am back to my four year old self humming a little ditty the whole time ... don't forget the card, don't forget the card, don't forget the card.


Posted by:

Jim Higgins
17 May 2015

In my city the transport companies use a loadable chip card for rides on buses etc. I leave the card in my wallet and it reads through the leather. All of a sudden the bus card reader started to tell me I had more than one card. It turned out that our banks had started to use RFID in their cards and these were being picked up. A folded piece of cooking foil around the bank cards did the trick!


Posted by:

David
19 May 2015

About a year ago, I heard that 70% of Small Business had suffered an intrusion or data-loss event in 2013. Has anyone heard a similar statistic for 2014?


Posted by:

Walt Augustinowicz
09 Jul 2015

I would have to strongly disagree with this article. Yes, I own the original RFID wallet company Identity Stronghold. I started the company because of the ease in which data can be stolen off these cards. Even the new EMV contactless cards. If you doubt me do the following test. Go to Amazon and add a new card. Change your cardholder name to something like John Smith. They don't ask for a 3 digit code either. All that is checked is your account number and expiration date for validity. Those two pieces of info are not encrypted even on the new emv cards we have tested. Your order will be accepted. We did this test with a news reporter's cameraman's card and it went through fine. I had no data but what I had scanned with an off the shelf scanner.

Go to Youtube and search for straight talk about RFID myths and watch for more details.

Also if you do some web research you will learn that cardholder name has never been a piece of data that has been used to approve a credit card transaction. Just another misdirection from the card industry.

Bob, I would be happy to clear up the misconceptions Snopes and others have given you. Just contact me. Remember the money at stake here and you will know why some in the card industry are trying to confuse people on the danger.


Posted by:

Varun
02 Apr 2016

I was inquiring about credit card protection, ran into your blog. In parallel I also found shield identity card which I found it to be relatively inexpensive. I ordered one and it works great. you may want to check this one as well...I ordered it from their website www.shield-identity.com..it is just $12.99


There's more reader feedback... See all 37 comments for this article.

Post your Comments, Questions or Suggestions

*     *     (* = Required field)

    (Your email address will not be published)
(you may use HTML tags for style)

YES... spelling, punctuation, grammar and proper use of UPPER/lower case are important! And please limit your remarks to 3-4 paragraphs. If you want to see your comment posted, pay attention to these items.

All comments are previewed, and may be edited before posting.

NOTE: Please, post comments on this article ONLY.
If you want to ask a question click here.

Free Tech Support -- Ask Bob Rankin
RSS   Add to My Yahoo!   Feedburner Feed
Subscribe to AskBobRankin Updates: Free Newsletter
Copyright © 2005 - Bob Rankin - All Rights Reserved
Privacy Policy -- See my profile on Google.


Article information: AskBobRankin -- Does Your Wallet Need a Tinfoil Hat? (Posted: 15 May 2015)
Source: http://askbobrankin.com/does_your_wallet_need_a_tinfoil_hat.html
Copyright © 2005 - Bob Rankin - All Rights Reserved